openCryptoki-3.24.0-6.2 RPM for x86_64

From OpenSuSE Tumbleweed for x86_64

Name: openCryptoki
Distribution: openSUSE Tumbleweed
Version: 3.24.0
Vendor: openSUSE
Release: 6.2
Build date: Wed Dec 11 08:25:11 2024
Group: Productivity/Security
Build host: reproducible
Size: 935047
Source RPM: openCryptoki-3.24.0-6.2.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/opencryptoki/opencryptoki
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware

Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.

License

CPL-1.0

Changelog

* Wed Dec 11 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
      (jsc#PED-10291, jsc#PED-10290)
* Tue Dec 10 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
    * Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
    - %{_sysconfdir}/opencryptoki/strength.conf
    - %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
* Thu Nov 21 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
  - Improved handling of user/group. Use existing user/group if they
    exist, create user/group if not (bsc#1225876)
  - Applied additional patch
    * ocki-3.24-remove-group-from-tests.patch
* Fri Oct 04 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Amended the .spec file (jsc#PED-10241)
  - Updated the %configure flags for i586
  - Implemented a logic to exclude i586 arch
* Fri Sep 20 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Upgrade openCryptoki to version 3.24
    (jsc#PED-10291, jsc#PED-10290, jsc#PED-10241)
    * Add support for building Opencryptoki on the IBM AIX platform
    * Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
    * Add support for protecting tokens with a token specific user group
    * EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
    * CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
    * CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM).
    - On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and
      CCA v8.0 for the Round 3 variants.
    - On other platforms:
      Requires CCA v7.2.43 or later for Round2-65, the Round 3 variants are currently not supported
    * CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt.
    - Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
    * CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms.
    - Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
    * ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
    * ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
    * ICA/Soft: Add support for SHA based key derivation mechanisms
    * ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
    * EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
    * EP11/CCA: Support live guest relocation for protected key (PKEY) operations
    * Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
    * ICSF: Add support for SHA-2 mechanisms
    * ICSF: Performance improvements for attribute retrieval
    * p11sak: Add support for exporting a key or certificate as URI-PEM file
    * p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
    * p11sak: Add option to show the master key verification patterns of secure keys
    * Bug fixes
  - Amended the .spec file
  - Removed obsolete patch ocki-3.23-remove-make-install-chgrp.patch
  - Added a new patch ocki-3.24-remove-make-install-chgrp.patch
* Thu Jul 18 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Amended the .spec file according to the recommendation in (bsc#1225876)
* Thu Jul 11 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Updated the .spec file (bsc#1225876, bsc#1227280)
    * Amended for group %{pkcs_group} and user pkcsslotd
    * Copying example script files from /usr/share/doc/opencryptoki to
      /usr/share/opencryptoki (policy-example.conf and strength-example.conf)
      in case that there is 'rpm.install.excludedocs=yes' set in the
      zypper.conf(zypp.conf)
* Wed Feb 07 2024 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
    * EP11: Add support for FIPS-session mode
    * Updates to harden against RSA timing attacks (bsc#1219217,CVE-2024-0914)
    * Bug fixes
  - Renamed ocki-3.22-remove-make-install-chgrp.patch to
      ocki-3.23-remove-make-install-chgrp.patch
* Mon Feb 05 2024 Marcus Meissner <meissner@suse.com>
  - provide user(pkcs11) and group(pkcs11)
* Mon Dec 04 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Amended the .spec file for pkcsslotd (jsc#1217703)
    * Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to
      ocki-3.22-remove-make-install-chgrp.patch
* Thu Sep 21 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Upgrade to version 3.22 (jsc#PED-3361)
    * openCryptoki 3.22
    - CCA: Add support for the AES-XTS key type using CPACF protected keys
    - p11sak: Add support for managing certificate objects
    - p11sak: Add support for public sessions (no-login option)
    - p11sak: Add support for logging in as SO (security Officer)
    - p11sak: Add support for importing/exporting Edwards and Montgomery keys
    - p11sak: Add support for importing of RSA-PSS keys and certificates
    - CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
    * Bug fixes
* Fri May 26 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
    * openCryptoki 3.21
    - EP11 and CCA: Support concurrent HSM master key changes
    - CCA: protected-key option
    - pkcsslotd: no longer run as root user and further hardening
    - p11sak: Add support for additional key types (DH, DSA, generic secret)
    - p11sak: Allow wildcards in label filter
    - p11sak: Allow to specify hex value for CKA_ID attribute
    - p11sak: Support sorting when listing keys
    - p11sak: New commands: set-key-attr, copy-key to modify and copy keys
    - p11sak: New commands: import-key, export-key to import and export keys
    - Remove support for --disable-locks (transactional memory)
    - Updates to harden against RSA timing attacks
    - Bug fixes
  - Amended a new patch to fit the version 3.21
    * ocki-3.21-remove-make-install-chgrp.patch
  - Removed the old patch for the version 3.20
    * ocki-3.20-remove-make-install-chgrp.patch
* Thu Feb 16 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Updated package to openCryptoki 3.20 (bsc#1207760,
      jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 )
  - Removed the following obsolete patches:
    * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
    * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
    * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
    * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
    * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
    * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
    * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
    * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
    * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
    * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
    * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
    * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
    * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
    * ocki-3.19.0-0014-EP11-Add-new-control-points.patch
    * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
    * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
    * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
    * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
    * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
    * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
    * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
    * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
    * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
    * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
    * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
    * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
    * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
    * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
    * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
    * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
    * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
    * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
    * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
    * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
    * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
  - Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
    the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
* Tue Feb 07 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Added patch for compile errors
    * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
  - Changed spec file to use %autosetup instead of %setup.
* Mon Feb 06 2023 Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  - Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
    following patches:
    * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
    * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
    * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
    * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
    * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
    * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
    * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
    * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
    * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
    * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
    * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
    * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
    * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
    * ocki-3.19.0-0014-EP11-Add-new-control-points.patch
    * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
    * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
    * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
    * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
    * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
    * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
    * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
    * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
    * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
    * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
    * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
    * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
    * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
    * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
    * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
    * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
    * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
    * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
    * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
    * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* Mon Nov 28 2022 Mark Post <mpost@suse.com>
  - Updated spec file to set permissions on /etc/opencryptoki/strength.conf
    to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
* Fri Sep 30 2022 Mark Post <mpost@suse.com>
  - Upgrade to version 3.19.0 (jsc#PED-616)
    + openCryptoki 3.19
    - CCA: check for expected master key verification patterns at token init
    - CCA: check master key verification pattern of created keys to be as expected
    - EP11: check for expected wrapping key verification pattern at token init
    - EP11: check wrapping key verification pattern of created keys to be as expected
    - p11sak/pkcsconf: display PKCS#11 URIs
    - p11sak: add support for IBM specific Dilithium keys
    - p11sak: allow to list keys filtered by label
    - common: add support for dual-function cryptographic functions
    - Add support for C_SessionCancel function (PKCS#11 v3.0)
    - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
    - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
    - Bug fixes
    + openCryptoki 3.18
    - Default to FIPS compliant token data format (tokversion = 3.12)
    - Add support for restricting usage of mechanisms and keys via a global policy
    - Add support for statistics counting of mechanism usage
    - ICA/EP11: Support libica version 4
    - p11sak tool: Allow to set different attributes for public and private keys
  - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
    version named ocki-3.19-remove-make-install-chgrp.patch to fit
    the current state of the source.
  - Removed the following obsolete patches:
    openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
    openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
    ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
* Wed Aug 10 2022 Mark Post <mpost@suse.com>
  - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
    for bsc#1202106. One test of the gen_purpose test cases fails with
    "C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
* Thu Jun 02 2022 Mark Post <mpost@suse.com>
  - Made the following changes for bsc#1199862 "Please install
    p11sak_defined_attrs.conf."
    * Replaced ocki-3.11-remove-make-install-chgrp.patch with
      ocki-3.17-remove-make-install-chgrp.patch to remove the
      "-g pkcs11" parameter from the install command in the Makefile
    * Updated the spec file to include
      /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
      with the necessary permissions and group ownership.
* Wed Mar 23 2022 Mark Post <mpost@suse.com>
  - Added the following two patches for bac#1197395. The CKM_IBM_DILITHIUM
    mechanism does not show up as supported by the EP11 token when an
    upgraded EP11 host library is used.
    * openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
    * openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch

Files

/etc/opencryptoki
/etc/opencryptoki/ccatok.conf
/etc/opencryptoki/opencryptoki.conf
/etc/opencryptoki/p11sak_defined_attrs.conf
/etc/opencryptoki/strength.conf
/usr/lib/systemd/system/pkcsslotd.service
/usr/lib/tmpfiles.d/opencryptoki.conf
/usr/lib64/opencryptoki
/usr/lib64/opencryptoki/stdll
/usr/sbin/p11sak
/usr/sbin/pkcscca
/usr/sbin/pkcsconf
/usr/sbin/pkcshsm_mk_change
/usr/sbin/pkcsicsf
/usr/sbin/pkcsslotd
/usr/sbin/pkcsstats
/usr/sbin/pkcstok_admin
/usr/sbin/pkcstok_migrate
/usr/sbin/rcpkcsslotd
/usr/share/doc/opencryptoki
/usr/share/doc/opencryptoki/policy-example.conf
/usr/share/doc/opencryptoki/strength-example.conf
/usr/share/doc/packages/openCryptoki
/usr/share/doc/packages/openCryptoki/FAQ
/usr/share/doc/packages/openCryptoki/README.cca_stdll
/usr/share/doc/packages/openCryptoki/README.devel
/usr/share/doc/packages/openCryptoki/README.ep11_stdll
/usr/share/doc/packages/openCryptoki/README.icsf_stdll
/usr/share/doc/packages/openCryptoki/README.token_data
/usr/share/doc/packages/openCryptoki/README.tpm_stdll
/usr/share/doc/packages/openCryptoki/coding_style.md
/usr/share/doc/packages/openCryptoki/doc.mk
/usr/share/doc/packages/openCryptoki/openCryptoki-TFAQ.html
/usr/share/doc/packages/openCryptoki/opencryptoki-howto.md
/usr/share/doc/packages/openCryptoki/policy-example.conf
/usr/share/doc/packages/openCryptoki/strength-example.conf
/usr/share/doc/packages/openCryptoki/system_resources
/usr/share/man/man1/p11sak.1.gz
/usr/share/man/man1/pkcscca.1.gz
/usr/share/man/man1/pkcsconf.1.gz
/usr/share/man/man1/pkcshsm_mk_change.1.gz
/usr/share/man/man1/pkcsicsf.1.gz
/usr/share/man/man1/pkcsstats.1.gz
/usr/share/man/man1/pkcstok_admin.1.gz
/usr/share/man/man1/pkcstok_migrate.1.gz
/usr/share/man/man5/opencryptoki.conf.5.gz
/usr/share/man/man5/p11sak_defined_attrs.conf.5.gz
/usr/share/man/man5/policy.conf.5.gz
/usr/share/man/man5/strength.conf.5.gz
/usr/share/man/man7/opencryptoki.7.gz
/usr/share/man/man8/pkcsslotd.8.gz
/usr/share/opencryptoki
/usr/share/opencryptoki/policy-example.conf
/usr/share/opencryptoki/strength-example.conf
/var/lib/opencryptoki
/var/lib/opencryptoki/ccatok
/var/lib/opencryptoki/ccatok/TOK_OBJ
/var/lib/opencryptoki/icsf
/var/lib/opencryptoki/swtok
/var/lib/opencryptoki/swtok/TOK_OBJ
/var/lib/opencryptoki/tpm
/var/log/opencryptoki


Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Jan 12 01:37:12 2025