SHA256
1
0
forked from pool/openCryptoki
openCryptoki/openCryptoki.spec

334 lines
11 KiB
RPMSpec
Raw Normal View History

#
# spec file for package openCryptoki
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
# support in the workings for: ppc64
# no support in sight for: ia64
%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
%define pkcs11_group_id 64
%define oc_cvs_tag opencryptoki
Name: openCryptoki
Version: 3.21.0
Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0
Group: Productivity/Security
URL: https://github.com/opencryptoki/opencryptoki
Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: openCryptoki.pkcsslotd
Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-rpmlintrc
# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch000: ocki-3.21-remove-make-install-chgrp.patch
Accepting request 1063652 from home:ngueorguiev:branches:security - Added patch for compile errors * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch - Changed spec file to use %autosetup instead of %setup. - Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches: * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch * ocki-3.19.0-0014-EP11-Add-new-control-points.patch * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch OBS-URL: https://build.opensuse.org/request/show/1063652 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 16:45:43 +01:00
#
#
BuildRequires: bison
BuildRequires: dos2unix
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libitm1
BuildRequires: libtool
Accepting request 926834 from home:markkp:branches:security - Upgraded to version 3.17.0 (jsc#SLE-18326) * Removed the following obsolete patches: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch ocki-3.15.1-Fix-compiling-with-c.patch ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch - Added the following patches for bsc#1188879: * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch When modifying opencryptoki.conf during token migration, put quotes around strings that contain spaces, e.g. for the slot description and manufacturer. * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch When migrating a slot the opencryptoki.conf file is modified. If it contains slots that already contain the 'tokversion = x.y' keyword, this is accidentally removed when migrating another slot. * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch Change the code to use the pid file that pkcsslotd creates, and check if the process with the pid contained in the pid file still exists and runs pkcsslotd. * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch Always quote the value of 'description' and 'manufacturer'. Quote the value of 'stdll', 'confname', and 'tokname' if it contains spaces, and never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. OBS-URL: https://build.opensuse.org/request/show/926834 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=120
2021-10-21 22:48:47 +02:00
BuildRequires: libudev-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel >= 1.0
BuildRequires: pkgconfig
BuildRequires: trousers-devel
BuildRequires: pkgconfig(systemd)
Requires(pre): %{_sbindir}/groupadd
Requires(pre): %{_sbindir}/usermod
###
BuildRequires: libcap-devel
# IBM maintains openCryptoki on these architectures:
ExclusiveArch: %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
%{?systemd_requires}
%ifarch s390 s390x
BuildRequires: libica-devel
BuildRequires: libica-tools
%endif
%description
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%package devel
Summary: Development files for openCryptoki, a PKCS#11 implementation for IBM hardware
Group: Development/Languages/C and C++
Requires: glibc-devel
Requires: libopenssl-devel
Requires: openldap2-devel
Requires: trousers-devel
%ifarch s390 s390x
Requires: libica-devel
%endif
%description devel
The PKCS#11 version 2.01 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%ifarch %{openCryptoki_32bit_arch}
%package 32bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
Requires: openCryptoki
ExclusiveArch: %{openCryptoki_32bit_arch}
%description 32bit
This is a re-packaged binary rpm. For the package source, please look
for the source of the package without the "32bit" ending
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%endif
%ifarch %{openCryptoki_64bit_arch}
%package 64bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
Requires: openCryptoki
ExclusiveArch: %{openCryptoki_64bit_arch}
%description 64bit
This is a re-packaged binary rpm. For the package source, please look
for the source of the package without the "64bit" ending
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%endif
%prep
# setup -q -n %{oc_cvs_tag}-%{version}
%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
cp %{SOURCE2} .
