Release 0.5

What's Changed

• Fix session count types by @bith3ad in #398
• Fix CKA_ALLOWED_MECHANISMS attribute generation by @simo5 in #397
• Use OpenSSL random functions by @simo5 in #401
• Add support for legacy RSA_PKCS1_WITH_TLS_PADDING by @simo5 in #402
• CI Maintenance by @simo5 in #403
• Release version 0.5 by @simo5 in #404

New Contributors

• @bith3ad made their first contribution in #398

Full Changelog: v0.4...v0.5

Release 0.4

Several bugfixes:

Notable changes

• We moved the build system to Meson
• A feature to embed pkcs11- URIs into "fake" PEM files has been added which makes it possible to transparently use the provider with many tools that accept keys only as PEM files.

What's Changed

• Remove obsolete pointer to docs in the wiki by @simo5 in #336
• Added an option to set NULL callbacks for C_OpenSession by @Maks027 in #343
• Run CI with integration test for libssh by @The-Mule in #340
• RSA key comparison: exit early after MODULUS / PUBLIC_EXPONENT are compared - no round-trip to HSM by @space88man in #346
• EC keys: implement vendor optimization when private key contains CKA_EC_POINT by @space88man in #347
• Handle compressed EC point from OpenSSL < 3.0.8 by @space88man in #349
• GH workflow install libssl3t64-dgbsym on debian by @0pq76r in #353
• Minor fix for "Available profiles" debug output by @0pq76r in #354
• Integration tests (libssh, httpd, bind) by @The-Mule in #358
• Decoder: pkcs11-uri in pem by @0pq76r in #328
• Fallback to a read lock on fork preparation by @simo5 in #356
• Add pull request template by @Jakuje in #362
• Try to run Coverity Scan on demand by @simo5 in #366
• Add uri2pem.py tool to create pkcs11-provider PEM key files by @space88man in #363
• ci: Run tests also against CentOS 9 (OpenSSL 3.0) by @Jakuje in #369
• Fix minor typo (teplate->template) by @sarroutbi in #371
• Avoid warnings related to Node20 Github actions by @sarroutbi in #373
• Do not cache operations when provider status is uninitialized by @ifranzki in #372
• Change names of the two covscan jobs by @simo5 in #374
• Set correct pin-value format in tests by @sarroutbi in #376
• ci: Switch to macOS 14 on M series chips by @neverpanic in #377
• Use a genereic mechanism to block calls to tokens by @simo5 in #378
• Add more generic EdDSA tests by @simo5 in #379
• implement more tests with EdDSA keys (export and comparison) by @Jakuje in #292
• Switch build system to Meson by @ueno in #304
• build: Install provider in correct path by @neverpanic in #380
• Fix tests/README (adapt to meson) by @sarroutbi in #382
• Address various issues with meson builds by @simo5 in #385
• fixing Covscan PR target by @simo5 in #386
• Add tests with pin-source parameter in PKCS#11 URI by @sarroutbi in #384
• ci: Run the CI also on ubuntu by @Jakuje in #393

New Contributors

• @Maks027 made their first contribution in #343
• @The-Mule made their first contribution in #340
• @space88man made their first contribution in #346
• @sarroutbi made their first contribution in #371
• @ifranzki made their first contribution in #372

Full Changelog: v0.3...v0.4

v0.3

What's Changed

• Fix mismatching version in spec file by @simo5 in #261
• Update spec file with min OpenSSL version and change log entry by @sahanaprasad07 in #262
• Enable gpg signature verification in spec file by @sahanaprasad07 in #263
• Initial support for explicit EC by @manison in #245
• Skip login if token does not require login by @CharlieYJH in #258
• Change how key export works, and add key import functionality as well as key match by @simo5 in #267
• Smarten up handling of login session by @simo5 in #273
• Extend key comparison tests by @manison in #275
• Allow setting OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY for EC keys by @manison in #277
• Change Key Generation to take a URI by @simo5 in #284
• Reinit module only once after fork by @simo5 in #286
• Plug a small race in token login operations by @simo5 in #288
• Implement special parameter to define Key Usage by @simo5 in #289
• Fix key generation template size and debug log message by @fabled in #283
• Embed the private key with public key attributes. by @sahanaprasad07 in #293
• CID 465959: Resource leaks by @simo5 in #294
• Replace Oasis headers with public domain headers by @simo5 in #306
• Fix: enable cross compilation by removing the AC_CHECK_FILE macro by @oleorhagen in #307
• tests: Fix expected output and fix Debian package name by @Jakuje in #314
• Side-channel proofing PKCS#1 1.5 paths (CVE-2023-6258) by @simo5 in #308
• Minor coverity fixes by @simo5 in #315
• Implement support for ALWAYS_AUTH and interactive prompting when the caller did not provide pin by @Jakuje in #309
• Apply coverity Fixes by @simo5 in #318
• Use a cached version of the URI to refresh objects by @simo5 in #316
• Use correct strdup function in macro by @simo5 in #323
• CKK_EC_EDWARDS: EC_PARAMS containing oID by @0pq76r in #325
• objects: Avoid memory leak by @Jakuje in #326
• tests: tls test without sleep by @0pq76r in #319
• Quirk: no-operation-state by @0pq76r in #324
• Add --with-openssl info to BUILD.md by @stgloorious in #330
• Fix RSA key generation and test size by @simo5 in #332
• Do not load profiles when they can't be available by @simo5 in #333
• tests: Check csr for keys in token with openssl by @Jakuje in #334
• Release version 0.3 by @simo5 in #335

