commit 5a473c25053b1d313258e6c4cc274e3bf4d734f0ab3f8acf70f29deafe6a0e1a Author: Nikolay Gueorguiev Date: Thu Jul 11 08:09:59 2024 +0000 - Updated the .spec file (bsc#1225876, bsc#1227280) * Amended for group %{pkcs_group} and user pkcsslotd * Copying example script files from /usr/share/doc/opencryptoki to /usr/share/opencryptoki (policy-example.conf and strength-example.conf) in case that there is 'rpm.install.excludedocs=yes' set in the zypper.conf(zypp.conf) OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=145
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/ocki-3.23-remove-make-install-chgrp.patch b/ocki-3.23-remove-make-install-chgrp.patch
new file mode 100644
index 0000000..b6a7d3a
--- /dev/null
+++ b/ocki-3.23-remove-make-install-chgrp.patch
@@ -0,0 +1,119 @@
+--- Makefile.am 2023-05-15 14:42:55.000000000 +0200
++++ Makefile-3.21.am 2023-05-25 17:13:36.266936832 +0200
+@@ -39,14 +39,9 @@
+ include doc/doc.mk
+
+ install-data-hook:
+- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
+- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+ $(MKDIR_P) $(DESTDIR)/run/opencryptoki/
+- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
+- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
+ $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
+ if ENABLE_LIBRARY
+ $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
+@@ -66,19 +61,15 @@
+ endif
+ if ENABLE_PKCSHSM_MK_CHANGE
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ endif
+ if ENABLE_CCATOK
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_cca.so PKCS11_CCA.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ccatok
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
+@@ -87,12 +78,9 @@
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_ep11.so PKCS11_EP11.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ep11tok
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
+@@ -100,30 +88,24 @@
+ endif
+ if ENABLE_P11SAK
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ endif
+ if ENABLE_ICATOK
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_ica.so PKCS11_ICA.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/lite
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/lite
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
+ endif
+ if ENABLE_SWTOK
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_sw.so PKCS11_SW.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/swtok
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
+ endif
+ if ENABLE_TPMTOK
+@@ -131,10 +113,8 @@
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_tpm.so PKCS11_TPM.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/tpm
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
+ endif
+ if ENABLE_ICSFTOK
+@@ -142,16 +122,14 @@
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
+ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/icsf
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
+ endif
+ if ENABLE_DAEMON
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ endif
+ $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
+ echo "$(libdir)/opencryptoki" >\
+@@ -162,7 +140,6 @@
+ @echo "Remember you must run ldconfig before using the above settings"
+ @echo "--------------------------------------------------------------"
+ $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+
+
diff --git a/openCryptoki-3.23.0.tar.gz b/openCryptoki-3.23.0.tar.gz
new file mode 100644
index 0000000..a786c37
--- /dev/null
+++ b/openCryptoki-3.23.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e106ae81650338151e14b4fd96bb7a4c2a18c17ffa1b81887a75e5a20113ff96
+size 1859821
diff --git a/openCryptoki-TFAQ.html b/openCryptoki-TFAQ.html
new file mode 100644
index 0000000..a80f4a8
--- /dev/null
+++ b/openCryptoki-TFAQ.html
@@ -0,0 +1,1320 @@
+ + + + + FV Test Plan Template + + + + + + + + + + + + + + + +
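Review bot: On the new `strength.conf` line in the ENABLE_DAEMON block, `-g $(pkcs_group)` is removed but `-o root` stays, and the trailing `|| true` hides any failure, so if `make install` runs as an unprivileged build user the ownership change would presumably fail and the file could be missing from the buildroot without any error. Dropping the owner flag and the error mask keeps the hook free of ownership changes and makes a failed copy visible: `test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf`. With every `$(CHGRP)` gone, the `0770` token, lock and log directories, the `0710` `/run/opencryptoki/` directory and the `0640` files `p11sak_defined_attrs.conf` and `strength.conf` receive their group only from the spec file, which is not shown here. Each of those paths therefore needs an explicit `%attr` entry naming the pkcs group in the spec, otherwise they keep the build-time owner and group and the group-restricted modes no longer express the intended access. The `install-data-hook` recipe starts and ends outside the inner hunks of this patch.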

Functional +Verification Test Plan for openCryptoki

+

 

+


 
 
  +

+

Version 0.2

+

08/15/2005
 
  +
  +

+

Owner: Michael A. Halcrow
mhalcrow@us.ibm.com
(512) +838-8096
11501 Burnet Rd Austin, TX 78758

+



 
  +

+
+ + + + +
+

It is the responsibility of the user of this document to + ensure that they are using the current version of this document.  + To validate that your copy of this document is at the latest + level, view the latest version of this document:   + <official document location or contact author/owner>

+
+
+
+

Document Control

+

Document Change Control

+

Initial Release: 0.1
Review +Frequency: At each major revision
Final Page Indicator: "End +of Document;" statement
Retention: Valid until superseded by +a new version/level. +

+

Reviewers/Approvers

+

<List +names of approver(s) and reviewer(s) – indicate next to name +approver or reviewer>

+

 Tom Lendacky – Reviewer

+

Emily Ratliff - Reviewer

+

Change Summary

+

+<List reviews of +this document : include review date, version reviewed, new version(if +needed),  reviewer(s),  approver(s)>

+ + + + + + + + +
+

Review Date

+
+

Version Reviewed

+
+

New Version (if needed)

+
+

Reviewer(s)

+
+

Approver(s)

+
+

 

+


  +

+

Table of Contents

+

I. +Introduction. +4

+

A. +References/Related Documents. +4

+

B. +LDP Items

+

C. +Hardware. +5

+

D. +Firmware. +5

+

E. +Limitations. +5

+

F. +General +5

+

G. +Past History. +5

+

II. +Test Plan Overview.. +5

+

A. +Additional Program Products. +5

+

B. +Test Approach and Methodology. +6

+

C. +System Operation. +6

+

D. +Performance. +6

+

E. +Standards Compliance. +7

+

F. +Stress. +7

+

G. +Regression. +7

+

H. +Ship Test +7

+

I. +Installation Documentation. +7

+

J. +Installation/Configuration Test +7

+

K. +Reliability, Availability, and Serviceability. +7

+

L. +Usability. +7

+

IV. +Quality Goals. +8

+

A. +Goals. +8

+

B. +Measurements. +8

+

V. +Status Information. +8

+

VI. +Testcase Descriptions. +9

+

A. +Naming Conventions. +9

+

B. +Testcase Location. +9

+

C. +Testcases description. +9

+

VII. +Functional Coverage Matrix. +9

+

VIII. +Approval Criteria. +10

+

End +of Document +10

+

 

+

I. +Introduction

+

A. +References/Related Documents

+

<List any documents or +references to LDP entries  covered in this plan OR used in +developing this plan>

+ + + + + + + + + + + +
+

Document/Reference + +

+
+

+ Version

+
+

+ Location

+
+

+  

+
+

+  

+
+

+  

+
+

 

+

B. LDP Items

+

<List LDP entries  covered in +this plan : include LDP  number, one-liner description, +product/package name that will include the LDP entry, and  +targeted release>

+ + + + + + + + + + + + + +
+

LDP

+

Number + (LDP) +

+
+

+ Description

+
+

+ Included in Product/Package

+
+

+ Targeted Kernel Release/Distro

+
+

+  31056

+
+

+ TCG: PKCS#11 usage of TPM: + openCryptoki future release 

+
+

+  openCryptoki

+
+

+ RHEL4 U3 

+
+

 

+

+1.      +End-Use Impact

+

<Identify/List +any  end-user impacts/benefits of this feature/LDP item(s)? +(i.e. performance,  new function allowing end-user to...,  +change in behavior of an existing function allowing end-user to ... +)>

+

+Allows users to access cryptographic +hardware through a PKCS#11 interface.

+

+2.      +Files (Design/Implementation +Details – New Section)

+

<Identify/List +any  files or code  impacted by OR are new for this +feature/LDP item(s)? (i.e.  list files, or directories)>

+

+/usr/lib/opencryptoki/

+

+/var/lib/opencryptoki/

+

+/etc/pkcs11

+

+3.      +Enablement

+

<Identify +how this feature/LDP item(s) is enabled. Is it automatically +enabled/default turned on?  If not, how would an end-user +enable/"turn on" this feature/LDP item?>

+

+openCryptoki is enabled by executing +an initialization script and then running /etc/init.d/pkcsslotd. +Applications link against libopencryptoki.a and make various calls +through the library.

+

+4.      +Parameters (Design/Implementation +Details – New Section)

+

<Are +there any  parameters that can be passed to any files or +commands in conjunction with this feature/LDP item?  If so, +please list all parameters and for each parameter (or provide access +to a man page/help)>

+

+See +opencryptoki/doc/openCryptoki-HOWTO.pdf in the source base for +documentation on openCryptoki application parameters.

+

5.      +Bugs/Defects

+

<Identify +how l issues/bugs/defects be tracked? (i.e. Notes +DB, Bugzilla, Bugzilla Family, Component, etc.) List +components.> +

+

 Bugs are +tracked via the Sourceforge bugzilla: +http://sourceforge.net/tracker/?group_id=128009&atid=710344

+

6.      +Targeted Code Completion

+

<Identify +targeted code completion date.> +

+

 05/31/2005

+

+C. Hardware

+

<Identify/List supported +hardware architectures/platforms for this feature/LDP item? (i.e.  +common/architecture neutral, xSeries, pSeries, zSeries, iSeries, +Power5 only, etc..)> +

+

i386, ppc, ppc64, +s390, s390x.

+

+D. Firmware

+

<Identify/List supported/required +firmware for this feature/LDP item?> +

+

N/A

+

+E. Limitations

+

< List +any known limitations or restrictions of this feature.> +

+

N/A

+

+F. General

+

<Identify/List any other “general” +dependencies not covered above that are required to support this +feature/LDP item.> +

+

Some hardware accelerators will be +required to test specific openCryptoki STDLL's or OpenSSL will be +required to test the software STDLL. For the ICA s390 token, VICOM +emulation of certain instructions (e.g., SHA-256 or AES) will need to +be enabled.

+

+G. Past History

+

<If available, describe any past +history relating to LDP items and/or components: customer problems, +error prone areas, and any strengths/weaknesses of previous testing.>

+

Weaknesses in +testing: although testcases exist, some of them may be token specific +and therefor require updating. There is work currently in plan for +2005 to resolve this issue.

+

+

+II. Test Plan Overview

+

<Describe test goals, objectives, level of testing and scope +of this plan in relation to the LDP item(s) covered.>

+

The goals of the current tests available are to test the PKCS#11 +API and also the functionality of specific tokens (STDLL files).

+

A. +Additional Program Products

+

<Identify/List +software/products required to perform the tests covered in this plan +– be sure to list the product/package that includes the LDP +item(s)>

+ + + + + + + + + + + + + + +
+

Software/Product + Name  +

+
+

+ Description

+
+

+ Level/Version

+
+

+  OpenSSL

+
+

+  SSL and crypto libraries

+
+

+ 0.9.8+ 

+
+

B. Test +Approach and Methodology

+

<Document the test approach and +methodology to be used.>

+

Manually, by running +individual test cases included in the openCryptoki tarball.

+

C. System +Operation

+

<Document verification methods used +for hardware and software configurations/combinations.> +

+

Assume RHEL4+/s390/s390x or +SLES9+/i386/ppc/ppc64/s390/s390x

+

rpm -q openCryptoki succeeds

+

rpm -q openCryptoki-32/64bit succeeds

+

D. +Performance

+

< If applicable, document +verification methods used to determine performance equal to or better +than existing configurations.>

+

N/A

+

E. Standards +Compliance

+

<If applicable, identify applicable +test suites (SBLIM, GNU Automake, etc) to be run to verify standards +compliance.>

+

N/A

+

F. Stress

+

<If applicable, describe stress +testing to be done on the product to verify robustness during high +system and possibly network usage.  Include target length of +test and expected/acceptable breaking point>

+

N/A

+

G. Regression

+

<Identify/List a set of tests from +current and proposed set of testcases to be used during regression +testing.> +

+

The following directories under +testcases/ contain tests that should be run during regression +testing:

+ +

H. Ship Test

+

<Identify/List +a set of tests from current and proposed set of testcases to be used +during ship/final testing.> +

+

The following directories under +testcases/ contain tests that should be run prior to shipping:

+ + +

I. Installation Documentation

+

<If applicable, describe how +installation INSTRUCTIONS/DOCUMENTATION  will be verified for +the product/package containing the LDP item(s) covered in this +plan.   These instructions may be contained in README files +shipped with the software.>

+

The instructions for installing the +package are in the README and INSTALL files contained within the +package tarball.

+

J. +Installation/Configuration Test

+

<If applicable, describe the +various configurations/combinations to be used during the +installation and configuration verification tasks of  LDP +item(s) covered in this plan.> +

+

N/A

+

K. Reliability, Availability, and +Serviceability

+

<If applicable, describe the RAS +goals of the LDP item(s) covered in this plan and how these will be +verified.>

+

N/A

+

L. Usability

+

<If applicable, describe how +usability of the LDP item(s) covered in this plan will be verified.>

+

N/A

+

IV. +Quality Goals

+

A. Goals

+

<Identify the quality goals of this +plan.> +

+
    +
  1. Runs stably under load (multiple applications concurrently + making PKCS#11 calls through the openCryptoki library).

    +
  2. Provides PKCS#11 interface to an application.

    +
+

B. +Measurements

+

<What measurement methods will be +used to track goals?>. +

+

Correct operation is measured via the +tests found in the testcases/ directory.

+

V. Status +Information

+

<The following information will need to be collected and +stored on a regular basis until the execution of this  plan is +completed. Identify here the location of this stored information +(could  be tracked by project management) and how frequently it +will be updated.

+

 NOTE: Some testcases my be logged by hours of successful +test execution – which is ok.>

+

 

+

SUMMARY:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ Planned Number of Testcases : #

+
+

+  

+
+

+  

+
+

+  

+
+

+  

+
+

+ Date

+
+

+ Number of Testcases

+

+ Written +

+

+ (% of planned)

+
+

+ Number of Testcases

+

+ Executed +

+

+ (% of written)

+
+

+ Number of Testcases Successful +

+

+ (% of executed)

+
+

+ Defects Open/Active +

+

+ (newest -> oldest)

+
+

+  8/15/2005

+
+

+ 100 

+
+

+ 100 

+
+

+ 100 

+
+

+  

+
+

 

+

DETAILS: <List uncompleted work/testcases first>

+ + + + + + + + + + + + + + + + + + + + + + + + +
+

+  

+
+

+  

+
+

+ Execution Status

+
+

+ Testcase/Testsuite

+
+

+ Written/

+

+ Coded?

+

+ (mm/dd/yy)

+
+

+ Operating System/Distro +

+
+

+ Platform/ +

+

+ Hardware Model w/ +

+

+ Firmware Levels

+
+

+ Dependent Software Product Levels

+
+

+ Pass/Fail

+
+

+ Defects Open/Active +

+

+ (newest -> oldest)

+
+

+  testcases/ suite

+
+

+ 8/15/2005 

+
+

+ all 

+
+

+ x86, ppc, ppc64, s390, s390x 

+
+

+ SLES9 SP2, RHEL 4 U3 

+
+

+ Pass 

+
+

+  

+
+

 

+

VI. +Testcase Descriptions

+

A. Naming +Conventions

+

<If applicable, describe any name +conventions used for the testcases.>

+

N/A

+

B. Testcase Location

+

<Indicate the location/storage of +these test cases.>

+

The tests are +included in the package tarball under the testcases/ directory.

+

C. Testcases description

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Name of + testcase

+
+

What it + tests +

+
+

Expected + result

+
+

 speed

+
+

The implementation of many + different algorithms .

+
+

 Success.

+
+

 driver

+
+

The implementation of many + different algorithms . 

+
+

Success. 

+
+

v2.11

+
+

Implementation of AES test.

+
+

Success.

+
+

oc-digest

+
+

Implementation of hash + function tests.

+
+

Success.

+
+

VII. Functional +Coverage Matrix

+

This table describes the functional coverage of the test suite(s). +For each new or modified testcase, it shows the associated list of +assertions, whether or not the test case is automated, and whether or +not the test case is suitable for a lasting regression test suite. +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Testcase

+
+

Automated?

+
+

Include in Regression?

+
+

<test case name>

+
+

<Y/N>

+
+

<Y/N>

+
+
    +
  1. <assertion 1> +

    +
  2. <assertion 2> +

    +
  3. <assertion 3> +

    +
+

n.   <assertion n>

+

 

+
+

speed

+
+

N

+
+

Y

+
+

For each slot reported by +

+

$ pkcsconf -s

+
    +
  1. run “speed -slot N” [ Where + N is the slot number]

    +


    Verify that the test succeeded.

    +
+
+

driver

+
+

N

+
+

Y

+
+

For each slot reported by +

+

$ pkcsconf -s

+

1. run “driver -slot N” [ Where + N is the slot number]

+
    +


    Verify that the test succeeded.

    +
+
+

v2.11

+
+

N

+
+

Y

+
+

For each slot reported by +

+

$ pkcsconf -s

+

1. run “aes_func -slot N” [ + Where N is the slot number]

+
    +


    Verify that the test succeeded.

    +
+
+

oc-digest

+
+

N

+
+

Y

+
+

For each slot reported by +

+

$ pkcsconf -s

+

1. run “ocdigest -slot N -t + [digest] [filename] ” [ Where N is the slot number, digest is + the digest to test (i.e., md5, sha1, or sha256), and filename is + the name of the file containing the contents to hash]

+
    +


    Verify that the test succeeded.

    +
+
+

VIII. Approval Criteria

+

<Explicitly identify the approval criteria for the test case +execution results.>

+

FV exit criteria: +

+ +

End of Document

+ +
\ No newline at end of file
diff --git a/openCryptoki-rpmlintrc b/openCryptoki-rpmlintrc
new file mode 100644
index 0000000..761c90c
--- /dev/null
+++ b/openCryptoki-rpmlintrc
@@ -0,0 +1 @@
+addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki")
diff --git a/openCryptoki.changes b/openCryptoki.changes
new file mode 100644
index 0000000..b15c98a
--- /dev/null
+++ b/openCryptoki.changes
@@ -0,0 +1,1237 @@ +------------------------------------------------------------------- +Thu Jul 11 07:57:25 UTC 2024 - Nikolay Gueorguiev + +- Updated the .spec file (bsc#1225876, bsc#1227280) + * Amended for group %{pkcs_group} and user pkcsslotd + * Copying example script files from /usr/share/doc/opencryptoki to + /usr/share/opencryptoki (policy-example.conf and strength-example.conf) + in case that there is 'rpm.install.excludedocs=yes' set in the + zypper.conf(zypp.conf) + +------------------------------------------------------------------- +Wed Feb 7 07:27:00 UTC 2024 - Nikolay Gueorguiev + +- Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361) + * EP11: Add support for FIPS-session mode + * Updates to harden against RSA timing attacks + * Bug fixes +- Renamed ocki-3.22-remove-make-install-chgrp.patch to + ocki-3.23-remove-make-install-chgrp.patch + +------------------------------------------------------------------- +Mon Feb 5 08:59:37 UTC 2024 - Marcus Meissner + +- provide user(pkcs11) and group(pkcs11) + +------------------------------------------------------------------- +Mon Dec 4 13:40:57 UTC 2023 - Nikolay Gueorguiev + +- Amended the .spec file for pkcsslotd (jsc#1217703) + * Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to + ocki-3.22-remove-make-install-chgrp.patch +------------------------------------------------------------------- +Thu Sep 21 10:55:56 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 3.22 (jsc#PED-3361) + * openCryptoki 3.22 + - CCA: Add support for the AES-XTS key type using CPACF protected keys + - p11sak: Add support for managing certificate objects + - p11sak: Add support for public sessions (no-login option) + - p11sak: Add support for logging in as SO (security Officer) + - p11sak: Add support for importing/exporting Edwards and Montgomery keys + - p11sak: Add support for importing of RSA-PSS keys and certificates + - CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are 
different + * Bug fixes + +------------------------------------------------------------------- +Fri May 26 06:55:10 UTC 2023 - Nikolay Gueorguiev + +- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361) + * openCryptoki 3.21 + - EP11 and CCA: Support concurrent HSM master key changes + - CCA: protected-key option + - pkcsslotd: no longer run as root user and further hardening + - p11sak: Add support for additional key types (DH, DSA, generic secret) + - p11sak: Allow wildcards in label filter + - p11sak: Allow to specify hex value for CKA_ID attribute + - p11sak: Support sorting when listing keys + - p11sak: New commands: set-key-attr, copy-key to modify and copy keys + - p11sak: New commands: import-key, export-key to import and export keys + - Remove support for --disable-locks (transactional memory) + - Updates to harden against RSA timing attacks + - Bug fixes +- Amended a new patch to fit the version 3.21 + * ocki-3.21-remove-make-install-chgrp.patch +- Removed the old patch for the version 3.20 + * ocki-3.20-remove-make-install-chgrp.patch + +------------------------------------------------------------------- +Thu Feb 16 13:22:45 UTC 2023 - Nikolay Gueorguiev + +- Updated package to openCryptoki 3.20 (jsc#PED-2870) +- Removed the following obsolite patches: + * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch + * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch + * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch + * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch + * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch + * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch + * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch + * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch + * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch + * 
ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch + * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch + * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch + * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch + * ocki-3.19.0-0014-EP11-Add-new-control-points.patch + * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch + * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch + * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch + * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch + * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch + * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch + * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch + * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch + * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch + * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch + * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch + * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch + * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch + * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch + * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch + * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch + * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch + * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch + * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch + * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch + * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch +- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of + the package and renamed it to 
ocki-3.20-remove-make-install-chgrp.patch. + +------------------------------------------------------------------- +Tue Feb 7 10:08:45 UTC 2023 - Nikolay Gueorguiev + +- Added patch for compile errors + * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch +-- Changed spec file to use %autosetup instead of %setup. + + +------------------------------------------------------------------- +Mon Feb 6 15:43:47 UTC 2023 - Nikolay Gueorguiev + +- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the + following patches: + * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch + * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch + * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch + * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch + * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch + * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch + * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch + * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch + * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch + * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch + * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch + * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch + * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch + * ocki-3.19.0-0014-EP11-Add-new-control-points.patch + * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch + * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch + * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch + * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch + * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch + * 
ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch + * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch + * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch + * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch + * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch + * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch + * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch + * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch + * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch + * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch + * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch + * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch + * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch + * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch + * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch + +------------------------------------------------------------------- +Mon Nov 28 16:24:11 UTC 2022 - Mark Post + +- Updated spec file to set permissions on /etc/opencryptoki/strength.conf + to be owned by root:pkcs11 with permissions of 640. 
(bsc#1205566) + +------------------------------------------------------------------- +Fri Sep 30 19:14:38 UTC 2022 - Mark Post + +- Upgrade to version 3.19.0 (jsc#PED-616) + + openCryptoki 3.19 + - CCA: check for expected master key verification patterns at token init + - CCA: check master key verification pattern of created keys to be as expected + - EP11: check for expected wrapping key verification pattern at token init + - EP11: check wrapping key verification pattern of created keys to be as expected + - p11sak/pkcsconf: display PKCS#11 URIs + - p11sak: add support for IBM specific Dilithium keys + - p11sak: allow to list keys filtered by label + - common: add support for dual-function cryptographic functions + - Add support for C_SessionCancel function (PKCS#11 v3.0) + - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) + - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) + - Bug fixes + + openCryptoki 3.18 + - Default to FIPS compliant token data format (tokversion = 3.12) + - Add support for restricting usage of mechanisms and keys via a global policy + - Add support for statistics counting of mechanism usage + - ICA/EP11: Support libica version 4 + - p11sak tool: Allow to set different attributes for public and private keys +- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated + version named ocki-3.19-remove-make-install-chgrp.patch to fit + the current state of the source. +- Removed the following obsolete patches: + openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch + openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch + ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch + +------------------------------------------------------------------- +Wed Aug 10 16:34:10 UTC 2022 - Mark Post + +- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch + for bsc#1202106. 
One test of the gen_purpose test cases fails with + C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. + +------------------------------------------------------------------- +Thu Jun 2 16:21:54 UTC 2022 - Mark Post + +- Made the following changes for bsc#1199862 "Please install + p11sak_defined_attrs.conf." + * Replaced ocki-3.11-remove-make-install-chgrp.patch with + ocki-3.17-remove-make-install-chgrp.patch to remove the + "-g pkcs11" parameter from the install command in the Makefile + * Updated the spec file to include + /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file + with the necessary permissions and group ownership. + +------------------------------------------------------------------- +Wed Mar 23 15:32:25 UTC 2022 - Mark Post + +- Added the following two patches for bac#1197395. The CKM_IBM_DILITHIUM + mechanism does not show up as supported by the EP11 token when an + upgraded EP11 host library is used. + * openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch + * openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch + +------------------------------------------------------------------- +Thu Oct 21 19:31:51 UTC 2021 - Mark Post + +- Upgraded to version 3.17.0 (jsc#SLE-18326) + + openCryptoki 3.17 + - tools: added function to list keys to p11sak + - common: added support for OpenSSL 3.0 + - common: added support for event notifications + - ICA: added SW fallbacks + * openCryptoki 3.16 + - EP11: protected-key option + - EP11: support attribute-bound keys + - CCA: import and export of secure key objects + - Bug fixes +- Removed the following obsolete patches: + ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch + ocki-3.15.1-Fix-compiling-with-c.patch + ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch + ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch + 
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch + ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch + ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch + ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch + ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch + ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch + ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch + ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + +------------------------------------------------------------------- +Thu Aug 5 20:33:40 UTC 2021 - Mark Post + +- Added the following patches for bsc#1188879: + * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch + When modifying opencryptoki.conf during token migration, put quotes + around strings that contain spaces, e.g. for the slot description and + manufacturer. + * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch + When migrating a slot the opencryptoki.conf file is modified. If it + contains slots that already contain the 'tokversion = x.y' keyword, + this is accidentally removed when migrating another slot. + * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch + Change the code to use the pid file that pkcsslotd creates, and check + if the process with the pid contained in the pid file still exists and + runs pkcsslotd. + * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + Always quote the value of 'description' and 'manufacturer'. Quote the + value of 'stdll', 'confname', and 'tokname' if it contains spaces, and + never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. 
+ +------------------------------------------------------------------- +Tue Jun 22 14:47:36 UTC 2021 - Mark Post + +- Added the following patches for bsc#1182726 " p11sak list-key segfault" + * ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch + Added NULL pointer to avoid double free() for the list-key and + remove-key commands. + * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch + Note that two hunks that were unrelated to fixing the running + code were removed from this patch. + * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch + +------------------------------------------------------------------- +Tue Jun 15 18:17:48 UTC 2021 - Mark Post + +- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch + When constructing an OpenSSL EC public or private key from PKCS#11 + attributes or ECDH public data, check that the key is valid, i.e. that + the point is on the curve. + (bsc#1185976) + +------------------------------------------------------------------- +Tue Feb 16 19:52:55 UTC 2021 - Mark Post + +- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch + (bsc#1182120) + Fix pkcscca migration fails with usr/sb2 is not a valid slot ID +- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch + (bsc#1182190) + Fix a segmentation fault of the sess_opstate test on the Soft Token + +------------------------------------------------------------------- +Mon Jan 25 20:23:12 UTC 2021 - Mark Post + +- Added the following patches for bsc#1179319 + * Fix compiling with C++: + ocki-3.15.1-Fix-compiling-with-c.patch + * Added error message handling for p11sak remove-key command. 
+ ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch + +------------------------------------------------------------------- +Thu Jan 21 13:34:51 UTC 2021 - Thorsten Kukuk + +- Don't require pwdutils for build, dropped long ago and not needed + +------------------------------------------------------------------- +Wed Oct 21 22:28:16 UTC 2020 - Mark Post + +- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666, + jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714, + jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786) + * openCryptoki 3.15.1 + - Bug fixes + * openCryptoki 3.15.0 + - common: conform to PKCS 11 3.0 Baseline Provider profile + - Introduce new vendor defined interface named "Vendor IBM" + - Support C_IBM_ReencryptSingle via "Vendor IBM" interface + - CCA: support key wrapping + - SOFT: support ECC + - p11sak tool: add remove-key command + - Bug fixes + * openCryptoki 3.14.0 + - EP11: Dilitium support stage 2 + - Common: Rework on process and thread locking + - Common: Rework on btree and object locking + - ICSF: minor fixes + - TPM, ICA, ICSF: support multiple token instances + - new tool p11sak + * openCryptoki 3.13.0 + - EP11: Dilithium support + - EP11: EdDSA support + - EP11: support RSA-OAEP with non-SHA1 hash and MGF +- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch + +------------------------------------------------------------------- +Mon Jan 6 19:25:16 UTC 2020 - Mark Post + +- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114) + The EP11 token may fail to import an ECC public key. Function + C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case. 
+ +------------------------------------------------------------------- +Mon Dec 2 21:29:35 UTC 2019 - Mark Post + +- Upgraded to version 3.12.1 (bsc#1157863) + * Fix pkcsep11_migrate tool + +------------------------------------------------------------------- +Tue Nov 12 04:26:21 UTC 2019 - Mark Post + +- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918) + * Update token pin and data store encryption for soft,ica,cca and ep11 + * EP11: Allow importing of compressed EC public keys + * EP11: Add support for the CMAC mechanisms + * EP11: Add support for the IBM-SHA3 mechanisms + * SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token + * ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token + * EP11: Add config option USE_PRANDOM + * CCA: Use Random Number Generate Long for token_specific_rng() + * Common rng function: Prefer /dev/prandom over /dev/urandom + * ICA: add SHA*_RSA_PKCS_PSS mechanisms + * Bug fixes +- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch + +------------------------------------------------------------------- +Thu Oct 10 14:56:01 UTC 2019 - Mark Post + +- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch + (bsc#1152015) + Add support for new IBM crypto card. + +------------------------------------------------------------------- +Tue Sep 3 23:02:38 UTC 2019 - Mark Post + +- Upgraded to version 3.11.1 (Fate#327837) + Bug fixes. +- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch + +------------------------------------------------------------------- +Fri Feb 15 05:22:55 UTC 2019 - mpost@suse.com + +- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch + (bsc#1123988) + +------------------------------------------------------------------- +Fri Nov 30 00:04:41 UTC 2018 - Jan Engelhardt + +- Do not ignore errors from groupadd. If groupadd fails, + installation ought not to proceed because files would have the + wrong ownership. 
+ +------------------------------------------------------------------- +Thu Nov 29 22:45:36 UTC 2018 - mpost@suse.com + +- Don't hide error messages from the groupadd command. To eliminate + a potentially common one, check to see if the pkcs11 group is + already defined before trying to add it. +- Update the summary for the -devel package. +- Changed several PreReq entries to Requires(pre) as a result of + the output from spec-cleaner. Removed a couple of obsolete lines. +- Removed obsolete check for whether systemd is in use or not. + +------------------------------------------------------------------- +Fri Nov 16 15:00:52 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.11.0 (Fate#325685) + * opencryptoki 3.11.0 + EP11 enhancements + A lot of bug fixes +- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply + properly to 3.11, and renamed it to + ocki-3.11-remove-make-install-chgrp.patch +- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch + +------------------------------------------------------------------- +Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.10.0 (Fate#325685) + * opencryptoki 3.10.0 + Add support to ECC on ICA token and to common code. + Add SHA224 support to SOFT token. + Improve pkcsslotd logging. + Fix sha512_hmac_sign and rsa_x509_verify for ICA token. + Fix tracing of session id. + Fix and improve testcases. + Fix spec file permission for log directory. + Fix build warnings. + * opencryptoki 3.9.0 + Fix token reinitialization + Fix conditional man pages + EP11 enhancements + EP11 EC Key import + Increase RSA max key length + Fix broken links on documentation + Define CK_FALSE and CK_TRUE macros + Improve build flags +- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch +- Made multiple changes to the spec file based on spec-cleaner output. 
+- Added an rpmlintrc file to squelch warnings about adding ghost + entries for files under /var/lock/opencryptoki/ + +------------------------------------------------------------------- +Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com + +- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch + (bsc#1086678) + +------------------------------------------------------------------- +Fri Mar 9 19:25:51 UTC 2018 - mpost@suse.com + +- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617) + +------------------------------------------------------------------- +Thu Nov 30 23:36:39 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.8.2 (fate#323295, bsc#1066412) + * v3.8.2 + Update man pages. + Improve ock_tests for parallel execution. + Fix FindObjectsInit for hidden HW-feature. + Fix to allow vendor defined hardware features. + Fix unresolved symbols. + Fix tracing. + Code/project cleanup. + * v3.8.1 + Fix TPM data-structure reset function. + Fix error message when dlsym fails. + Update configure.ac + Update travis. + * v3.8.0 + Multi token instance feature. + Added possibility to run opencryptoki with transactional memory or locks + (--enable-locks on configure step). + Updated documentation. + Fix segfault on ec_test. + Bunch of small fixes. + +------------------------------------------------------------------- +Wed May 31 19:54:31 UTC 2017 - mpost@suse.com + +- Removed ARM architectures from the build list until gcc6 becomes + available for SLES. (bsc#1039510). + +------------------------------------------------------------------- +Fri May 12 08:46:14 UTC 2017 - mpost@suse.com + +- Updated to version 3.7.0 (Fate#321451) (bsc#1036640) + - Update example spec file + - Performance improvement. Moving from mutexes to transactional memory. + - Add ECDSA SHA2 support for EP11 and CCA. + - Fix declaration of inline functions. + - Fix wrong testcase and ber en/decoding for integers. + - Check for 'flex' and 'YACC' on configure. 
+ - EP11 config file rework. + - Add enable-debug on travis build. + - Add testcase for C_GetOperationState/C_SetOperationState. + - Upgrade License to CPL-1.0 + - Ica token: fix openssh/ibmpkcs11 engine/libica crash. + - Fix segfault and logic in hardware feature test. + - Fix spelling of documentation and manuals. + - Fix the retrieval of p from a generated rsa key. + - Coverity scan fixes - incompatible pointer type and unused variables. + +------------------------------------------------------------------- +Tue Apr 11 17:59:42 UTC 2017 - mpost@suse.com + +- Added libica-tools to the BuildRequires due to repackaging of libica. + +------------------------------------------------------------------- +Mon Mar 20 21:51:54 UTC 2017 - mpost@suse.com + +- Modified the spec file + - Changed libca3-devel BuildRequires to just libica-devel + - Check for systemd in the 32bit postun scriptlet. + +------------------------------------------------------------------- +Mon Feb 20 19:48:33 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.6.2 (fate#321451) + - Support OpenSSL-1.1. + - Add Travis CI support. + - Update autotools scripts and documentation. + - Fix SegFault when a invalid session handle is passed in + SC_EncryptUpdate and SC_DecryptUpdate. +- Updated spec file to use libica3-devel instead of libica2-devel. + +------------------------------------------------------------------- +Tue Jan 17 17:12:30 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.6.1 (fate#321451) + - opencryptoki 3.6.1 + - Fix SOFT token implementation of digest functions. + - Replace deprecated OpenSSL interfaces. + + - opencryptoki 3.6 + - Replace deprecated libica interfaces. + - Performance improvement for ICA. + - Improvement in documentation on system resources. + - Improvement in testcases. + - Added support for rc=8, reasoncode=2028 in icsf token. + - Fix for session handle not set in session issue. + - Multiple fixes for lock and log directories. 
+ - Downgraded a syslog error to warning. + - Multiple fixes based on coverity scan results. + - Added pkcs11 mapping for icsf reason code 72 for return code 8. + + - opencryptoki 3.5.1 + - Fix Illegal Intruction on pkcscca tool. + + - Removed the following obsolete patches: + - ocki-3.5-sanity-checking.patch + - ocki-3.5-icsf-reasoncode72-support.patch + - ocki-3.5-downgrade-syslogerror.patch + - ocki-3.5-icsf-sessionhandle-missing-fix.patch + - ocki-3.5-icsf-reasoncode-2028-added.patch + - ocki-3.5-added-NULLreturn-check.patch + - ocki-3.5-create-missing-tpm-token-lock-directory.patch + - ocki-3.5-fix-pkcscca-calls.patch + +------------------------------------------------------------------- +Mon Oct 31 14:19:17 UTC 2016 - jjolly@suse.com + +- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081) + +------------------------------------------------------------------- +Thu Sep 1 17:06:45 UTC 2016 - mpost@suse.com + +- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867). + +------------------------------------------------------------------- +Fri Jul 29 17:32:24 UTC 2016 - mpost@suse.com + +- Added %doc FAQ to the spec file (bsc#991168). + +------------------------------------------------------------------- +Tue Jul 19 17:07:16 UTC 2016 - mpost@suse.com + +- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch + (bsc#989602). + +------------------------------------------------------------------- +Fri Jul 8 18:06:42 UTC 2016 - mpost@suse.com + +- Added the following patches (bsc#986854) + - ocki-3.5-icsf-reasoncode72-support.patch + - ocki-3.5-icsf-coverity-memoryleakfix.patch + - ocki-3.5-downgrade-syslogerror.patch + - ocki-3.5-icsf-sessionhandle-missing-fix.patch + - ocki-3.5-icsf-reasoncode-2028-added.patch + - ocki-3.5-added-NULLreturn-check.patch + +------------------------------------------------------------------- +Mon Jun 13 20:17:04 UTC 2016 - mpost@suse.com + +- Added ocki-3.5-sanity-checking.patch (bsc#983496). 
+- Added %dir entry for %{_localstatedir}/log/opencryptoki/ + (bsc#983990) + +------------------------------------------------------------------- +Wed May 25 21:23:29 UTC 2016 - mpost@suse.com + +- Upgraded to openCryptoki 3.5 (bsc#978005). + - Full Coverity scan fixes. + - Fixes for compiler warnings. + - Added support for C_GetObjectSize in icsf token. + - Various bug fixes and memory leak fixes. + - Removed global read permissions from token files + - Added missing PKCS#11v2.2 constants. + - Fix for symbol resolution issue seen in Fedora 22 and 23 for + ep11 and cca tokens. + - Improvements in socket read operation when a token comes up. + - Replaced 32 bit CCA API declarations with latest header from + version 5.0 libsculcca rpm. + +------------------------------------------------------------------- +Thu Apr 14 01:47:08 UTC 2016 - mpost@suse.com + +- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938). +- Changed BuildRequires for libica_2_3_0-devel to libica2-devel. +- Changed BuildRequires for openssl-devel to specify >= 1.0 + Contrary to what the README says, version 0.9.7 isn't + sufficient. +- Removed the redundant DESTDIR= parameter from the %make_install +- Removed the following obsolete patches + opencryptoki-run-lock.patch (/var/lock and run/lock are actually the + same place) Also reverted the changed to openCryptoki-tmp.conf to match. 
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch + ocki-3.1-fix-implicit-decl.patch + ocki-3.1-fix-init_d-path.patch + ocki-3.1-fix-libica-link.patch + ocki-3.2_01_fix-return-type-error.patch + ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch + ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch + ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch + ocki-3.2_05_icsf_ldap_handles.patch + ocki-3.2_06_icsf_sign_verify.patch + +- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to + ocki-3.1-remove-make-install-chgrp.patch + +------------------------------------------------------------------- +Fri Nov 6 14:00:42 UTC 2015 - jjolly@suse.com + +- Get a new ldap handle for each session opened in the icsf token, + once the user has authenticated. (bsc#953347,LTC#130078) + - ocki-3.2_05_icsf_ldap_handles.patch + - ocki-3.2_06_icsf_sign_verify.patch + +------------------------------------------------------------------- +Fri Oct 2 04:05:45 UTC 2015 - jjolly@suse.com + +- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070) +- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch + - Fixed two public key object inclusion in EP11 token (bsc#946808) +- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch + - Fixed GPF when calling C_SignUpdate using ICFS toekn (bsc#946172) +- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch + - Fixed failure to import ECDSA because of lack of attribute (bsc#948114) + +------------------------------------------------------------------- +Thu Aug 20 00:49:21 UTC 2015 - jjolly@suse.com + +- Fixed BuildRequires: libica2-devel +- Added ocki-3.2_01_fix-return-type-error.patch +- Changing doc/README.ep11_stdll to unix-style EOL + - Added BuildRequires: dos2unix +- Removed globbing in %files and specified libraries to include (bsc#942162) + 
+------------------------------------------------------------------- +Tue Aug 18 02:50:08 UTC 2015 - jjolly@suse.com + +- Updated to openCryptoki v3.2 (FATE#318240) +- Removed unnecessary patches: + - ocki-3.1_01_ep11_makefile.patch + - ocki-3.1_02_ep11_m_init.patch + - ocki-3.1_03_ock_obj_mgr.patch + - ocki-3.1_04_ep11_opaque2blob_error_handl.patch + - ocki-3.1_05_ep11_readme_update.patch + - ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + - ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + - ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + - ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + - ocki-3.1_06_0005-Small-reworks.patch + - ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + - ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + - ocki-3.1_07_0001-Man-page-corrections.patch + - ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + - ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + - ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + +------------------------------------------------------------------- +Tue Apr 7 21:22:57 UTC 2015 - crrodriguez@opensuse.org + +- Also create parent directory /run/lock/opencryptoki in + tmpfiles snippet if it does not exists. + +------------------------------------------------------------------- +Tue Apr 7 21:19:43 UTC 2015 - crrodriguez@opensuse.org + +- spec: do not use -D__USE_BSD, a glibc-internal macro + which no longer has any meaning. + +------------------------------------------------------------------- +Tue Apr 7 21:18:21 UTC 2015 - crrodriguez@opensuse.org + +- spec: use %{_unitdir} %{_tmpfilesdir) +- spec: call tmpfiles_create macro, if defined in %post +- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use + /run/lock instead of /var/lock. 
+ +------------------------------------------------------------------- +Wed Dec 17 10:42:43 UTC 2014 - p.drouand@gmail.com + +- Update to version 3.2 + +New pkcscca tool. Currently it assists in migrating cca private token + objects from opencryptoki version 2 to the clear key encryption method + used in opencryptoki version 3. Includes a manpage for pkcscca tool. + Changes to README.cca_stdll to assist in using the CCA token and + migrating the private token objects. + + Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms. + + Various bugfixes. + + New testcases for various crypto algorithms. +- Only depend on insserv if builded with sysvinit support +- Remove obsolete patches; merged on upstream release + + ocki-3.1_01_ep11_makefile.patch + + ocki-3.1_02_ep11_m_init.patch + + ocki-3.1_03_ock_obj_mgr.patch + + ocki-3.1_04_ep11_opaque2blob_error_handl.patch + + ocki-3.1_05_ep11_readme_update.patch + + ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + + ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + + ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + + ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + + ocki-3.1_06_0005-Small-reworks.patch + + ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + + ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + + ocki-3.1_07_0001-Man-page-corrections.patch + + ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + + ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + + ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + + ocki-3.1_10_0001-ica-sha-update-empty-msg.patch +- Project is now hosted on sourceforge; fix the Url +- Remove cvs related stuff; tarball is produced by upstream +- Use %configure macro instead of manually defined options +- Build with parallel support; use %{?_smp_mflags} macro + 
+------------------------------------------------------------------- +Fri Sep 5 15:30:59 UTC 2014 - jjolly@suse.com + +- Fixed ica token's SHA update function when passing zero message + size (bnc#892644) +- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch + +------------------------------------------------------------------- +Fri Sep 5 04:05:02 UTC 2014 - jjolly@suse.com + +- Fixed README.ep11_stdll to have Unix-style EOL characters. +- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + +------------------------------------------------------------------- +Thu Sep 4 21:51:32 UTC 2014 - jjolly@suse.com + +- Added all files from %src/doc as rpm %doc (bnc#894780) + +------------------------------------------------------------------- +Thu Sep 4 21:17:04 UTC 2014 - jjolly@suse.com + +- Added pkcscca utility and documentation to convert private + token objects from v2 to v3. (bnc#893757) +- Added patches: + - ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + - ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + +------------------------------------------------------------------- +Thu Sep 4 20:35:01 UTC 2014 - jjolly@suse.com + +- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183) +- Added patch ocki-3.1_07_0001-Man-page-corrections.patch + +------------------------------------------------------------------- +Fri Aug 15 02:14:21 UTC 2014 - sfalken@opensuse.org + +- Specfile Cleanup, Added directory macros in appropriate places + +------------------------------------------------------------------- +Thu Jun 26 06:55:03 UTC 2014 - jjolly@suse.com + +- Several package changes as per bnc#880217 + - Added openCryptoki-tmp.conf for lock directory management + - Added 'lite' token support + - Changed from init.d daemon to systemd service + - Updated macros in %pre %post %preun and %postun sections + - Added missing icsf and ep11tok directories to %files section + 
ocki-3.1_01_ep11_makefile.patch + ocki-3.1_02_ep11_m_init.patch + +- Patches added: + ocki-3.1-fix-libica-link.patch + ocki-3.1_03_ock_obj_mgr.patch + ocki-3.1_04_ep11_opaque2blob_error_handl.patch + ocki-3.1_05_ep11_readme_update.patch + ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + ocki-3.1_06_0005-Small-reworks.patch + ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + +------------------------------------------------------------------- +Thu Jun 5 13:28:29 UTC 2014 - jjolly@suse.com + +- Moved libpkcs11_icsf 32-bit out of s390-specific files + +------------------------------------------------------------------- +Thu Jun 5 13:00:31 UTC 2014 - jjolly@suse.com + +- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x +- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x + +------------------------------------------------------------------- +Thu Jun 5 05:06:34 UTC 2014 - jjolly@suse.com + +- EP11 token available in the opencryptoki V3.1 package (bnc#879303) + - Specfile changed to include ep11tok.conf + - Specfile changed to include pkcsep11_migrate and pkcsicsf tools + - Specfile changed to BuildRequires openldap2-devel + - ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + - print_mechanism() ignored bad returncodes from the called + function token_specific_get_mechanism_list() + - ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + - Fix failure when confname is not given, use default + ep11tok.conf instead + - ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + - Removed check for ep11 lib at 
configure + - ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + - Move stdint.h before zcrypt.h to resolve dependencies + - ocki-3.1_06_0005-Small-reworks.patch + - testcase fixes and file permission changes + - ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + - Fix for s390 31-bit build error + - ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + - zcrypt library included in build by default + +------------------------------------------------------------------- +Fri Mar 7 19:03:59 UTC 2014 - jjolly@suse.com + +- Patches applied (bnc#865549) + - Fixed Makefile to complement common code dependencies + - switched to official m_init() function based on library change + - checking the global token object count + - catch the return code from object_mgr_find_in_map1 + - some README updates about usage and restrictions + +------------------------------------------------------------------- +Wed Mar 5 17:58:21 CET 2014 - ro@suse.de + +- fix build on x86 (add CCA and TPM to filelist) +- fix libica detection on s390/s390x to get ICA module built + +------------------------------------------------------------------- +Mon Feb 4 17:16:25 UTC 2014 - jjolly@suse.com + +- Updated to openCryptoki v3.1: See ChangeLog for complete details + (FATE#315426) + - opencryptoki-3.1 + - New ep11 token to support IBM Crypto Express adpaters + (starting with Crypto Express 4S adapters) configured with + Enterprise PKCS#11(EP11) firmware. (FATE#315330) + - opencryptoki-3.0 + - New opencryptoki.conf file to replace pk_config_data and + pkcs11_starup. The opencryptoki.conf contains slot entry + information for tokens. + - Removed pkcs_slot and pkcs11_startup shell scripts. + - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 + mechanisms using 3DES keys. (FATE#315323) + - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL + mechanisms. 
(FATE#315323) + - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, + CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL + mechanisms. (FATE#315323) + - opencryptoki-2.4.1 (21 Feb 2012) + - SHA256 support added for CCA token (FATE#315289) +- Using insserv macros in %post, %preun and %postun sections +- Cleaned up spec file +- removed patches: + - ocki-2.2.6-PIN-backspace.patch +- added patches: + - ocki-3.1-fix-implicit-decl.patch + - ocki-3.1-remove-make-install-chgrp-chmod.patch + - ocki-3.1-fix-init_d-path.patch + +------------------------------------------------------------------- +Tue Feb 4 13:22:49 CET 2014 - ro@suse.de + +- add aarch64 to 64bit archs + +------------------------------------------------------------------- +Tue Dec 10 19:25:44 UTC 2013 - dvaleev@suse.com + +- enable ppc64le + +------------------------------------------------------------------- +Sat Dec 8 18:51:31 UTC 2012 - meissner@suse.com + +- remove -o from groupadd +- fixed sed script to not a grouplist with leading , + +------------------------------------------------------------------- +Sun Nov 27 06:59:49 UTC 2011 - coolo@suse.com + +- don't package man pages twice + +------------------------------------------------------------------- +Sun Nov 27 06:52:25 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Mon Sep 27 08:02:22 CEST 2010 - meissner@suse.de + +- enable TPM support (bnc#641919) + +------------------------------------------------------------------- +Fri Feb 20 06:01:56 CET 2009 - jjolly@suse.de + +- pkcsslotd: Updated to use new pidfile location (bnc#475800) + +------------------------------------------------------------------- +Fri Jan 23 23:02:19 CET 2009 - jjolly@suse.de + +- Added fix to allow backspacing during PIN entry (bnc#448089) + +------------------------------------------------------------------- +Fri Jan 23 07:42:59 CET 2009 - olh@suse.de + +- 
run ldconfig in postinstall [bnc#417925] + +------------------------------------------------------------------- +Tue Dec 9 14:16:37 CET 2008 - kukuk@suse.de + +- Enable build on x86_64 [bnc#417925] + +------------------------------------------------------------------- +Thu Nov 6 06:25:48 CET 2008 - jjolly@suse.de + +- Overhaul of the specfile. All platforms build the base package + and each architecture builds the appropriate 32 or 64 bit package + +------------------------------------------------------------------- +Fri Sep 12 06:55:17 CEST 2008 - jjolly@suse.de + +- Updated to openCryptoki v2.2.6 + +------------------------------------------------------------------- +Thu Aug 28 18:21:26 CEST 2008 - ro@suse.de + +- fix init script + +------------------------------------------------------------------- +Fri Mar 30 01:29:49 CEST 2007 - ro@suse.de + +- added pwdutils to buildreq + +------------------------------------------------------------------- +Fri Oct 20 02:25:46 CEST 2006 - ro@suse.de + +- fix missing return values from non-void funcs + +------------------------------------------------------------------- +Fri Apr 21 13:06:00 CEST 2006 - uli@suse.de + +- pkcsslotd: create PID file in the right place, delete it on + exit (bug #164664) + +------------------------------------------------------------------- +Tue Apr 11 13:29:07 CEST 2006 - uli@suse.de + +- added 64-bit patches from IBM (bug #145666) + +------------------------------------------------------------------- +Mon Apr 10 13:30:50 CEST 2006 - uli@suse.de + +- added small change missing from patch for bug #156651 + +------------------------------------------------------------------- +Mon Apr 3 13:57:52 CEST 2006 - uli@suse.de + +- fixed location of pkcs11_startup in init script (bug #162372) + +------------------------------------------------------------------- +Mon Mar 13 15:05:17 CET 2006 - uli@suse.de + +- fixed proc_t structure mixup (bug #156651) + 
+------------------------------------------------------------------- +Thu Mar 9 17:18:33 CET 2006 - uli@suse.de + +- initialize head pointer (bug #156229) + +------------------------------------------------------------------- +Mon Mar 6 13:20:21 CET 2006 - uli@suse.de + +- %ghost symlinks that are generated in %post (bug #154961) + +------------------------------------------------------------------- +Thu Feb 2 13:15:13 CET 2006 - uli@suse.de + +- stuffed memleak (patch by IBM, bug #147036) + +------------------------------------------------------------------- +Wed Feb 1 13:31:05 CET 2006 - uli@suse.de + +- changed RPM layout to meet IBM's demands (based on patch by IBM, + bug #145666) +- removed mmap, per-user data store support (patch by IBM, bug + #145666) + +------------------------------------------------------------------- +Wed Jan 25 21:38:59 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Thu Jan 12 10:25:37 CET 2006 - hare@suse.de + +- Update to 2.2.2-rc2 + +------------------------------------------------------------------- +Wed Jan 11 17:11:58 CET 2006 - hare@suse.de + +- Update to 2.2.1-rc2 +- Fixed build errors +- Cleaned up spec file. + +------------------------------------------------------------------- +Wed Dec 14 01:32:20 CET 2005 - ro@suse.de + +- copy TFAQ to build directory (fix build) + +------------------------------------------------------------------- +Mon Dec 12 15:35:22 CET 2005 - hare@suse.de + +- Update to 2.1.6-rc5. +- Port fixes from SLES9 SP3. 
+ +------------------------------------------------------------------- +Tue Nov 15 18:03:22 CET 2005 - uli@suse.de + +- enabled for ARM + +------------------------------------------------------------------- +Thu Feb 17 12:58:00 CET 2005 - od@suse.de + +- fix #50050: + - ./configure.in: wrong test against $host makes ppc(64) miss + -DPKCS64 in CFLAGS + - corrected: S390 flag was set for ppc in this conditional + +------------------------------------------------------------------- +Mon Aug 16 12:52:01 CEST 2004 - ro@suse.de + +- run full autoreconf / simplify specfile a little + +------------------------------------------------------------------- +Tue Apr 27 08:26:46 CEST 2004 - hare@suse.de + +- Print correct error message (#37427 again). + +------------------------------------------------------------------- +Fri Apr 23 08:18:14 CEST 2004 - hare@suse.de + +- Check for the correct module on startup (#37427) + +------------------------------------------------------------------- +Sun Apr 18 17:57:30 CEST 2004 - olh@suse.de + +- update to openCryptoki-2.1.5, ppc64 version (#39026) + +------------------------------------------------------------------- +Wed Feb 18 01:29:07 CET 2004 - ro@suse.de + +- adapt filelist on ppc + +------------------------------------------------------------------- +Thu Feb 12 14:27:08 CET 2004 - kukuk@suse.de + +- Fix owner/group of files/directories + +------------------------------------------------------------------- +Fri Dec 5 12:28:30 CET 2003 - ro@suse.de + +- no need to specify "root" as supplementary group for root, + it's already primary + +------------------------------------------------------------------- +Wed Jul 30 18:12:32 CEST 2003 - hare@suse.de + +- Update to openCryptoki-2.1.3 +- Fixed configure errors. 
+ +------------------------------------------------------------------- +Mon Jun 23 02:12:34 CEST 2003 - ro@suse.de + +- added directories to filelist + +------------------------------------------------------------------- +Wed Jun 4 00:31:28 CEST 2003 - ro@suse.de + +- remove CVS subdirs +- remove unpackaged files from buildroot + +------------------------------------------------------------------- +Thu Nov 21 01:34:11 CET 2002 - ro@suse.de + +- removed duplicates from configure.in + +------------------------------------------------------------------- +Tue Oct 1 10:51:18 CEST 2002 - froh@suse.de + +- exclude ppc64 from the architectures, the package is built for. + 64bit mode is not supported by IBM yet; dlopen wrappers are also + missing 64bit filename handling. (#20380) +- actually compress the openCryptoki-1.4*.tar.bz2 + +------------------------------------------------------------------- +Tue Sep 24 20:18:36 CEST 2002 - ro@suse.de + +- make it even build ... + +------------------------------------------------------------------- +Tue Sep 24 14:25:51 CEST 2002 - froh@suse.de + +- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group + creation before package installation (#20079) +- correct version number (the patch actiually lifts openCryptoki to 1.5) +- fix groupadd call to no longer silently ignore errors in all cases + using (hopefully) posix exit codes. alternative would be to use + undocumented '-f' option of groupadd. 
+ +------------------------------------------------------------------- +Fri Sep 20 13:37:22 CEST 2002 - froh@suse.de + +- add user root to group pkcs11 to enable root to administrate the + crypto hardware support (#19566) + +------------------------------------------------------------------- +Mon Aug 26 17:24:21 CEST 2002 - okir@suse.de + +- misc security fixes (#18377) + +------------------------------------------------------------------- +Fri Aug 23 17:14:45 CEST 2002 - froh@suse.de + +- replaced openCryptoki-tools with openCryptoki-32bit and + openCryptoki-64bit + +------------------------------------------------------------------- +Thu Aug 22 10:45:35 CEST 2002 - froh@suse.de + +- moved dlopen objects that are available for non-x86 out of the + ifarch ix86 +- moved postun to tools subpackge (which contains the daemon) +- removed include files. no development support for now. +- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch + and %%openCryptoki_no_tools_arch + +------------------------------------------------------------------- +Wed Aug 21 12:06:21 CEST 2002 - ro@suse.de + +- replaced all i386 occurrences with %ix86 +- changed filelist to what's really built + +------------------------------------------------------------------- +Tue Aug 20 12:24:50 CEST 2002 - froh@suse.de + +- split package to openCryptoki and openCryptoki-tools to allow + parallel installation of 32bit tools with 64bit dlopen objects for + foreign middleware. +- removed automatical insserv on install, because the package needs + manual configuration (#18031) + +------------------------------------------------------------------- +Mon Aug 12 11:01:37 CEST 2002 - froh@suse.de + +- added missing %post before insserv (Bug #17600) + +------------------------------------------------------------------- +Fri Aug 9 13:03:05 CEST 2002 - kukuk@suse.de + +- Fix path in PreReq. 
+ +------------------------------------------------------------------- +Wed Aug 7 12:36:09 CEST 2002 - froh@suse.de + +- add groupadd pkcs11 in %pre install + +------------------------------------------------------------------- +Mon Jul 29 17:21:49 CEST 2002 - froh@suse.de + +- updated to current version +- removed old START_ variable + +------------------------------------------------------------------- +Fri Jun 14 00:07:03 CEST 2002 - ro@suse.de + +- always use macros when calling insserv + +------------------------------------------------------------------- +Tue Apr 9 21:06:49 CEST 2002 - bk@suse.de + +- add lib64 support + +------------------------------------------------------------------- +Tue Feb 5 11:01:16 CET 2002 - froh@suse.de + +- Added openssl to #neededforbuild, which is needed in addition to + openssl-devel + +------------------------------------------------------------------- +Wed Jan 30 16:20:48 CET 2002 - froh@suse.de + +- initial version + +------------------------------------------------------------------- diff --git a/openCryptoki.pkcsslotd b/openCryptoki.pkcsslotd new file mode 100644 index 0000000..b4500ad --- /dev/null +++ b/openCryptoki.pkcsslotd 
@@ -0,0 +1,150 @@
+#! /bin/sh
+# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Jiri Smid
+#
+# /etc/init.d/pkcsslotd
+#
+# and symbolic its link
+#
+# /usr/sbin/rcpkcsslotd
+#
+### BEGIN INIT INFO
+# Provides: pkcsslotd
+# Required-Start: $remote_fs
+# Required-Stop: $null
+# Should-Start: z90crypt
+# Should-Stop: z90crypt
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Description: Start the pkcsslotd daemon
+# Short-Description: Start the pkcsslotd daemon
+### END INIT INFO
+
+. /etc/rc.status
+
+PKCSSLOTD_PID_FILE=/var/lib/opencryptoki/.slotpid
+# Check for missing binaries (stale symlinks should not happen)
+PKCSSLOTD_BIN=/usr/sbin/pkcsslotd
+test -x $PKCSSLOTD_BIN || exit 5
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+
+# Check for machine architecture
+PKCS_ARCH=$(/bin/uname -m)
+
+# First reset status of this service
+rc_reset
+case "$1" in
+ start)
+ case "$PKCS_ARCH" in
+ s390|s390x)
+ PKCS_MODULE="z90crypt"
+ ;;
+ *)
+ PKCS_MODULE="leedslite"
+ ;;
+ esac
+ lsmod | grep $PKCS_MODULE > /dev/null 2>&1 \
+ || echo "$PKCS_MODULE module is not installed - PKCS#11 will not be hardware accelerated"
+
+ echo -n "Starting pkcsslotd daemon:"
+
+ ## Start daemon with startproc(8). If this fails
+ ## the echo return value is set appropriate.
+
+ if [ ! -f $PKCSSLOTD_PID_FILE ]; then
+ # $PKCSSLOTD_PID_FILE does not exist
+ startproc -f $PKCSSLOTD_BIN
+ elif !
ps -h --pid `cat $PKCSSLOTD_PID_FILE` | grep "$PKCSSLOTD_BIN" 2>&1 >/dev/null; then
+ # $PKCSSLOTD_PID_FILE exists but named pid not
+ rm -f $PKCSSLOTD_PID_FILE
+ startproc -f $PKCSSLOTD_BIN
+ else
+ # just to have "failed" message
+ startproc $PKCSSLOTD_BIN
+ fi
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down pkcsslotd daemon:"
+ ## Stop daemon with killproc(8) and if this fails
+ ## set echo the echo return value.
+
+ killproc -p $PKCSSLOTD_PID_FILE -TERM $PKCSSLOTD_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ try-restart)
+ ## Stop the service and if this succeeds (i.e. the
+ ## service was running before), start it again.
+ $0 status >/dev/null && $0 restart
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
+ ## If it does not support it, restart.
+
+ echo -n "Reload service pkcsslotd"
+ ## if it supports it:
+ killproc -p $PKCSSLOTD_PID_FILE -HUP $PKCSSLOTD_BIN
+ #touch $PKCSSLOTD_PID_FILE
+ rc_status -v
+
+ ;;
+ reload)
+ ## Like force-reload, but if daemon does not support
+ ## signalling, do nothing (!)
+
+ # If it supports signalling:
+ echo -n "Reload service pkcsslotd"
+ killproc -p $PKCSSLOTD_PID_FILE -HUP $PKCSSLOTD_BIN
+ #touch $PKCSSLOTD_PID_FILE
+ rc_status -v
+
+ # If it does not support reload:
+ #exit 3
+ ;;
+ status)
+ echo -n "Checking for service pkcsslotd: "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Status has a slightly different for the status command:
+ # 0 - service running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running
+
+ # NOTE: checkproc returns LSB compliant status values.
+ checkproc $PKCSSLOTD_BIN
+ rc_status -v
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/openCryptoki.spec b/openCryptoki.spec
new file mode 100644
index 0000000..02783cb
--- /dev/null
+++ b/openCryptoki.spec
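Review bot: In the `start` branch of openCryptoki.pkcsslotd the contents of the pid file reach `ps` unquoted through the backticks, and the `2>&1 >/dev/null` order on the `grep` leaves stderr attached to the terminal instead of silencing it (the `lsmod` test earlier in the same branch has the order right). The pid file lives under /var/lib/opencryptoki; if that directory is writable by the token group (worth confirming against the packaged permissions), whatever is written there is word-split into arguments of a command this root-run script executes. I would write the test as `elif ! ps -h --pid "$(cat "$PKCSSLOTD_PID_FILE")" | grep -q "$PKCSSLOTD_BIN"; then`, which passes the content as a single argument and treats anything that is not a live pkcsslotd pid as stale. The `status` branch also calls `checkproc $PKCSSLOTD_BIN` without `-p $PKCSSLOTD_PID_FILE`, unlike `stop` and `reload`, so the three branches do not identify the daemon the same way.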
@@ -0,0 +1,347 @@
+#
+# spec file for package openCryptoki
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
+# support in the workings for: ppc64
+# no support in sight for: ia64
+%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
+# autobuild:/work/cd/lib/misc/group
+# openCryptoki pkcs11:x:64:
+%define pkcs11_group_id 64
+%define pkcs_group pkcs11
+%define oc_cvs_tag opencryptoki
+
+Name: openCryptoki
+Version: 3.23.0
+Release: 0
+Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
+License: CPL-1.0
+Group: Productivity/Security
+URL: https://github.com/opencryptoki/opencryptoki
+Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: openCryptoki.pkcsslotd
+Source2: openCryptoki-TFAQ.html
+Source3: openCryptoki-rpmlintrc
+# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
+# and because we don't want(?) various file and directory permissions to be 0700.
+Patch000: ocki-3.23-remove-make-install-chgrp.patch
+#
+#
+BuildRequires: bison
+BuildRequires: dos2unix
+BuildRequires: flex
+BuildRequires: gcc-c++
+BuildRequires: libcap-devel
+BuildRequires: libitm1
+BuildRequires: libtool
+BuildRequires: libudev-devel
+BuildRequires: openldap2-devel
+BuildRequires: openssl-devel >= 1.0
+BuildRequires: pkgconfig
+BuildRequires: trousers-devel
+BuildRequires: pkgconfig(systemd)
+###
+Requires(pre): %{_sbindir}/groupadd
+Requires(pre): %{_sbindir}/useradd
+Requires(pre): %{_sbindir}/usermod
+###
+Provides: user(pkcs11)
+Provides: group(pkcs11)
+
+# IBM maintains openCryptoki on these architectures:
+ExclusiveArch: %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
+%{?systemd_requires}
+%ifarch s390 s390x
+BuildRequires: libica-devel
+BuildRequires: libica-tools
+%endif
+
+%description
+The PKCS#11 version 2.11 API implemented for the IBM cryptographic
+cards. This package includes support for the IBM 4758 cryptographic
+coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
+Cryptographic Accelerator (FC 4960 on pSeries).
+
+%package devel
+Summary: Development files for openCryptoki, a PKCS#11 implementation for IBM hardware
+Group: Development/Languages/C and C++
+Requires: glibc-devel
+Requires: libopenssl-devel
+Requires: openldap2-devel
+Requires: trousers-devel
+%ifarch s390 s390x
+Requires: libica-devel
+%endif
+
+%description devel
+The PKCS#11 version 2.01 API implemented for the IBM cryptographic
+cards. This package includes support for the IBM 4758 cryptographic
+co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
+Cryptographic Accelerator (FC 4960 on pSeries).
+
+%ifarch %{openCryptoki_32bit_arch}
+%package 32bit
+Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
+# this is needed to make sure the pkcs11 group exists before
+# installation:
+Group: Productivity/Security
+Requires: openCryptoki
+ExclusiveArch: %{openCryptoki_32bit_arch}
+
+%description 32bit
+This is a re-packaged binary rpm. For the package source, please look
+for the source of the package without the "32bit" ending
+
+The PKCS#11 version 2.11 API implemented for the IBM cryptographic
+cards. This package includes support for the IBM 4758 cryptographic
+coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
+Cryptographic Accelerator (FC 4960 on pSeries).
+
+%endif
+
+%ifarch %{openCryptoki_64bit_arch}
+%package 64bit
+Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
+# this is needed to make sure the pkcs11 group exists before
+# installation:
+Group: Productivity/Security
+Requires: openCryptoki
+ExclusiveArch: %{openCryptoki_64bit_arch}
+
+%description 64bit
+This is a re-packaged binary rpm. For the package source, please look
+for the source of the package without the "64bit" ending
+
+The PKCS#11 version 2.11 API implemented for the IBM cryptographic
+cards. This package includes support for the IBM 4758 cryptographic
+coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
+Cryptographic Accelerator (FC 4960 on pSeries).
+
+%endif
+
+%prep
+# setup -q -n %{oc_cvs_tag}-%{version}
+%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
+
+cp %{SOURCE2} .
+
+%build
+./bootstrap.sh
+
+%configure --with-systemd=%{_unitdir} \
+ --with-libudev=yes \
+ --enable-tpmtok \
+%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory
+ --enable-locks \
+%endif
+%ifarch s390 s390x
+ --enable-pkcsep11_migrate
+%else
+ --disable-ccatok
+%endif
+
+make %{?_smp_mflags}
+dos2unix doc/README.ep11_stdll
+
+%install
+%make_install
+install -d %{buildroot}%{_includedir}
+install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
+install -d %{buildroot}%{_initddir}
+install -d %{buildroot}%{_sbindir}
+install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
+#
+mkdir -p %{buildroot}%{_datadir}/opencryptoki
+cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
+#
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
+rm -rf %{buildroot}/tmp
+
+# Remove all development files
+find %{buildroot} -type f -name "*.la" -delete -print
+rm -f %{buildroot}%{_libdir}/opencryptoki/methods
+
+%pre
+%{service_add_pre pkcsslotd.service}
+# autobuild:/work/cd/lib/misc/group
+# openCryptoki pkcs11:x:64:
+# openCryptoki pkcsslotd:x:64:
+%{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group} 2>/dev/null || getent group %{pkcs_group} 2>/dev/null || true
+%{_sbindir}/useradd -g %{pkcs11_group_id} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki 2>/dev/null || getent passwd pkcsslotd 2>/dev/null || true
+%{_sbindir}/usermod -a -G %{pkcs_group} root
+
+%preun
+%{service_del_preun pkcsslotd.service}
+
+%post
+# Symlink from /var/lib/opencryptoki to /etc/pkcs11
+if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
+ if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
+ mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
+ cd %{_sysconfdir} && rm -rf pkcs11 && \
+ ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
+ fi
+fi
+/sbin/ldconfig
+%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
+%{service_add_post pkcsslotd.service}
+
+%postun
+if [ -L %{_sysconfdir}/pkcs11 ] ; then
+ rm %{_sysconfdir}/pkcs11
+fi
+%{service_del_postun pkcsslotd.service}
+
+%ifarch %{openCryptoki_32bit_arch}
+%postun 32bit
+if [ -L %{_sysconfdir}/pkcs11 ] ; then
+ rm %{_sysconfdir}/pkcs11
+fi
+%{service_del_postun pkcsslotd.service}
+
+%post 32bit
+# Old library name links
+cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
+ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
+rm -rf %{_libdir}/pkcs11/stdll
+test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
+cd %{_prefix}/lib/pkcs11
+ln -sf ../opencryptoki/stdll stdll
+cd stdll
+[ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true
+[ -f libpkcs11_tpm.so ] && ln -sf ./libpkcs11_tpm.so PKCS11_TPM.so || true
+[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
+[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
+/sbin/ldconfig
+%endif
+
+%ifarch %{openCryptoki_64bit_arch}
+%post 64bit
+# Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only.
+test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
+ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_API.so64
+/sbin/ldconfig
+%endif
+
+%files
+%doc openCryptoki-TFAQ.html FAQ
+%doc doc/*
+%dir %{_datadir}/doc/opencryptoki
+%doc %{_datadir}/doc/opencryptoki/policy-example.conf
+%doc %{_datadir}/doc/opencryptoki/strength-example.conf
+%dir %{_datadir}/opencryptoki
+%{_datadir}/opencryptoki/policy-example.conf
+%{_datadir}/opencryptoki/strength-example.conf
+ # configuration directory
+%dir %{_sysconfdir}/opencryptoki
+%config %{_sysconfdir}/opencryptoki/opencryptoki.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+%ifarch s390 s390x
+%config %{_sysconfdir}/opencryptoki/ccatok.conf
+%config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
+%config %{_sysconfdir}/opencryptoki/ep11tok.conf
+%{_sbindir}/pkcsep11_migrate
+%endif
+%{_sbindir}/p11sak
+%{_unitdir}/pkcsslotd.service
+%{_tmpfilesdir}/opencryptoki.conf
+%{_sbindir}/rcpkcsslotd
+ # utilities
+%ifarch s390 s390x
+%{_sbindir}/pkcsep11_session
+%{_sbindir}/pkcscca
+%endif
+%{_sbindir}/pkcsslotd
+%{_sbindir}/pkcsconf
+%{_sbindir}/pkcsicsf
+%{_sbindir}/pkcsstats
+%{_sbindir}/pkcstok_migrate
+%dir %{_libdir}/opencryptoki
+%dir %{_libdir}/opencryptoki/stdll
+ # State and lock directories
+%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
+%ifarch s390 s390x
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
+%endif
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
+%ifarch s390 s390x
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
+%endif
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
+%{_mandir}/man*/*
+
+%files devel
+%dir %{_libdir}/opencryptoki
+%dir %{_libdir}/opencryptoki/stdll
+%{_includedir}/opencryptoki
+%{_libdir}/pkgconfig/opencryptoki.pc
+###
+%{_sbindir}/pkcshsm_mk_change
+
+%ifarch %{openCryptoki_32bit_arch}
+%files 32bit
+ # these don't conflict because they only exist as 64bit binaries if
+ # there is no 32bit version of them usable
+%{_libdir}/opencryptoki/libopencryptoki.so
+%ghost %{_libdir}/opencryptoki/PKCS11_API.so
+%{_libdir}/opencryptoki/*.0
+%ifarch s390
+%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
+%endif
+%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
+%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
+%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
+%ifarch s390 s390x
+%{_libdir}/opencryptoki/stdll/libpkcs11_ica.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
+%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
+%endif
+%{_libdir}/opencryptoki/stdll/*.0
+%dir %{_libdir}/pkcs11
+%ghost %{_libdir}/pkcs11/stdll
+%ghost %{_libdir}/pkcs11/methods
+%{_libdir}/pkcs11/*.so
+%{_sysconfdir}/ld.so.conf.d/*
+%endif
+
+%ifarch %{openCryptoki_64bit_arch}
+%files 64bit
+%dir %{_libdir}/opencryptoki
+%{_libdir}/opencryptoki/*.so
+%{_libdir}/opencryptoki/*.0
+%dir %{_libdir}/opencryptoki/stdll
+%{_libdir}/opencryptoki/stdll/*.so
+%{_libdir}/opencryptoki/stdll/*.0
+%{_libdir}/pkcs11
+%{_sysconfdir}/ld.so.conf.d/*
+%endif
+
+%changelog
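Review bot: In `%pre`, `useradd -g %{pkcs11_group_id}` picks the daemon's primary group by the numeric id 64 instead of by name, and both account-creation lines end in `|| true`, so a failed `groupadd` passes silently. If gid 64 is already held by another group on the target system (the spec comments suggest it is reserved, but nothing in the scriptlet enforces that), pkcsslotd would end up in that group while `%files` assigns the `%attr(770,root,%{pkcs_group})` token and log directories to pkcs11. I would look the accounts up first, reference the group by name, and let a real failure abort the scriptlet: `getent group %{pkcs_group} >/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group}` and `getent passwd pkcsslotd >/dev/null || %{_sbindir}/useradd -r -g %{pkcs_group} -s /sbin/nologin -d /run/opencryptoki pkcsslotd`. Separately, `Provides: user(pkcs11)` names an account this scriptlet never creates; the user it adds is pkcsslotd, so `Provides: user(pkcsslotd)` looks like what was intended.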