import softhsm-2.6.0-5.module+el8.4.0+10228+192bf5af

.gitignore

@@ -0,0 +1 @@
+SOURCES/softhsm-2.6.0.tar.gz

.softhsm.metadata

@@ -0,0 +1 @@
+da4220189c358741a42a63442561ec07996badaf SOURCES/softhsm-2.6.0.tar.gz

SOURCES/softhsm-2.6.1-rh1834909-exit.patch

@@ -0,0 +1,72 @@
+diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp
+index 32daca2..ace4bcb 100644
+--- a/src/lib/crypto/OSSLCryptoFactory.cpp
++++ b/src/lib/crypto/OSSLCryptoFactory.cpp
+@@ -226,31 +226,49 @@ err:
+ // Destructor
+ OSSLCryptoFactory::~OSSLCryptoFactory()
+ {
+-#ifdef WITH_GOST
+-	// Finish the GOST engine
+-	if (eg != NULL)
++	bool ossl_shutdown = false;
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	// OpenSSL 1.1.0+ will register an atexit() handler to run
++	// OPENSSL_cleanup(). If that has already happened we must
++	// not attempt to free any ENGINEs because they'll already
++	// have been destroyed and the use-after-free would cause
++	// a deadlock or crash.
++	//
++	// Detect that situation because reinitialisation will fail
++	// after OPENSSL_cleanup() has run.
++	(void)ERR_set_mark();
++	ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
++	(void)ERR_pop_to_mark();
++#endif
++	if (!ossl_shutdown)
+ 	{
+-		ENGINE_finish(eg);
+-		ENGINE_free(eg);
+-		eg = NULL;
+-	}
++#ifdef WITH_GOST
++		// Finish the GOST engine
++		if (eg != NULL)
++		{
++			ENGINE_finish(eg);
++			ENGINE_free(eg);
++			eg = NULL;
++		}
+ #endif
+ 
+-	// Finish the rd_rand engine
+-	ENGINE_finish(rdrand_engine);
+-	ENGINE_free(rdrand_engine);
+-	rdrand_engine = NULL;
++		// Finish the rd_rand engine
++		ENGINE_finish(rdrand_engine);
++		ENGINE_free(rdrand_engine);
++		rdrand_engine = NULL;
+ 
++		// Recycle locks
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++		if (setLockingCallback)
++		{
++			CRYPTO_set_locking_callback(NULL);
++		}
++#endif
++	}
+ 	// Destroy the one-and-only RNG
+ 	delete rng;
+ 
+-	// Recycle locks
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+-	if (setLockingCallback)
+-	{
+-		CRYPTO_set_locking_callback(NULL);
+-	}
+-#endif
+ 	for (unsigned i = 0; i < nlocks; i++)
+ 	{
+ 		MutexFactory::i()->recycleMutex(locks[i]);