New Contributors

• @CharlieYJH made their first contribution in #258
• @oleorhagen made their first contribution in #307
• @0pq76r made their first contribution in #325
• @stgloorious made their first contribution in #330

Full Changelog: v0.2...v0.3

Release 0.2

This is mainly a bugfix release following up to 0.1
Thanks to all contributors that provided feedback and fixes.

What's Changed

• CID 451133: Fix errors using config option names by @simo5 in #221
• Set default digest for digest_sign/verify functions by @simo5 in #224
• Add a quirk to prevent calling the module on exit by @simo5 in #225
• Support OSSL_PKEY_PARAM_DEFAULT/MANDATORY_DIGEST by @simo5 in #227
• Fix public key exporting by @simo5 in #228
• Fix SoftHSM issues wth PSS keys by @simo5 in #229
• Improve URI management by @simo5 in #230
• CID 452520: Copy-paste error by @simo5 in #231
• Implement support to expose PKCS#11 Random as openssl rand provider by @simo5 in #233
• Add tunable to influence session caching by @simo5 in #236
• some setup nits for OpenSSL by @baentsch in #241
• Add quirk to control CKA_ALLOWED_MECHANISMS by @simo5 in #237
• Add debugging of config options by @simo5 in #242
• Add manpage by converting wiki's markdown by @simo5 in #244
• Run tests under valgrind, address-sanitizer and address several memory-related issues by @Jakuje in #243
• Minor coverity fixes by @simo5 in #246
• Do not link provider to libssl by @simo5 in #251
• tests: Avoid bogus failures from ossl helper by @Jakuje in #254
• Fixes to spec file to include the right release, source URL, man page, and docs. by @sahanaprasad07 in #253
• spec file clean up. by @sahanaprasad07 in #255
• Run Shellcheck as part of CI and squash the shellcheck and yamlint warnings by @Jakuje in #256
• Set the value for CRYPTO_LIBS flag correctly by @sahanaprasad07 in #257

New Contributors

• @baentsch made their first contribution in #241
• @sahanaprasad07 made their first contribution in #253

Full Changelog: v0.1...v0.2

Release 0.1

This is the first release of the pkcs11 provider for OpenSSL 3

With the release of OpenSSL 3.0 the older Engines have been deprecated, this code allow the use of pkcs#11 tokens via the native OpenSSL 3 provider interface.
It supports full RFC7512 PKCS #11 URIs to specify keys and most OpenSSL commands work when openssl.cnf is properly configured to load this provider. Either by simply specifying a URI as a key or by requesting the use of provider=pkcs11 in a propquery.

The code is far from bug-free but we believe this is a good first milestone, and is ready for wider testing. It has already been tested with software tokens and a few hardware tokens, note that some software tokens will not work correctly if they directly link to OpenSSL without utilizing a separate libctx for their operation. For those tokens a p11-kit proxy may be used as a workaround (see SoftHSM tests to understand how this works).

This version requires at least OpenSSL 3.0.7 as previous versions had bugs that prevented some operations from working correctly.

This is the culmination of several months of work, with the collaboration of many people.
A big thank you to all the contributors listed below.

