Releases: tpm2-software/tpm2-pkcs11
Releases · tpm2-software/tpm2-pkcs11
1.9.0
[1.9.0] - 2023-01-31
Fixed
- Fix autoconf invocation on a release tarball not being a git repo for VERSION. VERSION file now generated and packaged as part of the release tarball from the git version information.
- Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
- During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
- Leave the original db on upgrade failure, a bug caused the original db to be unlinked not the upgraded db.
- A bug prevented the use of CreateLoaded if the TPM supports the command.
- A bug when creating keys through the PKCS11 interface (not tpm2-ptool), the attributes for
CKA_ALLOWED_MECHANISMS
were encoded as a hex string and not a sequence of ints within the YAML. Correcting this will trigger a db upgrade to 8
Added
- Env varibale
PKCS11_SQL_LOCK
to allow setting a lock directory, eg for temprary directory so lock files do not persist across reboots.
1.9.0-rc0
[1.9.0-rc0] - 2023-01-23
Fixed
- Fix autoconf invocation on a release tarball not being a git repo for VERSION. VERSION file now generated and packaged as part of the release tarball from the git version information.
- Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
- During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
- Leave the original db on upgrade failure, a bug caused the original db to be unlinked not the upgraded db.
- A bug prevented the use of CreateLoaded if the TPM supports the command.
- A bug when creating keys through the PKCS11 interface (not tpm2-ptool), the attributes for
CKA_ALLOWED_MECHANISMS
were encoded as a hex string and not a sequence of ints within the YAML. Correcting this will trigger a db upgrade to 8
Added
- Env varibale
PKCS11_SQL_LOCK
to allow setting a lock directory, eg for temprary directory so lock files do not persist across reboots.
1.8.0
[1.8.0 ] - 2022-03-21
Fixed
- Fix GetRandom Memory Leak
- Fix some spelling mistakes
- Fix unit test test_parser
- Fix importing of RSA private key through pkcs11 interface should fail.
- Fix ECDSA signature length calculation.
- Fix memory leak of tokens.
- Fix suspicious sizeof usage in _str_padded_copy
- Fix encoding errors when importing a certificate into the pkcs11 store.
- Fix try/finally scope issues in tpm2_ptool.
- Fix, an OOB access in db upgrade path.
- Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.
Changed
- remove unused macro set_safe_rc
Added
- Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
- Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.
1.8.0-rc0
[1.8.0-rc0 ] - 2022-03-15
Fixed
- Fix GetRandom Memory Leak
- Fix some spelling mistakes
- Fix unit test test_parser
- Fix importing of RSA private key through pkcs11 interface should fail.
- Fix ECDSA signature length calculation.
- Fix memory leak of tokens.
- Fix suspicious sizeof usage in _str_padded_copy
- Fix encoding errors when importing a certificate into the pkcs11 store.
- Fix try/finally scope issues in tpm2_ptool.
- Fix, an OOB access in db upgrade path.
- Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.
Changed
- remove unused macro set_safe_rc
Added
- Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
- Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.
1.7.0
1.7.0 - 2021-09-27
- DB Schema Change from 5 to 7.
- Backup your DB before upgrading
- Fixed compilation issues with GCC11.
- Fixed errors on releases due to newer compilers from failing by only adding
-Werror
for non-release builds. - Fixed error message when the DB is too new in tpm2_ptool.
- Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
- Changed default long level from error to warning.
- Added better error message for FAPI backend errors along with docs/FAPI.md document.
- Changed
tpm2_ptool
make--algorithm
optional. - Fixed error message of wrong attribute name on expected attribute check to be false.
- Added support for ECDSA 256, 384 and 512.
- Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
CKA_ALLOWED_MECHANISMS. - Added tpm2_ptool support for ECC key size 192.
- Added support passwordless login for tokens, ie not setting CKF_LOGIN_REQUIRED.
- Fixed Running integration tests when Java version has the
-ea
, like on Debian 11 and OpenJDK 17. - Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
The following interfaces in ptool have support:- addkey: previous working versions of tpm2-tools will support this.
- link: previous working versions of tpm2-tools will support this.
- import: requires tpm2-tools 5.2+ for support.
- Fixed leaking of temp file descriptors in tpm2_ptool.
- Fixed wrong free in tpm code, should use Esys_Free.
- Fixed a space formatting issue in tpm2_ptool verify.
- Fixed leaked file descriptor in tpm2_ptool.
- Fixed a few suspicious sizeof usages in str_padded_copy
- Fixed a memory leak of the token list on a failure condition in initialization.
1.7.0-rc1
1.7.0-rc1 - 2021-09-10
- DB Schema Change from 5 to 7.
- Backup your DB before upgrading
- Fixed compilation issues with GCC11.
- Fixed errors on releases due to newer compilers from failing by only adding
-Werror
for non-release builds. - Fixed error message when the DB is too new in tpm2_ptool.
- Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
- Changed default long level from error to warning.
- Added better error message for FAPI backend errors along with docs/FAPI.md document.
- Changed
tpm2_ptool
make--algorithm
optional. - Fixed error message of wrong attribute name on expected attribute check to be false.
- Added support for ECDSA 256, 384 and 512.
- Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
CKA_ALLOWED_MECHANISMS. - Added tpm2_ptool support for ECC key size 192.
- Added support passwordless login for tokens, ie not setting CKF_LOGIN_REQUIRED.