SOURCES/softhsm-2.6.1-rh1857272-negatives.patch

@@ -0,0 +1,230 @@
+From cfe1f7fdd12e202fa2d056c7fd731cfeee378a98 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 15 Jul 2020 18:12:32 +0200
+Subject: [PATCH] Unbreak negative mechanism lists in slots.mechanisms +
+ testcase
+
+Previously, when the list for slots.mechanisms was prefixed with
+minus sign "-", the first mechanism was skipped as invalid and
+therefore the tool was presenting wrong list of algorithms.
+
+This fixes the initial index for selection of first algorithm
+and adds unit test for this scenario.
+---
+ .gitignore                                    |  1 +
+ configure.ac                                  |  1 +
+ src/lib/SoftHSM.cpp                           |  9 ++-
+ src/lib/test/InfoTests.cpp                    | 70 ++++++++++++++++++-
+ src/lib/test/InfoTests.h                      |  2 +
+ src/lib/test/Makefile.am                      |  1 +
+ src/lib/test/softhsm2-negative-mech.conf.in   |  8 +++
+ .../test/softhsm2-negative-mech.conf.win32    |  7 ++
+ win32/p11test/p11test.vcxproj.in              |  2 +
+ 9 files changed, 97 insertions(+), 4 deletions(-)
+ create mode 100644 src/lib/test/softhsm2-negative-mech.conf.in
+ create mode 100644 src/lib/test/softhsm2-negative-mech.conf.win32
+
+diff --git a/configure.ac b/configure.ac
+index d4dad435..c6a51c7a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -217,6 +217,7 @@ AC_CONFIG_FILES([
+ 	src/lib/test/softhsm2-alt.conf
+ 	src/lib/test/softhsm2-reset-on-fork.conf
+ 	src/lib/test/softhsm2-mech.conf
++	src/lib/test/softhsm2-negative-mech.conf
+ 	src/lib/test/tokens/dummy
+ 	src/bin/Makefile
+ 	src/bin/common/Makefile
+diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
+index 0a0c32cc..cac724e6 100644
+--- a/src/lib/SoftHSM.cpp
++++ b/src/lib/SoftHSM.cpp
+@@ -791,12 +791,17 @@ void SoftHSM::prepareSupportedMecahnisms(std::map<std::string, CK_MECHANISM_TYPE
+ 	if (mechs != "ALL")
+ 	{
+ 		bool negative = (mechs[0] == '-');
+-		if (!negative)
++		size_t pos = 0, prev = 0;
++		if (negative)
++		{
++			/* Skip the minus sign */
++			prev = 1;
++		}
++		else
+ 		{
+ 			/* For positive list, we remove everything */
+ 			supportedMechanisms.clear();
+ 		}
+-		size_t pos = 0, prev = 0;
+ 		std::string token;
+ 		do
+ 		{
+diff --git a/src/lib/test/InfoTests.cpp b/src/lib/test/InfoTests.cpp
+index a07956fb..d2218e34 100644
+--- a/src/lib/test/InfoTests.cpp
++++ b/src/lib/test/InfoTests.cpp
+@@ -328,9 +328,9 @@ void InfoTests::testGetMechanismListConfig()
+ 	CK_MECHANISM_TYPE_PTR pMechanismList;
+ 
+ #ifndef _WIN32
+-    setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
++	setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
+ #else
+-    setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
++	setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
+ #endif
+ 
+ 	// Just make sure that we finalize any previous failed tests
+@@ -363,6 +363,72 @@ void InfoTests::testGetMechanismListConfig()
+ #endif
+ }
+ 
++void InfoTests::testGetMechanismNegativeListConfig()
++{
++	CK_RV rv;
++	CK_ULONG ulMechCount = 0;
++	CK_MECHANISM_TYPE_PTR pMechanismList;
++	CK_ULONG allMechsCount = 0;
++
++	// Just make sure that we finalize any previous failed tests
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++
++	// First of all, try to get the default list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);
++
++	rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++
++	// Get the size of the buffer
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
++	/* Remember how many mechanisms are supported */
++	allMechsCount = ulMechCount;
++
++	// Get the mechanism list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	CPPUNIT_ASSERT_EQUAL(allMechsCount, ulMechCount);
++	free(pMechanismList);
++
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++	/* Now try with configuration having negative list */
++#ifndef _WIN32
++	setenv("SOFTHSM2_CONF", "./softhsm2-negative-mech.conf", 1);
++#else
++	setenv("SOFTHSM2_CONF", ".\\softhsm2-negative-mech.conf", 1);
++#endif
++