What's Changed

• Add minimal CI via github actions by @simo5 in #1
• Add support to return errors to OpenSSL by @simo5 in #2
• Fix operator precedence errors by @oerdnj in #9
• Modernize the autotools usage a bit by @oerdnj in #6
• Fix logical error in p11prov_rsakm_secbits by @oerdnj in #10
• Add headers to the Makefile.am by @oerdnj in #12
• Add compatibility shim for endian related functions by @oerdnj in #8
• Make RTLD_DEEPBIND optional by @oerdnj in #11
• Fix mismatch between CK_UTF8CHAR_PTR and const char * by @oerdnj in #13
• Add SPDX license headers by @oerdnj in #16
• Fix make distcheck by @simo5 in #17
• Add initial .clang-format style and reformat the sources using it by @oerdnj in #15
• Add checks to enforce at least c11 semantics by @simo5 in #19
• Fix few typos and copy&paste errors by @oerdnj in #21
• Add GitHub Action that runs Clang's scan-build by @oerdnj in #23
• Use OPENSSL_strcasecmp() instead of strcasecmp() by @oerdnj in #26
• Add missing single-line braces using clang-tidy by @oerdnj in #20
• Add GitHub Action to build with clang by @oerdnj in #24
• Enable all (most) of the warnings as errors by @oerdnj in #25
• Create CODE_OF_CONDUCT.md by @simo5 in #27
• Add doc on how to contribute to the project by @simo5 in #28
• Add skeleton Security policy by @simo5 in #29
• Add GitHub Action for Coverity Scan by @oerdnj in #30
• Add handling of pin in provider configuration by @simo5 in #31
• Fix issues found by the last Coverity Scan check by @oerdnj in #33
• Add PIN prompting support by @simo5 in #36
• Allow store to enumerate objects by @simo5 in #38
• Fix coverity issues introduced yesterday by @simo5 in #39
• Clarfiy PKCS#11 structure packing comment by @fabled in #40
• Fix PIN wiping in few places by @fabled in #41
• Make use of the session stored on the store ctx by @simo5 in #43
• Fix infinite loop in case no key was found. by @simo5 in #44
• Key loading by @simo5 in #45
• Make debug functions a little more robust by @simo5 in #46
• Fix issues found by valgrinding test suite by @fabled in #47
• Fail hard make check if nss-softokn devel files were not found by @pemensik in #50
• Debug: remove zero bytes after newlines by @simo5 in #51
• fixes for git, autotools and library lookup by @holger-dengler in #52
• Repurpose p11prov_ctx_fns as status check function by @simo5 in #53
• Fix covscan detected issues by @simo5 in #54
• Session object pooling by @simo5 in #48
• Coverity Fixes 4 by @simo5 in #57
• Rsa keygen by @simo5 in #56
• New batch of coverity findings after the last few merges by @simo5 in #58
• Add code to list and debug token mechanisms by @simo5 in #59
• uri: fix key references by label by @holger-dengler in #62
• Add RSA-PSS support by @simo5 in #61
• Add codespell to CI by @simo5 in #63
• Coverity Fixes series 6 by @simo5 in #64
• Remove double newlines in some debug functions by @simo5 in #65
• Make debugging less annoying by @simo5 in #70
• Change CI to run custom distros via containers by @simo5 in #71
• Require OpenSSL >= 3.0.5 by @simo5 in #72
• Coverity Fixes Series 7 by @simo5 in #73
• WIP: Remove the use of custom operation names by @simo5 in #67
• Avoid leaving behind a freed pointer by @simo5 in #74
• Improve store loading with multiple tokens by @simo5 in #75
• Add different ways for specifying PKCS#11 module to use by @Jakuje in #79
• CID 361508: Resource Leak by @simo5 in #80
• Improve public key export by @simo5 in #81
• Update build prerequisites by @simo5 in #85
• Fedora package and requirements clarifications by @Jakuje in #77
• Add support for generating CSRs via openssl req command by @simo5 in #87
• Implement callback for tls group capabilities by @simo5 in #90
• Improve signature debugging wrt paramter setting by @simo5 in #95
• Fix detection of endianness by @Jakuje in #100
• Fix openssl ca certificate releated issues by @simo5 in #98
• CID 376412: Fix lost error out by @simo5 in #102
• run tests also using SoftHSM by @Jakuje in #97
• Add support to expose digest mechanisms through the provider by @simo5 in #103
• Coverity Fixes series 9 by @simo5 in #104
• Refactor test suite by @simo5 in #106
• Debug Improvements by @holger-dengler in #107
• Rename the module binary to just pkcs11.so by @simo5 in #108
• Fix "tests" when built outside source directory by @dengert in #111
• Use OSSL_PARAM_get_utf8_string_ptr() when possible by @fabled in #115
• Add basic support to load certificates from tokens by @simo5 in #116
• Add p11prov_mech_by_mechanism() helper and use it by @fabled in #118
• Remove space padding from slot and token info by @fabled in #119
• Simplify and fix signature DER AlgorithmInfo by @fabled in #117
• Fix ECDSA signatures and improve tests by @fabled in #121
• Fix RSA signatures with pre-calculated hash by @fabled in ...