pool/openCryptoki
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
..
compare: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2

1 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Adrian Schröter
c3bf64bbeb Sync changes to SLFO-1.2 branch 2025-08-20 09:58:19 +02:00
5 changed files with 46 additions and 89 deletions
Expand all files Collapse all files

4
ocki-3.26-remove-make-install-chgrp.patch → ocki-3.25-remove-make-install-chgrp.patch
View File

@@ -1,5 +1,5 @@
--- a/Makefile.am 2025-11-11 08:58:19.000000000 +0100
+++ b/Makefile.am 2025-11-12 10:21:00.563936369 +0100
--- a/Makefile.am 2025-06-10 08:52:39.000000000 +0200
+++ b/Makefile.am 2025-06-16 12:25:31.040661532 +0200
@@ -51,19 +51,9 @@
include doc/doc.mk

BIN
openCryptoki-3.25.0.tar.gz LFS Normal file
View File

Binary file not shown.

BIN
openCryptoki-3.26.0.tar.gz LFS
View File

Binary file not shown.

62
openCryptoki.changes
View File

@@ -1,50 +1,5 @@
-------------------------------------------------------------------
Thu Jan 8 10:14:17 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Modified the .spec file for Immutable Mode (jsc#PED-14798)
-------------------------------------------------------------------
Wed Nov 12 09:04:02 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to 3.26
* Soft: Add support for RSA keys up to 16K bits.
* CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
* p11sak: Add support for generating RSA keys up to 16K bits.
* Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
* Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
* p11sak: Add support for SHA-HMAC key types and key generation.
* p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping
with various key wrapping mechanism.
* p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
* p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
* Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
* EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
* p11sak: Add support for generating BLS12-381 EC keys.
* EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and
a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
* CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
* Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
* p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
* Bug fixes.
- Removed obsolete patches
* ocki-3.25-remove-make-install-chgrp.patch
* ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
- Applied a new patch for version 3.26
* ocki-3.26-remove-make-install-chgrp.patch
-------------------------------------------------------------------
Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1248002)
* ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
-------------------------------------------------------------------
Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
- Add riscv64 to openCryptoki_64bit_arch
-------------------------------------------------------------------
Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Mon Jul 7 15:12:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
* Updates/add supports
@@ -68,17 +23,17 @@ Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- ocki-3.24-remove-group-from-tests.patch
- ocki-3.24-remove-make-install-chgrp.patch
* Applied a new patch for version 3.25
- ocki-3.25-remove-make-install-chgrp.patch
* Bug fixes
- ocki-3.25-remove-make-install-chgrp.patch
* Bug fixes
-------------------------------------------------------------------
Wed Dec 11 07:25:11 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Wed Dec 11 07:35:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
(jsc#PED-10291, jsc#PED-10290)
- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
(jsc#PED-10291, jsc#PED-10290)
-------------------------------------------------------------------
Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Tue Dec 10 08:13:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
* Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
@@ -86,7 +41,7 @@ Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
-------------------------------------------------------------------
Thu Nov 21 10:42:00 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Mon Nov 25 11:42:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
- Improved handling of user/group. use existing user/group if they
@@ -1378,3 +1333,4 @@ Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
- initial version

63
openCryptoki.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package openCryptoki
#
# Copyright (c) 2026 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
# support in the workings for: ppc64
# no support in sight for: ia64
%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 riscv64
%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
%define pkcs11_group_id 64
@@ -27,7 +27,7 @@
%define oc_cvs_tag opencryptoki
Name: openCryptoki
Version: 3.26.0
Version: 3.25.0
Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0
@@ -39,7 +39,8 @@ Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-rpmlintrc
# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch000: ocki-3.26-remove-make-install-chgrp.patch
Patch000: ocki-3.25-remove-make-install-chgrp.patch
#
#
BuildRequires: bison
BuildRequires: dos2unix
@@ -169,25 +170,10 @@ dos2unix doc/README.ep11_stdll
%install
%make_install
install -d %{buildroot}%{_includedir}
# Move data templates from /var to /usr/share/opencryptoki for tmpfiles to use
install -d %{buildroot}%{_datadir}/opencryptoki/templates
install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
install -d %{buildroot}%{_initddir}
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
# Define the tmpfiles.d configuration
cat > %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf <<EOF
# Type Path Mode UID GID Age Argument
d /var/lib/opencryptoki 0755 root pkcs11 - -
d /var/lib/opencryptoki/swtok 0770 root pkcs11 - -
d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 - -
d /var/lib/opencryptoki/tpm 0770 root pkcs11 - -
d /var/lib/opencryptoki/icsf 0770 root pkcs11 - -
d /var/log/opencryptoki 0770 root pkcs11 - -
L+ /etc/pkcs11 - - - - /var/lib/opencryptoki
EOF
# Remove manual directory creation in %install that belongs in /var
rm -rf %{buildroot}%{_localstatedir}/lib/opencryptoki
rm -rf %{buildroot}%{_localstatedir}/log/opencryptoki
#
mkdir -p %{buildroot}%{_datadir}/opencryptoki
cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
@@ -212,13 +198,22 @@ getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs_group} -r p
%{service_del_preun pkcsslotd.service}
%post
# Use the systemd-tmpfiles macro to ensure directories are created on next boot/transaction
%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf
# Symlink from /var/lib/opencryptoki to /etc/pkcs11
if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
cd %{_sysconfdir} && rm -rf pkcs11 && \
ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
fi
fi
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
%{service_add_post pkcsslotd.service}
%postun
/sbin/ldconfig
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%{service_del_postun pkcsslotd.service}
%ifarch %{openCryptoki_32bit_arch}
@@ -286,6 +281,8 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%ifnarch i586
%config %{_sysconfdir}/opencryptoki/ccatok.conf
%{_sbindir}/pkcscca
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
%endif
%{_sbindir}/p11kmip
%{_sbindir}/pkcsslotd
@@ -297,12 +294,20 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
# State and lock directories
%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
%ifarch s390 s390x
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
%endif
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
%{_mandir}/man*/*
%{_sbindir}/pkcshsm_mk_change
#
%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
# Ensure we don't package files in /var directly
%ghost %dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
%files devel
%dir %{_libdir}/opencryptoki
@@ -321,10 +326,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%endif
%ifnarch i586
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%endif
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so