Accepting request 1089144 from home:ngueorguiev:branches:security

- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361) * openCryptoki 3.21 - EP11 and CCA: Support concurrent HSM master key changes - CCA: protected-key option - pkcsslotd: no longer run as root user and further hardening - p11sak: Add support for additional key types (DH, DSA, generic secret) - p11sak: Allow wildcards in label filter - p11sak: Allow to specify hex value for CKA_ID attribute - p11sak: Support sorting when listing keys - p11sak: New commands: set-key-attr, copy-key to modify and copy keys - p11sak: New commands: import-key, export-key to import and export keys - Remove support for --disable-locks (transactional memory) - Updates to harden against RSA timing attacks - Bug fixes - Amended a patch to fit the version 3.21 * ocki-3.21-remove-make-install-chgrp.patch OBS-URL: https://build.opensuse.org/request/show/1089144 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=133
2023-05-26 06:46:11 +00:00 · 2023-05-26 06:46:11 +00:00 · 788aa4046a
commit 788aa4046a
parent 8c6d50ec24
5 changed files with 90 additions and 53 deletions
--- a/ocki-3.21-remove-make-install-chgrp.patch
+++ b/ocki-3.21-remove-make-install-chgrp.patch
@ -1,105 +1,119 @@
--- opencryptoki-3.20.0/Makefile.am	2023-02-13 03:22:42.000000000 -0500
-+++ opencryptoki-3.20.0/Makefile.am	2023-02-13 10:40:14.561790695 -0500
-@@ -39,7 +39,6 @@
+--- Makefile.am	2023-05-15 14:42:55.000000000 +0200
+++ Makefile-3.21.am	2023-05-25 17:13:36.266936832 +0200
+@@ -39,14 +39,9 @@
 include doc/doc.mk
 
 install-data-hook:
-	getent group pkcs11 > /dev/null || $(GROUPADD) -r pkcs11
+-	getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
+-	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+ 	$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
+-	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
+ 	$(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+ 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
 if ENABLE_LIBRARY
 	$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
- 	$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
-@@ -60,12 +59,9 @@
+@@ -66,19 +61,15 @@
+ endif
+ if ENABLE_PKCSHSM_MK_CHANGE
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ endif
+ if ENABLE_CCATOK
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_cca.so PKCS11_CCA.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ccatok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
-@@ -74,12 +70,9 @@
+@@ -87,12 +78,9 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_ep11.so PKCS11_EP11.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ep11tok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
-@@ -87,30 +80,24 @@
+@@ -100,30 +88,24 @@
 endif
 if ENABLE_P11SAK
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g pkcs11 -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
-+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL)  -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
 endif
 if ENABLE_ICATOK
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_ica.so PKCS11_ICA.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/lite
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/lite
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
 endif
 if ENABLE_SWTOK
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_sw.so PKCS11_SW.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/swtok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
 endif
 if ENABLE_TPMTOK
-@@ -118,10 +105,8 @@
+@@ -131,10 +113,8 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_tpm.so PKCS11_TPM.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/tpm
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
 endif
 if ENABLE_ICSFTOK
-@@ -129,16 +114,14 @@
+@@ -142,16 +122,14 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/icsf
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
 endif
 if ENABLE_DAEMON
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g pkcs11 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
 +	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
 endif
 	$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
 	echo "$(libdir)/opencryptoki" >\
-@@ -149,7 +132,6 @@
+@@ -162,7 +140,6 @@
 	@echo "Remember you must run ldconfig before using the above settings"
 	@echo "--------------------------------------------------------------"
 	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 
 
--- a/openCryptoki-3.20.0.tar.gz
+++ b/openCryptoki-3.20.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9cdbb92c046444623f2b5f8d3ea2052fe0954ea548b4415c1f9d67c9935e06f0
-size 1655534
--- a/openCryptoki-3.21.0.tar.gz
+++ b/openCryptoki-3.21.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26fcb547028d3964b88736bcb64bdd20c3d5369f9e7117dba584e51a47cf1f4d
+size 1787924
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu May 25 15:51:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
+  * openCryptoki 3.21
+    - EP11 and CCA: Support concurrent HSM master key changes
+    - CCA: protected-key option
+    - pkcsslotd: no longer run as root user and further hardening
+    - p11sak: Add support for additional key types (DH, DSA, generic secret)
+    - p11sak: Allow wildcards in label filter
+    - p11sak: Allow to specify hex value for CKA_ID attribute
+    - p11sak: Support sorting when listing keys
+    - p11sak: New commands: set-key-attr, copy-key to modify and copy keys
+    - p11sak: New commands: import-key, export-key to import and export keys
+    - Remove support for --disable-locks (transactional memory)
+    - Updates to harden against RSA timing attacks
+    - Bug fixes
+- Amended a patch to fit the version 3.21
+  * ocki-3.21-remove-make-install-chgrp.patch
+
 -------------------------------------------------------------------
 Thu Feb 16 13:22:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

--- a/openCryptoki.spec
+++ b/openCryptoki.spec
@ -26,20 +26,19 @@
 %define oc_cvs_tag opencryptoki

 Name:           openCryptoki
-Version:        3.20.0
+Version:        3.21.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
 Group:          Productivity/Security
 URL:            https://github.com/opencryptoki/opencryptoki
-# Source:         https://github.com/opencryptoki/%{oc_cvs_tag}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source:         https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        openCryptoki.pkcsslotd
 Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
-# Patch 1 is needed because group pkcs11 doesn't exist in the build environment
+# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch001:       ocki-3.20-remove-make-install-chgrp.patch
+Patch000:       ocki-3.21-remove-make-install-chgrp.patch
 #
 #
 BuildRequires:  bison
@ -56,6 +55,8 @@ BuildRequires:  trousers-devel
 BuildRequires:  pkgconfig(systemd)
 Requires(pre):  %{_sbindir}/groupadd
 Requires(pre):  %{_sbindir}/usermod
+###
+BuildRequires:  libcap-devel

 # IBM maintains openCryptoki on these architectures:
 ExclusiveArch:  %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
@ -130,7 +131,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).

 %prep
 # setup -q -n %{oc_cvs_tag}-%{version}
-%autosetup -p 1 -n %{oc_cvs_tag}-%{version}
+%autosetup -p 0 -n %{oc_cvs_tag}-%{version}

 cp %{SOURCE2} .

@ -235,8 +236,8 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
  # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/strength.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 %ifarch s390 s390x
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
@ -260,22 +261,22 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
  # State and lock directories
-%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki
+%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
 %ifarch s390 s390x
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
 %endif
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/icsf
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
 %ifarch s390 s390x
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
 %endif
-%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki/
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
 %{_mandir}/man*/*

 %files devel
@ -283,6 +284,8 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki/stdll
 %{_includedir}/opencryptoki
 %{_libdir}/pkgconfig/opencryptoki.pc
+###
+%{_sbindir}/pkcshsm_mk_change

 %ifarch %{openCryptoki_32bit_arch}
 %files 32bit