Skip to content

Releases: latchset/pkcs11-provider

Release 0.6

22 Nov 17:47
Compare
Choose a tag to compare

##Notable Changes

  • TLS 1.3 is now supported via token handling (KDFs etc..)
  • A new feature to prevent PIN lockouts when the token correctly signals authentication attempts depletion via token info.
  • Several issues with handling keys related to run a full end-to-end TLS connection on the token have been fixed
  • Most cases when early loading was needed have ben resolved, HTTP and Bind for example work without specifying early loading for the provider
  • Several memory leaks have been resolved
  • Several new tests including a whole new token (kryoptic) are tested now, as well as tlsfuzzer against a TLS server deferring all operations to the tokens.

What's Changed

  • Fix types for old 32 bit systems by @simo5 in #406
  • Fetch CKA_ALWAYS_AUTHENTICATE only for priv keys by @simo5 in #407
  • Small re-organization of documentation files by @The-Mule in #391
  • Sundry fixes/changes by @simo5 in #408
  • Update HOWTO.md by @karamellpelle in #411
  • Fix CID 500198: Integer handling issues by @simo5 in #415
  • Add testing against kryoptic in CI by @simo5 in #413
  • Libssh test fix by @Jakuje in #412
  • Off-by-one error in pool consistency check by @glguy in #420
  • Set the raw point for ECDH public data params by @simo5 in #417
  • Use a single tool for setting up the token by @simo5 in #418
  • Return OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY by @simo5 in #423
  • tests: Fix ASAN build on macOS by @neverpanic in #425
  • Extend the ttls test to be able to test different configurations by @Jakuje in #422
  • Test operations with pem keys by @simo5 in #428
  • Enable Ed25519 tests (and other forgotten ones) for kryoptic by @Jakuje in #431
  • Add CKA_DERIVE flag in server's private key template by @kshitizvars in #424
  • tests: No longer skip tests reading EC keys from cert by @Jakuje in #434
  • Add basic Ed448 tests by @Jakuje in #433
  • Allow fallback to pulling cert when checking private/public key consistency by @simo5 in #435
  • Refactor setup by @simo5 in #436
  • Increased size of EC_PRIVKEY_TMPL_SIZE by @kshitizvars in #439
  • fix: p11prov_tls_constant_time_depadding bug corrected by @sebastienandert in #440
  • Add support for importing keys into the token as session ephemeral keys by @simo5 in #441
  • tests: get rid of unnecessary redirection by @The-Mule in #447
  • Add TLS13-KDF by @simo5 in #446
  • Sundry fixes by @simo5 in #448
  • Integration test improvements (bind with kryoptic and disabling early initialization) by @The-Mule in #450
  • Passing CK_P11PROV_IMPORTED_HANDLE while creating mock public key by @kshitizvars in #449
  • tests: Run more TLS tests when forcing all server operations on token by @Jakuje in #453
  • Add documentation for URIs in PEM files by @simo5 in #456
  • Add code to prevent locking the token by mistake by @simo5 in #457
  • Add basic tlsfuzzer tests by @Jakuje in #459
  • Fix memory leaks when tokens are missing by @simo5 in #463
  • Support TLS operation with EdDSA keys by @Jakuje in #465
  • Fix memory leak of ctx_pool.contexts by @neverpanic in #471
  • tests: Use LeakSanitizer to catch future memory leaks by @Jakuje in #472

New Contributors

Full Changelog: v0.5...v0.6

Release 0.5

05 Jun 14:12
Compare
Choose a tag to compare

What's Changed

New Contributors

Full Changelog: v0.4...v0.5

Release 0.4

21 May 17:25
Compare
Choose a tag to compare

Several bugfixes:

Notable changes

  • We moved the build system to Meson
  • A feature to embed pkcs11- URIs into "fake" PEM files has been added which makes it possible to transparently use the provider with many tools that accept keys only as PEM files.

