Sync from SUSE:SLFO:Main openCryptoki revision 78767f89cd5b589a8465401f9c99b12e

ocki-3.24-remove-make-install-chgrp.patch

@@ -1,21 +1,26 @@
---- Makefile.am	2023-05-15 14:42:55.000000000 +0200
-+++ Makefile-3.21.am	2023-05-25 17:13:36.266936832 +0200
-@@ -39,14 +39,9 @@
+--- a/Makefile.am	2024-09-11 08:46:18.000000000 +0200
++++ b/Makefile.am	2024-09-20 11:31:30.709823171 +0200
+@@ -51,19 +51,9 @@
  include doc/doc.mk
  
  install-data-hook:
+-if AIX
+-	lsgroup $(pkcs_group) > /dev/null || $(GROUPADD) -a pkcs11
+-	lsuser $(pkcsslotd_user) > /dev/null || $(USERADD) -g $(pkcs_group) -d $(DESTDIR)$(RUN_PATH)/opencryptoki -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-else
 -	getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
--	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
- 	$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
--	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
--	$(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
- 	$(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
+-	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d $(RUN_PATH)/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-endif
+ 	$(MKDIR_P) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+-	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+ 	$(CHMOD) 0710 $(DESTDIR)$(RUN_PATH)/opencryptoki/
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
  if ENABLE_LIBRARY
  	$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
-@@ -66,19 +61,15 @@
+@@ -83,19 +73,15 @@
  endif
  if ENABLE_PKCSHSM_MK_CHANGE
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
@@ -24,7 +29,7 @@
  endif
  if ENABLE_CCATOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_cca.so PKCS11_CCA.so
+ 		ln -fs libpkcs11_cca.$(SHLIBEXT) PKCS11_CCA.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
@@ -35,9 +40,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
-@@ -87,12 +78,9 @@
+@@ -104,12 +90,9 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_ep11.so PKCS11_EP11.so
+ 		ln -fs libpkcs11_ep11.$(SHLIBEXT) PKCS11_EP11.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
@@ -48,16 +53,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
-@@ -100,30 +88,24 @@
- endif
- if ENABLE_P11SAK
- 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
--	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
-+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL)  -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
- endif
- if ENABLE_ICATOK
+@@ -123,24 +106,18 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_ica.so PKCS11_ICA.so
+ 		ln -fs libpkcs11_ica.$(SHLIBEXT) PKCS11_ICA.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
@@ -69,7 +67,7 @@
  endif
  if ENABLE_SWTOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_sw.so PKCS11_SW.so
+ 		ln -fs libpkcs11_sw.$(SHLIBEXT) PKCS11_SW.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
@@ -80,9 +78,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
  endif
  if ENABLE_TPMTOK
-@@ -131,10 +113,8 @@
+@@ -148,10 +125,8 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_tpm.so PKCS11_TPM.so
+ 		ln -fs libpkcs11_tpm.$(SHLIBEXT) PKCS11_TPM.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
@@ -91,9 +89,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
  endif
  if ENABLE_ICSFTOK
-@@ -142,16 +122,14 @@
+@@ -159,10 +134,8 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
+ 		ln -fs libpkcs11_icsf.$(SHLIBEXT) PKCS11_ICSF.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
@@ -102,16 +100,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
  endif
  if ENABLE_DAEMON
- 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
--	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
-+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
- endif
- 	$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
- 	echo "$(libdir)/opencryptoki" >\
-@@ -162,7 +140,6 @@
- 	@echo "Remember you must run ldconfig before using the above settings"
+@@ -181,7 +154,6 @@
  	@echo "--------------------------------------------------------------"
+ endif
  	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)

openCryptoki.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Fri Sep 20 08:33:19 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCrytoki to version 3.24
+   (jsc#PED-10291, jsc#PED-10290, jsc#PED-10241)
+  * Add support for building Opencryptoki on the IBM AIX platform
+  * Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
+  * Add support for protecting tokens with a token specific user group
+  * EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
+  * CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
+  * CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM). 
+    - On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and 
+    CCA v8.0 for the Round 3 variants. 
+    - On other platforms: 
+    Requires CCA v7.2.43 or later for Round2-65, the Round 3 variants are currently not supported
+  * CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt. 
+    - Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
+  * CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms. 
+    - Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
+  * ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
+  * ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
+  * ICA/Soft: Add support for SHA based key derivation mechanisms
+  * ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
+  * EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
+  * EP11/CCA: Support live guest relocation for protected key (PKEY) operations
+  * Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
+  * ICSF: Add support for SHA-2 mechanisms
+  * ICSF: Performance improvements for attribute retrieval
+  * p11sak: Add support for exporting a key or certificate as URI-PEM file
+  * p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
+  * p11sak: Add option to show the master key verification patterns of secure keys
+  * Bug fixes
+- Amended the .spec file
+- Removed obsolete patch ocki-3.23-remove-make-install-chgrp.patchi
+- Added a new patch ocki-3.24-remove-make-install-chgrp.patch
+
 -------------------------------------------------------------------
 Thu Jul 18 06:07:40 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 

openCryptoki.spec

@@ -27,7 +27,7 @@
 %define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
-Version:        3.23.0
+Version:        3.24.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
@@ -39,7 +39,7 @@ Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
 # Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch000:       ocki-3.23-remove-make-install-chgrp.patch
+Patch000:       ocki-3.24-remove-make-install-chgrp.patch
 #
 #
 BuildRequires:  bison
@@ -136,7 +136,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 
 %prep
 # setup -q -n %{oc_cvs_tag}-%{version}
-%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
+%autosetup -p 1 -n %{oc_cvs_tag}-%{version}
 
 cp %{SOURCE2} .
 
@@ -250,8 +250,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
   # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
-%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
-%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 %ifarch s390 s390x
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
@@ -272,6 +270,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %{_sbindir}/pkcsicsf
 %{_sbindir}/pkcsstats
 %{_sbindir}/pkcstok_migrate
+%{_sbindir}/pkcstok_admin
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories