Releases: opencryptoki/opencryptoki
Version 3.26.0
- Soft: Add support for RSA keys up to 16K bits.
- CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
- p11sak: Add support for generating RSA keys up to 16K bits.
- Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanisms (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
- Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
- p11sak: Add support for SHA-HMAC key types and key generation.
- p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping with various key wrapping mechanisms.
- p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
- p11sak: Add support for exporting non-sensitive private keys to password-protected PEM files.
- Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
- EP11: Add support for pairing-friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
- p11sak: Add support for generating BLS12-381 EC keys.
- EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
- CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
- Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
- p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
- Bug fixes.
Version 3.25.0
- ICA/Soft: Add support for PKCS#11 v3.0 SHAKE key derivation
- EP11: Add support for PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
- EP11: Add support for PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
- EP11: Add support for PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
- CCA: Add support for CCA AES CIPHER secure key types
- CCA: Add support for the CKM_ECDH1_DERIVE mechanism
- Soft/ICA: Add support for the CKM_AES_KEY_WRAP[_*] mechanisms
- CCA/Soft/ICA: Add support for the CKM_RSA_AES_KEY_WRAP mechanism
- Soft/ICA: Add support for the CKM_ECDH_AES_KEY_WRAP mechanism
- ICA: Report mechanisms depending on whether libica is in FIPS mode
- P11KMIP: Add a tool for importing and exporting PKCS#11 keys to a KMIP server
- EP11: Add support for opaque secure key blob import via C_CreateObject
- Soft/ICA: Add support for key wrapping with AES-GCM
- CCA: Add support for newer CCA versions on s390x and non-s390x platforms
- CCA: Add support for CKM_AES_GCM (single-part operations only)
- Bug fixes
Version 3.24.0
- Add support for building Opencryptoki on the IBM AIX platform
- Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
- Add support for protecting tokens with a token-specific user group
- EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
- CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
- CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM). On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and CCA v8.0 for the Round 3 variants. On other platforms: Requires CCA v7.2.43 or later for Round2-65; the Round 3 variants are currently not supported
- CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt. Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
- CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms. Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
- ICA: Support new libica AES-GCM API using the KMA instruction on z14 and later
- ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
- ICA/Soft: Add support for SHA based key derivation mechanisms
- ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
- EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
- EP11/CCA: Support live guest relocation for protected key (PKEY) operations
- Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
- ICSF: Add support for SHA-2 mechanisms
- ICSF: Performance improvements for attribute retrieval
- p11sak: Add support for exporting a key or certificate as URI-PEM file
- p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
- p11sak: Add option to show the master key verification patterns of secure keys
- Bug fixes
Version 3.23.0
- EP11: Add support for FIPS-session mode
- Updates to harden against RSA timing attacks
- Bug fixes
Version 3.22.0
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (Security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
- Bug fixes