What's Changed

  • Remove obsolete pointer to docs in the wiki by @simo5 in #336
  • Added an option to set NULL callbacks for C_OpenSession by @Maks027 in #343
  • Run CI with integration test for libssh by @The-Mule in #340
  • RSA key comparison: exit early after MODULUS / PUBLIC_EXPONENT are compared - no round-trip to HSM by @space88man in #346
  • EC keys: implement vendor optimization when private key contains CKA_EC_POINT by @space88man in #347
  • Handle compressed EC point from OpenSSL < 3.0.8 by @space88man in #349
  • GH workflow install libssl3t64-dgbsym on debian by @0pq76r in #353
  • Minor fix for "Available profiles" debug output by @0pq76r in #354
  • Integration tests (libssh, httpd, bind) by @The-Mule in #358
  • Decoder: pkcs11-uri in pem by @0pq76r in #328
  • Fallback to a read lock on fork preparation by @simo5 in #356
  • Add pull request template by @Jakuje in #362
  • Try to run Coverity Scan on demand by @simo5 in #366
  • Add uri2pem.py tool to create pkcs11-provider PEM key files by @space88man in #363
  • ci: Run tests also against CentOS 9 (OpenSSL 3.0) by @Jakuje in #369
  • Fix minor typo (teplate->template) by @sarroutbi in #371
  • Avoid warnings related to Node20 Github actions by @sarroutbi in #373
  • Do not cache operations when provider status is uninitialized by @ifranzki in #372
  • Change names of the two covscan jobs by @simo5 in #374
  • Set correct pin-value format in tests by @sarroutbi in #376
  • ci: Switch to macOS 14 on M series chips by @neverpanic in #377
  • Use a genereic mechanism to block calls to tokens by @simo5 in #378
  • Add more generic EdDSA tests by @simo5 in #379
  • implement more tests with EdDSA keys (export and comparison) by @Jakuje in #292
  • Switch build system to Meson by @ueno in #304
  • build: Install provider in correct path by @neverpanic in #380
  • Fix tests/README (adapt to meson) by @sarroutbi in #382
  • Address various issues with meson builds by @simo5 in #385
  • fixing Covscan PR target by @simo5 in #386
  • Add tests with pin-source parameter in PKCS#11 URI by @sarroutbi in #384
  • ci: Run the CI also on ubuntu by @Jakuje in #393

New Contributors

Full Changelog: v0.3...v0.4

v0.3

22 Jan 17:37
Compare
Choose a tag to compare

What's Changed

  • Fix mismatching version in spec file by @simo5 in #261
  • Update spec file with min OpenSSL version and change log entry by @sahanaprasad07 in #262
  • Enable gpg signature verification in spec file by @sahanaprasad07 in #263
  • Initial support for explicit EC by @manison in #245
  • Skip login if token does not require login by @CharlieYJH in #258
  • Change how key export works, and add key import functionality as well as key match by @simo5 in #267
  • Smarten up handling of login session by @simo5 in #273
  • Extend key comparison tests by @manison in #275
  • Allow setting OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY for EC keys by @manison in #277
  • Change Key Generation to take a URI by @simo5 in #284
  • Reinit module only once after fork by @simo5 in #286
  • Plug a small race in token login operations by @simo5 in #288
  • Implement special parameter to define Key Usage by @simo5 in #289
  • Fix key generation template size and debug log message by @fabled in #283
  • Embed the private key with public key attributes. by @sahanaprasad07 in #293
  • CID 465959: Resource leaks by @simo5 in #294
  • Replace Oasis headers with public domain headers by @simo5 in #306
  • Fix: enable cross compilation by removing the AC_CHECK_FILE macro by @oleorhagen in #307
  • tests: Fix expected output and fix Debian package name by @Jakuje in #314
  • Side-channel proofing PKCS#1 1.5 paths (CVE-2023-6258) by @simo5 in #308
  • Minor coverity fixes by @simo5 in #315
  • Implement support for ALWAYS_AUTH and interactive prompting when the caller did not provide pin by @Jakuje in #309
  • Apply coverity Fixes by @simo5 in #318
  • Use a cached version of the URI to refresh objects by @simo5 in #316
  • Use correct strdup function in macro by @simo5 in #323
  • CKK_EC_EDWARDS: EC_PARAMS containing oID by @0pq76r in #325
  • objects: Avoid memory leak by @Jakuje in #326
  • tests: tls test without sleep by @0pq76r in #319
  • Quirk: no-operation-state by @0pq76r in #324
  • Add --with-openssl info to BUILD.md by @stgloorious in #330
  • Fix RSA key generation and test size by @simo5 in #332
  • Do not load profiles when they can't be available by @simo5 in #333
  • tests: Check csr for keys in token with openssl by @Jakuje in #334
  • Release version 0.3 by @simo5 in #335

New Contributors

Full Changelog: v0.2...v0.3

Release 0.2

07 Jul 10:14
Compare
Choose a tag to compare

This is mainly a bugfix release following up to 0.1
Thanks to all contributors that provided feedback and fixes.