%build
./bootstrap.sh
%configure --with-systemd=%{_unitdir} \
Accepting request 926834 from home:markkp:branches:security - Upgraded to version 3.17.0 (jsc#SLE-18326) * Removed the following obsolete patches: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch ocki-3.15.1-Fix-compiling-with-c.patch ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch - Added the following patches for bsc#1188879: * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch When modifying opencryptoki.conf during token migration, put quotes around strings that contain spaces, e.g. for the slot description and manufacturer. * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch When migrating a slot the opencryptoki.conf file is modified. If it contains slots that already contain the 'tokversion = x.y' keyword, this is accidentally removed when migrating another slot. * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch Change the code to use the pid file that pkcsslotd creates, and check if the process with the pid contained in the pid file still exists and runs pkcsslotd. * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch Always quote the value of 'description' and 'manufacturer'. Quote the value of 'stdll', 'confname', and 'tokname' if it contains spaces, and never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. OBS-URL: https://build.opensuse.org/request/show/926834 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=120
2021-10-21 22:48:47 +02:00
--with-libudev=yes \
--enable-tpmtok \
%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory
--enable-locks \
%endif
%ifarch s390 s390x
--enable-pkcsep11_migrate
%else
--disable-ccatok
%endif
make %{?_smp_mflags}
dos2unix doc/README.ep11_stdll
%install
%make_install
install -d %{buildroot}%{_includedir}
install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
install -d %{buildroot}%{_initddir}
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
rm -rf %{buildroot}/tmp
# Remove all development files
find %{buildroot} -type f -name "*.la" -delete -print
rm -f %{buildroot}%{_libdir}/opencryptoki/methods
%pre
%{service_add_pre pkcsslotd.service}
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
%{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true
%{_sbindir}/usermod -a -G pkcs11 root
%preun
%{service_del_preun pkcsslotd.service}
%post
# Symlink from /var/lib/opencryptoki to /etc/pkcs11
if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
cd %{_sysconfdir} && rm -rf pkcs11 && \
ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
fi
fi
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
%{service_add_post pkcsslotd.service}
%postun
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%{service_del_postun pkcsslotd.service}
%ifarch %{openCryptoki_32bit_arch}
%postun 32bit
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%{service_del_postun pkcsslotd.service}
%post 32bit
# Old library name links
cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
rm -rf %{_libdir}/pkcs11/stdll
test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
cd %{_prefix}/lib/pkcs11
ln -sf ../opencryptoki/stdll stdll
cd stdll
[ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true
[ -f libpkcs11_tpm.so ] && ln -sf ./libpkcs11_tpm.so PKCS11_TPM.so || true
[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
/sbin/ldconfig
%endif
%ifarch %{openCryptoki_64bit_arch}
%post 64bit
# Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only.
test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_API.so64
/sbin/ldconfig
%endif
%files
%doc openCryptoki-TFAQ.html FAQ
%doc doc/*
Accepting request 1008258 from home:markkp:branches:security - Upgrade to version 3.19.0 (jsc#PED-616) + openCryptoki 3.19 - CCA: check for expected master key verification patterns at token init - CCA: check master key verification pattern of created keys to be as expected - EP11: check for expected wrapping key verification pattern at token init - EP11: check wrapping key verification pattern of created keys to be as expected - p11sak/pkcsconf: display PKCS#11 URIs - p11sak: add support for IBM specific Dilithium keys - p11sak: allow to list keys filtered by label - common: add support for dual-function cryptographic functions - Add support for C_SessionCancel function (PKCS#11 v3.0) - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) - Bug fixes + openCryptoki 3.18 - Default to FIPS compliant token data format (tokversion = 3.12) - Add support for restricting usage of mechanisms and keys via a global policy - Add support for statistics counting of mechanism usage - ICA/EP11: Support libica version 4 - p11sak tool: Allow to set different attributes for public and private keys - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated version named ocki-3.19-remove-make-install-chgrp.patch to fit the current state of the source. - Removed the following obsolete patches: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch for bsc#1202106. One test of the gen_purpose test cases fails with C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. - Made the following changes for bsc#1199862 "Please install p11sak_defined_attrs.conf." * Replaced ocki-3.11-remove-make-install-chgrp.patch with ocki-3.17-remove-make-install-chgrp.patch to remove the "-g pkcs11" parameter from the install command in the Makefile * Updated the spec file to include /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file with the necessary permissions and group ownership. OBS-URL: https://build.opensuse.org/request/show/1008258 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124
2022-10-05 18:08:30 +02:00
%dir %{_datadir}/doc/opencryptoki
%{_datadir}/doc/opencryptoki/policy-example.conf
%{_datadir}/doc/opencryptoki/strength-example.conf
# configuration directory
%dir %{_sysconfdir}/opencryptoki
%config %{_sysconfdir}/opencryptoki/opencryptoki.conf
%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
%ifarch s390 s390x
Accepting request 1008258 from home:markkp:branches:security - Upgrade to version 3.19.0 (jsc#PED-616) + openCryptoki 3.19 - CCA: check for expected master key verification patterns at token init - CCA: check master key verification pattern of created keys to be as expected - EP11: check for expected wrapping key verification pattern at token init - EP11: check wrapping key verification pattern of created keys to be as expected - p11sak/pkcsconf: display PKCS#11 URIs - p11sak: add support for IBM specific Dilithium keys - p11sak: allow to list keys filtered by label - common: add support for dual-function cryptographic functions - Add support for C_SessionCancel function (PKCS#11 v3.0) - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) - Bug fixes + openCryptoki 3.18 - Default to FIPS compliant token data format (tokversion = 3.12) - Add support for restricting usage of mechanisms and keys via a global policy - Add support for statistics counting of mechanism usage - ICA/EP11: Support libica version 4 - p11sak tool: Allow to set different attributes for public and private keys - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated version named ocki-3.19-remove-make-install-chgrp.patch to fit the current state of the source. - Removed the following obsolete patches: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch for bsc#1202106. One test of the gen_purpose test cases fails with C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. - Made the following changes for bsc#1199862 "Please install p11sak_defined_attrs.conf." * Replaced ocki-3.11-remove-make-install-chgrp.patch with ocki-3.17-remove-make-install-chgrp.patch to remove the "-g pkcs11" parameter from the install command in the Makefile * Updated the spec file to include /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file with the necessary permissions and group ownership. OBS-URL: https://build.opensuse.org/request/show/1008258 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124
2022-10-05 18:08:30 +02:00
%config %{_sysconfdir}/opencryptoki/ccatok.conf
%config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
%config %{_sysconfdir}/opencryptoki/ep11tok.conf
%{_sbindir}/pkcsep11_migrate
%endif
%{_sbindir}/p11sak
%{_unitdir}/pkcsslotd.service
%{_tmpfilesdir}/opencryptoki.conf
%{_sbindir}/rcpkcsslotd
# utilities
%ifarch s390 s390x
%{_sbindir}/pkcsep11_session
%{_sbindir}/pkcscca
%endif
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsicsf
Accepting request 1008258 from home:markkp:branches:security - Upgrade to version 3.19.0 (jsc#PED-616) + openCryptoki 3.19 - CCA: check for expected master key verification patterns at token init - CCA: check master key verification pattern of created keys to be as expected - EP11: check for expected wrapping key verification pattern at token init - EP11: check wrapping key verification pattern of created keys to be as expected - p11sak/pkcsconf: display PKCS#11 URIs - p11sak: add support for IBM specific Dilithium keys - p11sak: allow to list keys filtered by label - common: add support for dual-function cryptographic functions - Add support for C_SessionCancel function (PKCS#11 v3.0) - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) - Bug fixes + openCryptoki 3.18 - Default to FIPS compliant token data format (tokversion = 3.12) - Add support for restricting usage of mechanisms and keys via a global policy - Add support for statistics counting of mechanism