| AArch64 | |
| ppc64le | |
| s390x | |
| x86-64 |
- Update to 0.25.5: * iter: fix recursive attribute loading * fix building on FreeBSD 14.0 (amd64) * Remove p11-kit-d938f4a8a3a2.patch upstream
- Update to 0.25.4:
* rpc: add support for recursive attributes
* p11-kit: add function to check run-time version of the library
* p11-kit: expose version information through macros
* p11-kit: add option to specify CKA_ID in generate-keypair and
import-object commands
* p11-kit: add --provider option to specify PKCS#11 module when
using p11-kit commands
* p11-kit: fix a bug where eddsa mechanism isn't recognized in
generate-keypair
* p11-kit: fallback to C_GetFunctionList when C_GetInterface
returns CKR_FUNCTION_NOT_SUPPORTED
* bug and build fixes
- Added a backport of an upstream commit in p11-kit-d938f4a8a3a2.patch to avoid passing an incompatible pointer type to a function which is an error by default in GCC 14.
- Update to 0.25.3: * rpc: fix serialization of NULL mechanism pointer [#601] * fix meson build failure in macOS (appleframeworks not found) [#603]
- Update to 0.25.2: * fix error code checking of readpassphrase for --login option [#595] * build fixes [#594] * test fixes [#596]
- Update to 0.25.1:
* fix probing of C_GetInterface [#535]
* p11-kit: add command to list tokens [#581]
* p11-kit: add command to list mechanisms supported by a token [#576]
* p11-kit: add command to generate private-public keypair on a token
[#551, #582]
* p11-kit: add commands to import/export certificates and public
keys into/from a token [#543, #549, #568, #588]
* p11-kit: add commands to list and delete objects of a token
[#533, #544, #571]
* p11-kit: add --login option to login into a token with object
and profile management commands [#587]
* p11-kit: adjust behavior of PKCS#11 profile management commands
[#558, #560, #583, #591]
* p11-kit: print PKCS#11 URIs in list-modules [#532]
* bug and build fixes [#528 #529, #534, #537, #540, #541, #545,
[#547], #550, #557, #572, #575, #579, #585, #586, #590]
* test fixes [#553, #580]
* Remove patch fixed upstream:
- d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch
- Add d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch: Fix probing of C_GetInterface.
- Update to 0.25.0:
* add PKCS#11 3.0 support
* add support for profile objects
* add ability to adjust module and config paths at run-time via
system environmental exports
* make terminal output nicer
* p11-kit: add command to print merged configuration
* p11-kit: add commands to list, add and delete profiles of a token
* trust: add command to check format of .p11-kit files
* virtual: fix libffi type signatures for PKCS#11 3.0 functions
* server: fix umask setting when --group is specified
* server: check SHELL only when neither --sh nor --csh is specified
* rpc: use space string in C_InitToken
* rpc: fix two off-by-one errors identified by asan
* modules: make logging message more translatable
* pkcs11.h: support CRYPTOKI_GNU for IBM vendor mechanisms
* pkcs11.h: add IBM specific mechanism and attributes
* pkcs11.h: add ChaCha20/Salsa20 and Poly1305 mechanisms
* pkcs11.h: add AES-GCM mechanism parameters for message-based encryption
* po: update translations from Transifex
- Update upstream p11-kit.keyring file
- Add missing lang files
- Switch to using Meson as the build system
- skip testsuite on qemu arches, it fails
- make sure p11-kit components have matching versions (boo#1196812)
- Ensure that programs using <p11-kit/pkcs11x.h> can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705] * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch
- Backport IBM specific mechanism and attributes (Jira#PED-584) 0001-Add-IBM-specific-mechanism-and-attributes.patch 0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch 0003-client-Allow-zero-part-length-at-C_SignUpdate.patch 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch 0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch 0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch 0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch 0009-rpc-Handle-special-cases-for-buffer-and-length.patch 0010-Add-support-for-CKM_AES_CTR.patch 0011-Add-support-for-CKM_AES_GCM.patch 0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch
- Update to version 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066):
* Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* Build and test fixes [PR#313, PR#315, PR#317, PR#318, PR#319, PR#323,
PR#330, PR#333, PR#334, PR#335, PR#338, PR#339]
- Changes for version 0.23.21
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes [PR#283, PR#290, PR#291, PR#292, PR#296, PR#299,
PR#305, PR#306, PR#309, PR#311]
- Changes for version 0.23.20:
* Revert "Fix RPC when length-s are 0" changes [PR#276]
- Changes for version 0.23.19:
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
- Changes for version 0.23.18:
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
- Changes for version 0.23.17:
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
- Changes for version 0.23.16:
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
- Changes for version 0.23.15:
* trust: Improve error handling if backed trust file is corrupted [PR#206]
* url: Prefer upper-case letters in hex characters when encoding [PR#193]
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202]
* virtual: Prefer fixed closures to libffi closures [PR#196]
* Fix issues spotted by coverity and cppcheck [PR#194, PR#204]
* Build and test fixes [PR#164, PR#191, PR#199, PR#201]
- Changes for version 0.23.14:
* proxy: Avoid invalid memory access when unloading proxy module [PR#180]
* Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
* build: Restore libpthread dependency [PR#183]
* Build fixes [PR#188]
- Changes for version 0.23.13:
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules
[PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread [PR#177]
* Build fixes [PR#170, PR#176]
- Changes for version 0.23.12
* Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]
* Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]
* Build and test fixes on macOS [PR#162, PR#168]
- Changes for version 0.23.11
* trust: Add extractor for edk2/cacerts.bin [PR#139]
* modules: Add option to control module visibility from proxy [PR#140]
* trust: Prevent trust module being loaded by proxy module [PR#142]
* library: Use dedicated locale object for printing error [PR#148]
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]
* Improve const correctness for P11KitUri [PR#152]
* PKCS#11 URI scheme comparison is now case insensitive [PR#156]
* Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]
- Changes for version 0.23.10
* filter: Respect "write-protected" vendor-specific attribute in
PKCS#11 URI [PR#129]
* server: Improve shell integration and documentation [PR#107, PR#108]
* proxy: Reuse existing slot ID mapping in after fork() [PR#120]
* trust: Forcibly mark "Default Trust" read-only [PR#123]
* New function p11_kit_override_system_files() which can be used for
testing [PR#110]
* trust: Filter out duplicate extensions [PR#69]
* Update translations [PR#128]
* Bug fixes [PR#125, PR#126]
- Changes for version 0.23.9
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
- Changes for version 0.23.8
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
- Changes for version 0.23.7
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
- Changes for version 0.23.6
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
- Changes for version 0.23.5
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
- Changes for version 0.23.4
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
- Changes for version 0.23.3
* Install private executables in libexecdir [fdo#98817]
* Fix link error of proxy module on macOS [fdo#98022]
* Use new PKCS#11 URI specification for URIs [fdo#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules
[fdo#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [fdo#87192 ...]
- Move RPM macros to %_rpmmacrodir.