What's Changed

  • CID 451133: Fix errors using config option names by @simo5 in #221
  • Set default digest for digest_sign/verify functions by @simo5 in #224
  • Add a quirk to prevent calling the module on exit by @simo5 in #225
  • Support OSSL_PKEY_PARAM_DEFAULT/MANDATORY_DIGEST by @simo5 in #227
  • Fix public key exporting by @simo5 in #228
  • Fix SoftHSM issues wth PSS keys by @simo5 in #229
  • Improve URI management by @simo5 in #230
  • CID 452520: Copy-paste error by @simo5 in #231
  • Implement support to expose PKCS#11 Random as openssl rand provider by @simo5 in #233
  • Add tunable to influence session caching by @simo5 in #236
  • some setup nits for OpenSSL by @baentsch in #241
  • Add quirk to control CKA_ALLOWED_MECHANISMS by @simo5 in #237
  • Add debugging of config options by @simo5 in #242
  • Add manpage by converting wiki's markdown by @simo5 in #244
  • Run tests under valgrind, address-sanitizer and address several memory-related issues by @Jakuje in #243
  • Minor coverity fixes by @simo5 in #246
  • Do not link provider to libssl by @simo5 in #251
  • tests: Avoid bogus failures from ossl helper by @Jakuje in #254
  • Fixes to spec file to include the right release, source URL, man page, and docs. by @sahanaprasad07 in #253
  • spec file clean up. by @sahanaprasad07 in #255
  • Run Shellcheck as part of CI and squash the shellcheck and yamlint warnings by @Jakuje in #256
  • Set the value for CRYPTO_LIBS flag correctly by @sahanaprasad07 in #257

New Contributors

Full Changelog: v0.1...v0.2

Release 0.1

30 Mar 13:49
Compare
Choose a tag to compare

This is the first release of the pkcs11 provider for OpenSSL 3

With the release of OpenSSL 3.0 the older Engines have been deprecated, this code allow the use of pkcs#11 tokens via the native OpenSSL 3 provider interface.
It supports full RFC7512 PKCS #11 URIs to specify keys and most OpenSSL commands work when openssl.cnf is properly configured to load this provider. Either by simply specifying a URI as a key or by requesting the use of provider=pkcs11 in a propquery.

The code is far from bug-free but we believe this is a good first milestone, and is ready for wider testing. It has already been tested with software tokens and a few hardware tokens, note that some software tokens will not work correctly if they directly link to OpenSSL without utilizing a separate libctx for their operation. For those tokens a p11-kit proxy may be used as a workaround (see SoftHSM tests to understand how this works).

This version requires at least OpenSSL 3.0.7 as previous versions had bugs that prevented some operations from working correctly.

This is the culmination of several months of work, with the collaboration of many people.
A big thank you to all the contributors listed below.

What's Changed

  • Add minimal CI via github actions by @simo5 in #1
  • Add support to return errors to OpenSSL by @simo5 in #2
  • Fix operator precedence errors by @oerdnj in #9
  • Modernize the autotools usage a bit by @oerdnj in #6
  • Fix logical error in p11prov_rsakm_secbits by @oerdnj in #10
  • Add headers to the Makefile.am by @oerdnj in #12
  • Add compatibility shim for endian related functions by @oerdnj in #8
  • Make RTLD_DEEPBIND optional by @oerdnj in #11
  • Fix mismatch between CK_UTF8CHAR_PTR and const char * by @oerdnj in #13
  • Add SPDX license headers by @oerdnj in #16
  • Fix make distcheck by @simo5 in #17
  • Add initial .clang-format style and reformat the sources using it by @oerdnj in #15
  • Add checks to enforce at least c11 semantics by @simo5 in #19
  • Fix few typos and copy&paste errors by @oerdnj in #21
  • Add GitHub Action that runs Clang's scan-build by @oerdnj in #23
  • Use OPENSSL_strcasecmp() instead of strcasecmp() by @oerdnj in #26
  • Add missing single-line braces using clang-tidy by @oerdnj in #20
  • Add GitHub Action to build with clang by @oerdnj in #24
  • Enable all (most) of the warnings as errors by @oerdnj in #25
  • Create CODE_OF_CONDUCT.md by @simo5 in #27
  • Add doc on how to contribute to the project by @simo5 in #28
  • Add skeleton Security policy by @simo5 in #29
  • Add GitHub Action for Coverity Scan by @oerdnj in #30
  • Add handling of pin in provider configuration by @simo5 in #31
  • Fix issues found by the last Coverity Scan check by @oerdnj in #33
  • Add PIN prompting support by @simo5 in #36
  • Allow store to enumerate objects by @simo5 in #38
  • Fix coverity issues introduced yesterday by @simo5 in #39
  • Clarfiy PKCS#11 structure packing comment by @fabled in #40
  • Fix PIN wiping in few places by @fabled in #41
  • Make use of the session stored on the store ctx by @simo5 in #43
  • Fix infinite loop in case no key was found. by @simo5 in #44
  • Key loading by @simo5 in #45
  • Make debug functions a little more robust by @simo5 in #46
  • Fix issues found by valgrinding test suite by @fabled in #47
  • Fail hard make check if nss-softokn devel files were not found by @pemensik in #50
  • Debug: remove zero bytes after newlines by @simo5 in #51
  • fixes for git, autotools and library lookup by @holger-dengler in #52
  • Repurpose p11prov_ctx_fns as status check function by @simo5 in #53
  • Fix covscan detected issues by @simo5 in #54
  • Session object pooling by @simo5 in #48
  • Coverity Fixes 4 by @simo5 in #57
  • Rsa keygen by @simo5 in #56
  • New batch of coverity findings after the last few merges by @simo5 in #58
  • Add code to list and debug token mechanisms by @simo5 in #59
  • uri: fix key references by label by @holger-dengler in #62
  • Add RSA-PSS support by @simo5 in #61
  • Add codespell to CI by @simo5 in #63
  • Coverity Fixes series 6 by @simo5 in #64
  • Remove double newlines in some debug functions by @simo5 in #65
  • Make debugging less annoying by @simo5 in #70
  • Change CI to run custom distros via containers by @simo5 in #71
  • Require OpenSSL >= 3.0.5 by @simo5 in #72
  • Coverity Fixes Series 7 by @simo5 in #73
  • WIP: Remove the use of custom operation names by @simo5 in #67
  • Avoid leaving behind a freed pointer by @simo5 in #74
  • Improve store loading with multiple tokens by @simo5 in #75
  • Add different ways for specifying PKCS#11 module to use by @Jakuje in #79
  • CID 361508: Resource Leak by @simo5 in #80
  • Improve public key export by @simo5 in #81
  • Update build prerequisites by @simo5 in #85
  • Fedora package and requirements clarifications by @Jakuje in #77
  • Add support for generating CSRs via openssl req command by @simo5 in #87
  • Implement callback for tls group capabilities by @simo5 in #90
  • Improve signature debugging wrt paramter setting by @simo5 in #95
  • Fix detection of endianness by @Jakuje in #100
  • Fix openssl ca certificate releated issues by @simo5 in #98
  • CID 376412: Fix lost error out by @simo5 in #102
  • run tests also using SoftHSM by @Jakuje in #97
  • Add support to expose digest mechanisms through the provider by @simo5 in #103
  • Coverity Fixes series 9 by @simo5 in #104
  • Refactor test suite by @simo5 in #106
  • Debug Improvements by @holger-dengler in #107
  • Rename the module binary to just pkcs11.so by @simo5 in #108
  • Fix "tests" when built outside source directory by @dengert in #111
  • Use OSSL_PARAM_get_utf8_string_ptr() when possible by @fabled in #115
  • Add basic support to load certificates from tokens by @simo5 in #116
  • Add p11prov_mech_by_mechanism() helper and use it by @fabled in #118
  • Remove space padding from slot and token info by @fabled in #119
  • Simplify and fix signature DER AlgorithmInfo by @fabled in #117
  • Fix ECDSA signatures and improve tests by @fabled in #121
  • Fix RSA signatures with pre-calculated hash by @fabled in ...
Read more