Name:			opencryptoki
Summary:		Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version:		3.19.0
Release:		2%{?dist}
License:		CPL
URL:			https://github.com/opencryptoki/opencryptoki
Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
Patch0:			opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1:			opencryptoki-3.11.0-lockdir.patch
# add missing p11sak_defined_attrs.conf, strength.conf
Patch2:			opencryptoki-3.18.0-p11sak.patch
# upstream patches
Patch100:		opencryptoki-3.19.0-fix-memory-leak.patch
Patch101:		0001-EP11-Unify-key-pair-generation-functions.patch
Patch102:		0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
Patch103:		0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
Patch104:		0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
Patch105:		0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
Patch106:		0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
Patch107:		0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
Patch108:		0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
Patch109:		0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
Patch110:		0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
Patch111:		0011-EP11-remove-dead-code-and-unused-variables.patch
Patch112:		0012-EP11-Update-EP11-host-library-header-files.patch
Patch113:		0013-EP11-Support-EP11-host-library-version-4.patch
Patch114:		0014-EP11-Add-new-control-points.patch
Patch115:		0015-EP11-Default-unknown-CPs-to-ON.patch
Patch116:		0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
Patch117:		0017-COMMON-Add-defines-for-Kyber.patch
Patch118:		0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
Patch119:		0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
Patch120:		0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
Patch121:		0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
Patch122:		0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
Patch123:		0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
Patch124:		0024-TESTCASES-Test-Dilithium-variants.patch
Patch125:		0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
Patch126:		0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
Patch127:		0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
Patch128:		0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
Patch129:		0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
Patch130:		0030-p11sak-Support-additional-Dilithium-variants.patch
Patch131:		0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
Patch132:		0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
Patch133:		0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
Patch134:		0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

Requires(pre):		coreutils diffutils
Requires:		(selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
BuildRequires:		gcc
BuildRequires:		gcc-c++
BuildRequires:		openssl-devel >= 1.1.1
%if 0%{?tpmtok}
BuildRequires:		trousers-devel
%endif
BuildRequires:		openldap-devel
BuildRequires:		autoconf automake libtool
BuildRequires:		bison flex
BuildRequires:		systemd-devel
BuildRequires:		libitm-devel
BuildRequires:		expect
BuildRequires:		make
%ifarch s390 s390x
BuildRequires:		libica-devel >= 3.3
%endif
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}(token)
Requires(post):		systemd
Requires(preun):	systemd
Requires(postun):	systemd


%description
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.


%package libs
Summary:		The run-time libraries for opencryptoki package
Requires(pre):	shadow-utils

%description libs
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully
functional.


%package devel
Summary:		Development files for openCryptoki
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}

%description devel
This package contains the development header files for building
opencryptoki and PKCS#11 based applications.


%package swtok
Summary:		The software token implementation for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description swtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware.


%package tpmtok
Summary:		Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description tpmtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack.


%package icsftok
Summary:		ICSF token support for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description icsftok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack.


%ifarch s390 s390x
%package icatok
Summary:		ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description icatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path.

%package ccatok
Summary:		CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description ccatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path.

%package ep11tok
Summary:		EP11 cryptographic devices (secure-key) support for opencryptoki
Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
Provides:		%{name}(token)

%description ep11tok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
configured with Enterprise PKCS#11 (EP11) firmware.
%endif


%prep
%autosetup -p1


%build
./bootstrap.sh

%configure --with-systemd=%{_unitdir} --enable-testcases	\
%if 0%{?tpmtok}
    --enable-tpmtok \
%else
    --disable-tpmtok \
%endif
%ifarch s390 s390x
    --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else
    --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
%endif

%make_build CHGRP=/bin/true


%install
%make_install CHGRP=/bin/true

%pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
# backup config file
%global cfile /etc/opencryptoki/opencryptoki.conf
%global csuffix .rpmsave.XyoP
if test $1 -gt 1 && test -f %{cfile} ; then
    cp -p %{cfile} %{cfile}%{csuffix}
fi

%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
exit 0

%post
# restore the config file from %pre
if test $1 -gt 1 && test -f %{cfile} ; then
    if ( ! cmp -s %{cfile} %{cfile}%{csuffix} ) ; then
        cp -p %{cfile} %{cfile}.rpmnew
    fi
    cp -p %{cfile}%{csuffix} %{cfile} && rm -f %{cfile}%{csuffix}
fi

%systemd_post pkcsslotd.service
if test $1 -eq 1; then
	%tmpfiles_create %{name}.conf
fi

%preun
%systemd_preun pkcsslotd.service

%postun
%systemd_postun_with_restart pkcsslotd.service


%files
%doc ChangeLog FAQ README.md
%doc doc/opencryptoki-howto.md
%doc doc/README.token_data
%doc %{_docdir}/%{name}/*.conf
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsstats
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man1/pkcsstats.1*
%{_mandir}/man5/policy.conf.5*
%{_mandir}/man5/strength.conf.5*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki

%files libs
%license LICENSE
%{_sysconfdir}/ld.so.conf.d/*
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
# needs them in the main package, because:
#   documentation suggests that programs should dlopen "PKCS11_API.so".
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/libopencryptoki.*
%{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll

%files devel
%{_includedir}/%{name}/
%{_libdir}/pkgconfig/%{name}.pc

%files swtok
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/

%if 0%{?tpmtok}
%files tpmtok
%doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%endif

%files icsftok
%doc doc/README.icsf_stdll
%{_sbindir}/pkcsicsf
%{_mandir}/man1/pkcsicsf.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/

%ifarch s390 s390x
%files icatok
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/

%files ccatok
%doc doc/README.cca_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf
%{_sbindir}/pkcscca
%{_mandir}/man1/pkcscca.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/

%files ep11tok
%doc doc/README.ep11_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
%{_sbindir}/pkcsep11_migrate
%{_sbindir}/pkcsep11_session
%{_mandir}/man1/pkcsep11_migrate.1*
%{_mandir}/man1/pkcsep11_session.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%endif


%changelog
* Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2
- Resolves: #2044182, Support of ep11 token for new IBM Z Hardware (IBM z16)

* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
- Resolves: #2126294, opencryptoki fails after generating > 500 RSA keys
- Resolves: #2110314, rebase to 3.19.0
- Resolves: #2110989, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
- Resolves: #2110476, openCryptoki ep11 token: master key consistency
- Resolves: #2018458, openCryptoki ep11 token: vendor specific key derivation

* Fri Jul 29 2022 Than Ngo <than@redhat.com> - 3.18.0-4
- Related: #2044179, do not touch opencryptoki.conf if it is in place already and even if it is unchanged

* Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-3
- Related: #2044179, fix json output

* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
- Related: #2044179, add missing strength.conf

* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-1
- Resolves: #2044179, rebase to 3.18.0
- Resolves: #2068091, pkcsconf -t failed with Segmentation fault in FIPS mode
- Resolves: #2066763, Dilithium support not available
- Resolves: #2064697, OpenSSL 3.0 Compatibility for IBM Security Libraries and Tools
- Resolves: #2044181, support crypto profiles
- Resolves: #2044180, add crypto counters

* Tue May 03 2022 Than Ngo <than@redhat.com> - 3.17.0-6
- Resolves: #2066763, Dilithium support not available

* Mon Mar 14 2022 Than Ngo <than@redhat.com> - 3.17.0-5
- Resolves: #2064697, ICA/EP11: Support libica version 4

* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-4
- Resolves: #2040678, API: Unlock GlobMutex if user and group check fails

* Sat Dec 04 2021 Than Ngo <than@redhat.com> - 3.17.0-3
- Related: #2015888, added missing patch pkcsslotd-pidfile

* Wed Nov 24 2021 Than Ngo <than@redhat.com> - 3.17.0-2
- Related: #2015888, add missing p11sak_defined_attrs.conf

* Wed Nov 03 2021 Than Ngo <than@redhat.com> - 3.17.0-1
- Resolves: #2015888, rebase to 3.17.0
- Resolves: #2017720, openCryptoki key management tool

* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
- Related: #1989138, Support for OpenSSL 3.0

* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
- Resolves: #1989138, Support for OpenSSL 3.0

* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688

* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)

* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7
- Resolves: #1974365, Fix detection if pkcsslotd is still running

* Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6
- Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065

* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Related: #1924120, add conditional requirement on new selinux-policy

* Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3
- Resolves: #1959894, Soft token does not check if an EC key is valid
- Resolves: #1924120, Event Notification Support

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
- Rebase to 3.16.0

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.

* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Added upstream patch, a slot ID has nothing to do with the number of slots

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Drop tpm1.2 support by default

* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Fix compiling with c++
- Added error message handling for p11sak remove-key command
- Add BR on make

* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Rebase to 3.15.1

* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
- Rebase to 3.15.0

* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro

* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- added PIN conversion tool

* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize

* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- fix regression, segfault in C_SetPin

* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
- Rebase to 3.14.0

* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
- Rebase to 3.13.0

* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
- fix build with gcc 10

* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
- Rebase to 3.12.1

* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
- Rebase to 3.12.0

* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
- Rebase to 3.11.1

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
- enable testcase by default
- fix URL

* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
- Updated to 3.11.0
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
- Ported root's group membership's patch for 3.11.0

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0

* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
- Rebase to 3.9.0

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
- use upstream tmpfiles config

* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
- Rebase to 3.8.2 (#1512678)

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
- Rebase to 3.7.0
- Added libitm-devel as BuildRequires

* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
- Rebase to 3.6.2
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
- New upstream release

* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
- New upstream release

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
- New bugfix upstream release

* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
- New upstream release
- Adding post-release patch fixing compile warnings

* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
- New upstream release
- Correct dependencies for group creation

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
- Few more undefined symbols fixed for s390(x) specific targets
- Do not require --no-undefined, because s390(x) requires some

* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
- Make inline function compatible for GCC5

* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
- new upstream release 3.2
- add new sub-package opencryptoki-ep11tok on s390x

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
- new upstream release 3.1

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
- create the right lock directory for cca tokens (#1054442)

* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
- use Requires(pre): opencryptoki-libs for subpackages

* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
- include token specific directories (#1013017, #1045775, #1054442)
- fix pkcsconf crash for non-root users (#10054661)
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed

* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
- fix build with -Werror=format-security (#1037228)

* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
- apply post-3.0 fixes (#1033284)

* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
- update opencryptoki man page (#1001729)

* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
- update unit file (#995002)

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
- update pkcsconf man page (#948460)

* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
- new upstream release 3.0

* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
- new upstream release 2.4.3.1

* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
- new upstream release 2.4.3

* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
- enable hardened build
- switch to systemd macros in scriptlets (#850240)

* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
- add virtual opencryptoki(token) Provides to token modules and as Requires
  to main package (#904986)

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
- new upstream release 2.4.2
- add pkcs_slot man page
- don't add root to the pkcs11 group

* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
- fix unresolved symbols in TPM module (#830129)

* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
- new upstream release 2.4.1
- convert from initscript to systemd unit
- import fixes from RHEL-6 about root's group membership (#732756, #730903)

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
- new upstream release 2.4

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
- new upstream release 2.3.3

* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
- Apply Obsoletes to package names, not provides.

* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
- new upstream release 2.3.2
- put STDLLs in separate packages to match upstream package design

* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
- Move the LICENSE file to the -libs subpackage.

* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
- rebuilt with CCA enabled (#604287)
- fixed issues from #546274

* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
- fixed one more issue in the initscript (#547324)

* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
- fixed pidfile creating and usage (#547324)

* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
- Also list 'reload' and 'force-reload' in "Usage: ...".

* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
- Support 'force-reload' in the initscript.

* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
- New upstream release 2.3.1.
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.

* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
- made pkcsslotd initscript LSB compliant (#522149)

* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
- rebuilt with new openssl

* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
- Require libica-2.0.

* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
- New upstream release 2.3.0:
  - adds support for RSA 4096 bit keys in the ICA token.

* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
- Require arch-specific dependency on -libs.

* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
- Return support for crypto hw on s390.
- Renamed to opencryptoki.
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.

* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
- Fedora package based on RHEL-5 package.