++	rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++
++	// Get the size of the buffer
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	/* We should get 2 shorter */
++	//CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
++	pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
++
++	// Get the mechanism list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	//CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
++	for (unsigned long i = 0; i < ulMechCount; i++) {
++		CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_X_509);
++		CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_PKCS);
++	}
++	free(pMechanismList);
++
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++#ifndef _WIN32
++	setenv("SOFTHSM2_CONF", "./softhsm2.conf", 1);
++#else
++	setenv("SOFTHSM2_CONF", ".\\softhsm2.conf", 1);
++#endif
++}
++
+ void InfoTests::testWaitForSlotEvent()
+ {
+ 	CK_RV rv;
+diff --git a/src/lib/test/InfoTests.h b/src/lib/test/InfoTests.h
+index dfd02953..1cc99ccb 100644
+--- a/src/lib/test/InfoTests.h
++++ b/src/lib/test/InfoTests.h
+@@ -49,6 +49,7 @@ class InfoTests : public TestsNoPINInitBase
+ 	CPPUNIT_TEST(testGetMechanismInfo);
+ 	CPPUNIT_TEST(testGetSlotInfoAlt);
+ 	CPPUNIT_TEST(testGetMechanismListConfig);
++	CPPUNIT_TEST(testGetMechanismNegativeListConfig);
+ 	CPPUNIT_TEST(testWaitForSlotEvent);
+ 	CPPUNIT_TEST_SUITE_END();
+ 
+@@ -62,6 +63,7 @@ class InfoTests : public TestsNoPINInitBase
+ 	void testGetMechanismInfo();
+ 	void testGetSlotInfoAlt();
+ 	void testGetMechanismListConfig();
++	void testGetMechanismNegativeListConfig();
+ 	void testWaitForSlotEvent();
+ };
+ 
+diff --git a/src/lib/test/Makefile.am b/src/lib/test/Makefile.am
+index 17887dd4..a22ce668 100644
+--- a/src/lib/test/Makefile.am
++++ b/src/lib/test/Makefile.am
+@@ -39,6 +39,7 @@ EXTRA_DIST =			$(srcdir)/CMakeLists.txt \
+ 				$(srcdir)/*.h \
+ 				$(srcdir)/softhsm2-alt.conf.win32 \
+ 				$(srcdir)/softhsm2-reset-on-fork.conf.win32 \
++				$(srcdir)/softhsm2-negative-mech.conf.win32 \
+ 				$(srcdir)/softhsm2-mech.conf.win32 \
+ 				$(srcdir)/softhsm2.conf.win32 \
+ 				$(srcdir)/tokens/dummy.in
+diff --git a/src/lib/test/softhsm2-negative-mech.conf.in b/src/lib/test/softhsm2-negative-mech.conf.in
+new file mode 100644
+index 00000000..51f7e6ac
+--- /dev/null
++++ b/src/lib/test/softhsm2-negative-mech.conf.in
+@@ -0,0 +1,8 @@
++# SoftHSM v2 configuration file
++
++directories.tokendir = @builddir@/tokens
++objectstore.backend = file
++log.level = INFO
++slots.removable = false
++slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
++
+diff --git a/src/lib/test/softhsm2-negative-mech.conf.win32 b/src/lib/test/softhsm2-negative-mech.conf.win32
+new file mode 100644
+index 00000000..a3aefb96
+--- /dev/null
++++ b/src/lib/test/softhsm2-negative-mech.conf.win32
+@@ -0,0 +1,7 @@
++# SoftHSM v2 configuration file
++
++directories.tokendir = .\tokens
++objectstore.backend = file
++log.level = INFO
++slots.removable = false
++slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
+diff --git a/win32/p11test/p11test.vcxproj.in b/win32/p11test/p11test.vcxproj.in
+index 55dfb087..88859bca 100644
+--- a/win32/p11test/p11test.vcxproj.in
++++ b/win32/p11test/p11test.vcxproj.in
+@@ -67,6 +67,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
+ copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
+ copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
+ copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
++copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
+ mkdir "$(TargetDir)\tokens" 2&gt; nul
+ copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
+       </Command>
+@@ -99,6 +100,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
+ copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
+ copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
+ copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
++copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
+ mkdir "$(TargetDir)\tokens" 2&gt; nul
+ copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
+       </Command>