- New server subpackage
- Change keyring to new maintainer Daiki Ueno
- Avoid bareword to fix build failure
- Remove obsolete patches:
* p11-kit-biarch.patch
* 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
* 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
- Also build documentation (boo#1013125)
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (boo#1154871, 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch, 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)
- Use %license instead of %doc [bsc#1082318]
- 32-bit compatibility fixes:
* Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
* Add p11-kit-nss-trust-32bit NSS module
* Fix potential bi-arch issue with private binaries
(fdo#98817, p11-kit-biarch.patch)
- Update to 0.23.2 * Fix forking issues with libffi * Fix various crashes in corner cases * Updated translations * Build fixes - Make building more verbose - Enable tests - Small spec file cleanup with spec-cleaner
- Update to version 0.23.1 (stable) * Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582] * Add pem-directory-hash extract format * Build fixes - Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff; fixed on upstream release - Remove autoconf, automake and libtool require; unneeded dependencies - Add gtk-doc require; needed to build html documentation - Remove redundant %clean section
- remove patches: * trust-Print-label-of-certificate-when-complaining-.patch * trust-Dont-use-invalid-public-keys-for-looking-up-.patch - new version 0.20.7 (stable) * New public pkcs11x.h header containing extensions [fdo#83495] * Export necessary defines to lookup attached extensions [fdo#83495] * Build fixes - new version 0.20.6 (stable) * Make the p11-kit-proxy.so module respect critical = no [fdo#83651] * Build fix for FreeBSD [fdo#75674] - new version 0.20.5 (stable) * Don't use invalid keys for looking up stapled extensions [fdo#82328] * Better error messages when invalid certificate extensions * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files * Fix some leaks, and memory issues * Silence some clang scanner warnings - new version 0.20.4 (stable) * Don't complain about C_Finalize after a fork * Fix typo
- new version 0.20.3 * Fix problems reinitializing managed modules after fork * Fix bad bookeeping when fail initializing one of the modules * Fix case where module would be unloaded while in use [#74919] * Remove assertions when module used before initialized [#74919] * Fix handling of mmap failure and mapping empty files [#74773] * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions * Require automake 1.12 or later * Build fixes for Windows [#76594 #74149] - apply patches to avoid errors from certificates with invalid public key (fdo#82328, bnc#890908, trust-Dont-use-invalid-public-keys-for-looking-up-.patch, trust-Print-label-of-certificate-when-complaining-.patch)
- New version 0.20.2
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [fdo#73558]
* Check for race in BasicConstraints stapled extension [fdo#69314]
* Build fixes and cleanup
- added .sig file. trying to locate source of the keyring.
- trust: allow to also add openssl style hashes to pem-directory 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
- upgrade to 0.20.1 which is 0.19 declared stable * Extract compat trust data after we've changes * Skip compat extraction if running as non-root * Better failure messages when removing anchors
- new version 0.19.4 * 'trust anchor' now adds/removes certificate anchors * 'trust list' lists trust policy stuff * 'p11-kit extract' is now 'trust extract' * 'p11-kit extract-trust' is now 'trust extract-compat' * Workarounds for working on broken zfsonlinux.org [#68525] * Add --with-module-config parameter to the configure script [#68122] * Add support for removing stored PKCS#11 objects in trust module
- new version 0.19.3 * Fix up problems with automake testing * Fix a bunch of memory leaks in newly refactored code * Don't use _GNU_SOURCE and the unportability it brings * Add basic 'trust anchor' command to store a new anchor * Support for writing out trust token objects * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec * Add option to use freebl for hashing * Implement reloading of token data * Fix warnings and possible minor bugs higlighted by code scanners * Don't load configs in home directories when running setuid or setgid * Support treating ~/.config as $XDG_CONFIG_HOME * Use $XDG_DATA_HOME/pkcs11 as default user config directory * Use $TMPDIR instead of $TEMP while testing * Open files and fds with O_CLOEXEC * Abort initialization if a critical module fails to load * Don't use thread-unsafe functions: strerror, getpwuid * Fix p11_kit_space_strlen() result when empty string * Refactoring of where various components live
- fix 32bit provides of libnssckbi.so - repace p11-kit-extract-trust with update-ca-certificates
- provide libnssckbi.so to replace mozilla-nss-certs
- add p11-kit-nss-trust subpackage that serves as drop-in replacement for mozilla-nss-certs
- use /etc/pki/trust and /usr/share/pki/trust as system CA certificate store
- Update to version 0.19.1: + Refactor API to be able to handle managed modules. + Deprecate much of old p11-kit API. + Implement concept of managed modules. + Make C_CloseAllSessions function work for multiple callers. + New dependency on libffi. + Fix possible threading problems reported by hellgrind. + Add log-calls option. + Mark p11_kit_message() as a stable function. + Use our own unit testing framework. - Add pkgconfig(libffi) BuildRequires: new dependency.
- Update to version 0.18.2: + Build fixes (fdo#64378)
- 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch 0001-Check-for-arithmetic-overflows-before-allocating.patch 0001-Follow-up-to-arithmetic-overflow-fix.patch: Fixed multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993,
0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch)
- add bcond to spec file to enable debug easily
- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065) Added p11-kit-CVE-2020-29362.patch: