| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: openCryptoki-64bit | Distribution: openSUSE:Factory:zSystems |
| Version: 3.25.0 | Vendor: openSUSE |
| Release: 5.1 | Build date: Thu Aug 14 06:56:04 2025 |
| Group: Productivity/Security | Build host: reproducible |
| Size: 4322022 | Source RPM: openCryptoki-3.25.0-5.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/opencryptoki/opencryptoki | |
| Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware | |
This is a re-packaged binary rpm. For the package source, please look for the source of the package without the "64bit" ending The PKCS#11 version 2.11 API implemented for the IBM cryptographic cards. This package includes support for the IBM 4758 cryptographic coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries).
CPL-1.0
* Thu Aug 14 2025 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1248002)
* ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
* Tue Jul 29 2025 Andreas Schwab <schwab@suse.de>
- Add riscv64 to openCryptoki_64bit_arch
* Mon Jun 16 2025 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
* Updates/add supports
- ICA/Soft: Add support for PKCS#11 v3.0 SHAKE key derivation
- EP11: Add support for PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
- EP11: Add support for PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
- EP11: Add support for PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
- CCA: Add support for CCA AES CIPHER secure key types
- CCA: Add support for the CKM_ECDH1_DERIVE mechanism
- Soft/ICA: Add support for the CKM_AES_KEY_WRAP[_*] mechanisms
- CCA/Soft/ICA: Add support for the CKM_RSA_AES_KEY_WRAP mechanism
- Soft/ICA: Add support for the CKM_ECDH_AES_KEY_WRAP mechanism
- ICA: Report mechanisms dependent on if libica is in FIPS mode
- P11KMIP: Add a tool for import and exporting PKCS#11 keys to a KMIP server
- EP11: Add support for opaque secure key blob import via C_CreateObject
- Soft/ICA: Add support for key wrapping with AES-GCM
- CCA: Add support for newer CCA versions on s390x and non-s390x platforms
- CCA: Add support for CKM_AES_GCM (single-part operations only)
* Amended the .spec file
* Removed obsolete patches:
- ocki-3.24-remove-group-from-tests.patch
- ocki-3.24-remove-make-install-chgrp.patch
* Applied a new patch for version 3.25
- ocki-3.25-remove-make-install-chgrp.patch
* Bug fixes
* Wed Dec 11 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
(jsc#PED-10291, jsc#PED-10290)
* Tue Dec 10 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
* Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
- %{_sysconfdir}/opencryptoki/strength.conf
- %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
* Thu Nov 21 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
- Improved handling of user/group. use existing user/group if they
exist. create user/group if not (bsc#1225876)
- Applied additional patch
* ocki-3.24-remove-group-from-tests.patch
* Fri Oct 04 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10241)
- Updated the %configure flags for i586
- Implemented a logic to exclude i586 arch
* Fri Sep 20 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to version 3.24
(jsc#PED-10291, jsc#PED-10290, jsc#PED-10241)
* Add support for building Opencryptoki on the IBM AIX platform
* Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
* Add support for protecting tokens with a token specific user group
* EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
* CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
* CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM).
- On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and
CCA v8.0 for the Round 3 variants.
- On other platforms:
Requires CCA v7.2.43 or later for Round2-65, the Round 3 variants are currently not supported
* CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt.
- Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
* CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms.
- Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
* ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
* ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
* ICA/Soft: Add support for SHA based key derivation mechanisms
* ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
* EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
* EP11/CCA: Support live guest relocation for protected key (PKEY) operations
* Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
* ICSF: Add support for SHA-2 mechanisms
* ICSF: Performance improvements for attribute retrieval
* p11sak: Add support for exporting a key or certificate as URI-PEM file
* p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
* p11sak: Add option to show the master key verification patterns of secure keys
* Bug fixes
- Amended the .spec file
- Removed obsolete patch ocki-3.23-remove-make-install-chgrp.patchi
- Added a new patch ocki-3.24-remove-make-install-chgrp.patch
* Thu Jul 18 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file accorinding to the recommendation in (bsc#1225876)
* Thu Jul 11 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file (bsc#1225876, bsc#1227280)
* Amended for group %{pkcs_group} and user pkcsslotd
* Copying example script files from /usr/share/doc/opencryptoki to
/usr/share/opencryptoki (policy-example.conf and strength-example.conf)
in case that there is 'rpm.install.excludedocs=yes' set in the
zypper.conf(zypp.conf)
* Wed Feb 07 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
* EP11: Add support for FIPS-session mode
* Updates to harden against RSA timing attacks (bsc#1219217,CVE-2024-0914)
* Bug fixes
- Renamed ocki-3.22-remove-make-install-chgrp.patch to
ocki-3.23-remove-make-install-chgrp.patch
* Mon Feb 05 2024 Marcus Meissner <meissner@suse.com>
- provide user(pkcs11) and group(pkcs11)
* Mon Dec 04 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file for pkcsslotd (jsc#1217703)
* Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to
ocki-3.22-remove-make-install-chgrp.patch
* Thu Sep 21 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 3.22 (jsc#PED-3361)
* openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
* Bug fixes
* Fri May 26 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a new patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
- Removed the old patch for the version 3.20
* ocki-3.20-remove-make-install-chgrp.patch
* Thu Feb 16 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated package to openCryptoki 3.20 (bsc#1207760,
jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 )
- Removed the following obsolite patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
* Tue Feb 07 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
-- Changed spec file to use %autosetup instead of %setup.
* Mon Feb 06 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* Mon Nov 28 2022 Mark Post <mpost@suse.com>
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
* Fri Sep 30 2022 Mark Post <mpost@suse.com>
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
* Wed Aug 10 2022 Mark Post <mpost@suse.com>
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
* Thu Jun 02 2022 Mark Post <mpost@suse.com>
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
* Wed Mar 23 2022 Mark Post <mpost@suse.com>
- Added the following two patches for bac#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
/etc/ld.so.conf.d/opencryptoki-s390x.conf /usr/lib64/opencryptoki /usr/lib64/opencryptoki/PKCS11_API.so /usr/lib64/opencryptoki/libopencryptoki.so /usr/lib64/opencryptoki/libopencryptoki.so.0 /usr/lib64/opencryptoki/libopencryptoki.so.0.0.0 /usr/lib64/opencryptoki/stdll /usr/lib64/opencryptoki/stdll/PKCS11_CCA.so /usr/lib64/opencryptoki/stdll/PKCS11_EP11.so /usr/lib64/opencryptoki/stdll/PKCS11_ICA.so /usr/lib64/opencryptoki/stdll/PKCS11_ICSF.so /usr/lib64/opencryptoki/stdll/PKCS11_SW.so /usr/lib64/opencryptoki/stdll/PKCS11_TPM.so /usr/lib64/opencryptoki/stdll/libpkcs11_cca.so /usr/lib64/opencryptoki/stdll/libpkcs11_cca.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_cca.so.0.0.0 /usr/lib64/opencryptoki/stdll/libpkcs11_ep11.so /usr/lib64/opencryptoki/stdll/libpkcs11_ep11.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_ep11.so.0.0.0 /usr/lib64/opencryptoki/stdll/libpkcs11_ica.so /usr/lib64/opencryptoki/stdll/libpkcs11_ica.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_ica.so.0.0.0 /usr/lib64/opencryptoki/stdll/libpkcs11_icsf.so /usr/lib64/opencryptoki/stdll/libpkcs11_icsf.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0 /usr/lib64/opencryptoki/stdll/libpkcs11_sw.so /usr/lib64/opencryptoki/stdll/libpkcs11_sw.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_sw.so.0.0.0 /usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so /usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so.0 /usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0 /usr/lib64/pkcs11 /usr/lib64/pkcs11/PKCS11_API.so /usr/lib64/pkcs11/libopencryptoki.so /usr/lib64/pkcs11/methods /usr/lib64/pkcs11/stdll
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Oct 22 23:18:26 2025