SPECS/softhsm.spec

@@ -0,0 +1,291 @@
+#global prever rc1
+# Rebuild configure.ac if patches do change it
+%global rebuild_ac 1
+
+Summary: Software version of a PKCS#11 Hardware Security Module
+Name: softhsm
+Version: 2.6.0
+Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}
+License: BSD
+Url: http://www.opendnssec.org/
+Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
+Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
+
+Patch1: softhsm-2.6.1-rh1834909-exit.patch
+Patch2: softhsm-2.6.1-rh1857272-negatives.patch
+
+Group: Applications/System
+BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
+BuildRequires: gcc-c++, pkgconfig, p11-kit-devel, nss-devel
+
+Requires(pre): shadow-utils
+Requires: p11-kit, nss-tools
+Requires: openssl-libs >= 1.0.1k-6
+
+%global _hardened_build 1
+
+%global softhsm_module "SoftHSM PKCS #11 Module"
+
+%description
+OpenDNSSEC is providing a software implementation of a generic
+cryptographic device with a PKCS#11 interface, the SoftHSM. SoftHSM is
+designed to meet the requirements of OpenDNSSEC, but can also work together
+with other cryptographic products because of the PKCS#11 interface.
+
+%package devel
+Summary: Development package of softhsm that includes the header files
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel
+%if 0%{?prever:!} || 0%{?rebuild_ac}
+BuildRequires: autoconf, libtool, automake
+%endif
+
+%description devel
+The devel package contains the libsofthsm include files
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+%patch1 -p1
+%patch2 -p1
+
+# remove softhsm/ subdir auto-added to --libdir
+sed -i "s:full_libdir/softhsm:full_libdir:g" configure
+%if 0%{?prever:1} || 0%{?rebuild_ac}
+sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac
+%endif
+sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in
+
+sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure
+
+%if 0%{?prever:1} || 0%{?rebuild_ac}
+sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure.ac
+%endif
+
+%if 0%{?prever:1} || 0%{?rebuild_ac}
+autoreconf -fiv
+%endif
+
+%build
+%configure --libdir=%{_libdir}/pkcs11 --with-openssl=%{_prefix} --enable-ecc --disable-gost \
+           --with-migrate --enable-visibility --with-p11-kit=%{_datadir}/p11-kit/modules/
+
+make %{?_smp_mflags}
+# install our copy of pk11install taken from coolkey package
+
+%check
+# skip while cppunit is broken
+#make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+
+rm %{buildroot}/%{_sysconfdir}/softhsm2.conf.sample
+rm -f %{buildroot}/%{_libdir}/pkcs11/*a
+mkdir -p %{buildroot}%{_includedir}/softhsm
+cp src/lib/*.h %{buildroot}%{_includedir}/softhsm
+mkdir -p %{buildroot}/%{_sharedstatedir}/softhsm/tokens
+
+# leave a softlink where softhsm-1 installed its library. Programs like
+# opendnssec have that filename in their configuration file.
+mkdir -p %{buildroot}/%{_libdir}/softhsm/
+ln -s ../pkcs11/libsofthsm2.so %{buildroot}/%{_libdir}/softhsm/libsofthsm.so
+# rhbz#1272423 NSS needs it to be in the search path too
+( cd  %{buildroot}/%{_libdir} ; ln -s pkcs11/libsofthsm2.so)
+
+%files
+%config(noreplace) %{_sysconfdir}/softhsm2.conf
+%{_bindir}/*
+%dir %{_libdir}/softhsm
+%{_libdir}/pkcs11/libsofthsm2.so
+%{_libdir}/libsofthsm2.so
+%{_libdir}/softhsm/libsofthsm.so
+%attr(0664,root,root) %{_datadir}/p11-kit/modules/softhsm2.module
+%attr(0750,ods,ods) %dir %{_sharedstatedir}/softhsm
+%attr(1770,ods,ods) %dir %{_sharedstatedir}/softhsm/tokens
+%doc LICENSE README.md NEWS
+%{_mandir}/*/*
+
+%files devel
+%attr(0755,root,root) %dir %{_includedir}/softhsm
+%{_includedir}/softhsm/*.h
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+    useradd -r -g ods -d %{_sharedstatedir}/softhsm -s /sbin/nologin \
+    -c "softhsm private keys owner" ods
+exit 0
+
+%post
+
+%triggerpostun -- softhsm < 2.0.0
+if [ -f /var/softhsm/slot0.db ]; then
+      runuser -g ods ods -c 'softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0' || :
+fi
+
+%changelog
+* Mon Feb 15 2021 Thomas Woerner <twoerner@redhat.com> - 2.6.0-5
+- Install prever devel package requirements for new negative option patch
+  Related: RHBZ#1857272
+
+* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-4
+- Fixes: rhbz#1857272 - negative option for token.mechanism not working correctly
+
+* Thu Jun 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-3
+- Fixes: rhbz#1834909 - softhsm use-after-free on process exit
+- Synchronize the final fix with Fedora
+
+* Thu May 14 2020 Paul Wouters <pwouters@redhat.com> - 2.6.0-2
+- Fixes: rhbz#1834909 - softhsm use-after-free on process exit
+
+* Wed Apr 01 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-1
+- Fixes: rhbz#1818877 - rebase to softhsm 2.6.0+
+- Fixes: rhbz#1701233 - support setting supported signature methods on the token
+
+* Mon Feb 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.4.0-4
+- Provide specific version libsofthsm2.so for p11-kit
+- Fixes: rhbz#1727065
+
+* Tue Feb 11 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.4.0-3
+- Remove architecture-specific path from softhsm2.module definition
+- Fixes: rhbz#1727065
+
+* Fri Aug 17 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2.4.0-2
+- Replace PKCS11 headers by a more liberal version from p11-kit
+- Fixes: rhbz#1615766
+
+* Sat Aug 11 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.4.0-1
+- Updated to latest upstream release
+
+* Tue Jul 31 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2.3.0-4
+- Fix crash when used as a PKCS11 library via p11-kit (#1608690)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.0-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.3.0-3
+- Remove softhsm2-pk11install. Software modules are to be registered with
+  p11-kit as in https://fedoraproject.org/wiki/PackagingDrafts/Pkcs11Support (#1541095).
+
+* Tue Dec 05 2017 Jakub Jelen <jjelen@redhat.com> - 2.3.0-2
+- Add support for RSA-PSS from upstrem PR#335
+
+* Tue Dec 05 2017 Jakub Jelen <jjelen@redhat.com> - 2.3.0-1
+- New upstream release (#1467329)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.0-2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.2.0-2
+- Increased the level of messages that go to syslog, thus softhsm
+  will no longer write on syslog when it cannot open the shared DB (#1425135)
+- Allow users in the 'ods' group to store their keys in /var/lib/softhsm/tokens/
+  while at the same time disallow deleting other users' keys (using the
+  sticky bit). Prevent users in the 'ods' group from writing in /var/lib/softhsm.
+
+* Thu Jun 22 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.2.0-1
+- Rebased to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Sep 23 2016 Paul Wouters <pwouters@redhat.com> - 2.1.0-2
+- Resolves: rhbz#1378800 Module cleanup crash
+
+* Mon May 16 2016 Paul Wouters <pwouters@redhat.com> - 2.1.0-1
+- Resolves: rhbz#1244461 Updated to 2.1.0
+- Resolves: rhbz#1272423 Softhsm PKCS#11 module not visible to NSS becasue it is not in the search path
+- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
+- Resolves: rhbz#1272453 - A marked as CA certificate cannot be written in a softhsmv2 db
+- Removed merged in bug#162 patch
+- Temporarily disable make check because cppunit is broken
+
+* Thu Feb 25 2016 Paul Wouters <pwouters@redhat.com> - 2.0.0-2
+- Resolves: rhbz#1272453 A marked as CA certificate cannot be written in a softhsmv2 db
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Sep 02 2015 Paul Wouters <pwouters@redhat.com> - 2.0.0-1
+- Resolves: rhbz#1244461 Update to softhsm-2.0.0
+- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
+- Resolves: rhbz#1159827 Typo in homedir in /etc/passwd
+- Added global prever to toggle snapshot vs full release build changes
+
+* Fri Jun 26 2015 Petr Spacek <pspacek@redhat.com> - 2.0.0rc1-3
+- Add dependency on OpenSSL with fixed AES wrapping support
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0rc1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Jun 01 2015 Petr Spacek <pspacek@redhat.com> - 2.0.0rc1-1
+- Rebase to latest upstream release
+
+* Sat May 02 2015 Kalev Lember <kalevlember@gmail.com> - 2.0.0b1-4
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Tue Sep 30 2014 Paul Wouters <pwouters@redhat.com> - 2.0.0b1-3
+- Add support for CKM_RSA_PKCS_OAEP key un/wrapping [Petr Spacek]
+- Use OpenSSL EVP interface for AES key wrapping [Petr Spacek]
+- Fix softhsm2-pk11install buid and post call
+- Do not use --with-objectstore-backend-db (causes issues on i686)
+- Change install directory to /usr/lib*/pkcs11/
+- Install pkcs11 module file
+- Use official upstream tar ball
+- Create ods user to own softhsm/token files
+- Enable migration tools (for softhsm-v1 installs)
+- Add softlink for softhsm-v1 .so (needed for opendnssec's conf.xml)
+- Require p11-kit, nss-tools, for SoftHSM PKCS #11 Module file
+- Copy pk11install.c from coolkey package
+- Enable hardened build
+- Add upstream official source url
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.3.6-1
+- Updated to 1.3.6 (rhbz#1070196)
+- Provide a p11-kit module file (rhbz#1085327)
+
+* Sun Nov 03 2013 Paul Wouters <pwouters@redhat.com> - 1.3.5-1
+- Updated to 1.3.5 (rhbz#987721)
+
+* Tue Jul 30 2013 Paul Wouters <pwouters@redhat.com> - 1.3.3-4
+- Rebuilt for new botan - requires --with-botan argument
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 04 2012 Paul Wouters <pwouters@redhat.com> - 1.3.3-1
+- Updated to 1.3.3
+
+* Tue Apr 03 2012 Paul Wouters <pwouters@redhat.com> - 1.3.2-1
+- Updated to 1.3.2.
+- Changed user from opendnssec to ods, as used in the opendnssec package
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Oct 27 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-3
+- Initial Fedora package
+- Do not install the .a file
+- Use a separate "opendnssec" user to own /var/sofhsm
+
+* Tue Oct 25 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-2
+- Fix description texts w.r.t. include files
+
+* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-1
+- Upgraded to 1.3.0
+
+* Thu Mar  3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
+- Initial package for Fedora