usage - ICA/EP11: Support libica version 4 - p11sak tool: Allow to set different attributes for public and private keys - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated version named ocki-3.19-remove-make-install-chgrp.patch to fit the current state of the source. - Removed the following obsolete patches: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch for bsc#1202106. One test of the gen_purpose test cases fails with C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. - Made the following changes for bsc#1199862 "Please install p11sak_defined_attrs.conf." * Replaced ocki-3.11-remove-make-install-chgrp.patch with ocki-3.17-remove-make-install-chgrp.patch to remove the "-g pkcs11" parameter from the install command in the Makefile * Updated the spec file to include /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file with the necessary permissions and group ownership. OBS-URL: https://build.opensuse.org/request/show/1008258 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124
2022-10-05 18:08:30 +02:00
%{_sbindir}/pkcsstats
%{_sbindir}/pkcstok_migrate
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
# State and lock directories
%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
%ifarch s390 s390x
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
%endif
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
%ifarch s390 s390x
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
%endif
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
%{_mandir}/man*/*
%files devel
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
%{_includedir}/opencryptoki
Accepting request 1008258 from home:markkp:branches:security - Upgrade to version 3.19.0 (jsc#PED-616) + openCryptoki 3.19 - CCA: check for expected master key verification patterns at token init - CCA: check master key verification pattern of created keys to be as expected - EP11: check for expected wrapping key verification pattern at token init - EP11: check wrapping key verification pattern of created keys to be as expected - p11sak/pkcsconf: display PKCS#11 URIs - p11sak: add support for IBM specific Dilithium keys - p11sak: allow to list keys filtered by label - common: add support for dual-function cryptographic functions - Add support for C_SessionCancel function (PKCS#11 v3.0) - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) - Bug fixes + openCryptoki 3.18 - Default to FIPS compliant token data format (tokversion = 3.12) - Add support for restricting usage of mechanisms and keys via a global policy - Add support for statistics counting of mechanism usage - ICA/EP11: Support libica version 4 - p11sak tool: Allow to set different attributes for public and private keys - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated version named ocki-3.19-remove-make-install-chgrp.patch to fit the current state of the source. - Removed the following obsolete patches: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch for bsc#1202106. One test of the gen_purpose test cases fails with C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. - Made the following changes for bsc#1199862 "Please install p11sak_defined_attrs.conf." * Replaced ocki-3.11-remove-make-install-chgrp.patch with ocki-3.17-remove-make-install-chgrp.patch to remove the "-g pkcs11" parameter from the install command in the Makefile * Updated the spec file to include /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file with the necessary permissions and group ownership. OBS-URL: https://build.opensuse.org/request/show/1008258 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124
2022-10-05 18:08:30 +02:00
%{_libdir}/pkgconfig/opencryptoki.pc
###
%{_sbindir}/pkcshsm_mk_change
%ifarch %{openCryptoki_32bit_arch}
%files 32bit
# these don't conflict because they only exist as 64bit binaries if
# there is no 32bit version of them usable
%{_libdir}/opencryptoki/libopencryptoki.so
%ghost %{_libdir}/opencryptoki/PKCS11_API.so
%{_libdir}/opencryptoki/*.0
%ifarch s390
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%endif
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%ifarch s390 s390x
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%endif
%{_libdir}/opencryptoki/stdll/*.0
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/pkcs11/stdll
%ghost %{_libdir}/pkcs11/methods
%{_libdir}/pkcs11/*.so
%{_sysconfdir}/ld.so.conf.d/*
%endif
%ifarch %{openCryptoki_64bit_arch}
%files 64bit
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/*.so
%{_libdir}/opencryptoki/*.0
%dir %{_libdir}/opencryptoki/stdll
%{_libdir}/opencryptoki/stdll/*.so
%{_libdir}/opencryptoki/stdll/*.0
%{_libdir}/pkcs11
%{_sysconfdir}/ld.so.conf.d/*
%endif
%changelog