- Fixed Running integration tests when Java version has the
-ea
, like on Debian 11 and OpenJDK 17. - Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
The following interfaces in ptool have support:- addkey: previous working versions of tpm2-tools will support this.
- link: previous working versions of tpm2-tools will support this.
- import: requires tpm2-tools 5.2+ for support.
- Fixed leaking of temp file descriptors in tpm2_ptool.
- Fixed wrong free in tpm code, should use Esys_Free.
- Fixed a space formatting issue in tpm2_ptool verify.
- Fixed leaked file descriptor in tpm2_ptool.
- Fixed a few suspicious sizeof usages in str_padded_copy
- Fixed a memory leak of the token list on a failure condition in initialization.
1.7.0-rc0
1.7.0-rc0 - 2021-09-02
- DB Schema Change from 5 to 7.
- Backup your DB before upgrading
- Fixed compilation issues with GCC11.
- Fixed erros on releases due to newer compilers from failing by only adding
-Werror
for non-release builds. - Fixed error message when the DB is too new in tpm2_ptool.
- Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
- Changed default long level from error to warning.
- Added better error message for FAPI backend errors along with docs/FAPI.md document.
- Changed
tpm2_ptool
make--algorithm
optional. - Fixed error message of wrong attribute name on expected attribute check to be false.
- Added support for ECDSA 256, 384 and 512.
- Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
CKA_ALLOWED_MECHANISMS. - Added tpm2_ptool support for ECC key size 192.
- Added support passwordless login for tokens, ie not setting CKF_LOGIN_REQUIRED.
- Fixed Running integration tests when Java version has the
-ea
, like on Debian 11 and OpenJDK 17. - Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
The following interfaces in ptool have support:- addkey: previous working versions of tpm2-tools will support this.
- link: previous working versions of tpm2-tools will support this.
- import: requires tpm2-tools 5.2+ for support.
- Fixed leaking of temp file descriptors in tpm2_ptool.
- Fixed wrong free in tpm code, should use Esys_Free.
- Fixed a space formatting issue in tpm2_ptool verify.
- Fixed leaked file descriptor in tpm2_ptool.
1.6.0
1.6.0 - 2021-05-03
- Spelling and grammar fixes throughout the project.
- tpm2_ptool: fix bug in verify commandlet where
--sopin
leads to local variable referenced before assignment. See #624. - Docs: add a document describing SSH Hostkey configuration using tpm2-pkcs11.
- Support changes in tpm2-tss-engine using TPM2_RH_OWNER instead of 0.
- Since upstream commit tpm2-software/tpm2-tss-engine@06f57a3.
- Fix endian issue in test_db.
- Fix tpm2_ptool error messages when exceptions are raised during execution of tpm2-tools commands.
- Support CKA_DERIVE=true which will support the newest pkcs11-tool EC template.
- Fix requirement of having ESYS >= 2.4, see #632 for details.
- Fix docs/INITIALIZING.md reference to
--pobj-pin
, should be--hierarchy-auth
. - Fix missing libyaml dependency in documentation.
- Fix bug in DB update logic where errors in handlers were ignored.
- Fix NPD bug when ESAPI and FAPI return 0 tokens.
- Add support for over TPM sized AES buffers.
- Add support for mechanism CKM_AES_CBC_PAD.
- Add support for mechanism CKM_AES_CTR.
- Add support for RSA 3072 (3k) keys.
- Remove usage of function Esys_TR_GetTpmHandle. FAPI Backend will no longer depend on ESAPI 2.4 or
greater. - Add Experimental RSA 4096 support. Use at your own risk.
1.6.0-rc0
1.6.0-rc0 - 2021-04-26
- Spelling and grammar fixes throughout the project.
- tpm2_ptool: fix bug in verify commandlet where
--sopin
leads to local variable referenced before assignment. See #624. - Docs: add a document describing SSH Hostkey configuration using tpm2-pkcs11.
- Support changes in tpm2-tss-engine using TPM2_RH_OWNER instead of 0.
- Since upstream commit tpm2-software/tpm2-tss-engine@06f57a3.
- Fix endian issue in test_db.
- Fix tpm2_ptool error messages when exceptions are raised during execution of tpm2-tools commands.
- Support CKA_DERIVE=true which will support the newest pkcs11-tool EC template.
- Fix requirement of having ESYS >= 2.4, see #632 for details.
- Fix docs/INITIALIZING.md reference to
--pobj-pin
, should be--hierarchy-auth
. - Fix missing libyaml dependency in documentation.
- Fix bug in DB update logic where errors in handlers were ignored.
- Fix NPD bug when ESAPI and FAPI return 0 tokens.
- Add support for over TPM sized AES buffers.
- Add support for mechanism CKM_AES_CBC_PAD.
- Add support for mechanism CKM_AES_CTR.
- Add support for RSA 3072 (3k) keys.
- Remove usage of function Esys_TR_GetTpmHandle. FAPI Backend will no longer depend on ESAPI 2.4 or
greater. - Add Experimental RSA 4096 support. Use at your own risk.
1.5.0
1.5.0 - 2020-11-16
- C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext.
- C_Digest/C_DigestFinal: Fix Section 5.2 style returns.
- C_OpenSession: fix valid session handles starting at 0, 0 is invalid per the spec.
- C_OpenSession: fix handle issuance bug where handles could be exhausted at out of bounds.
- Support swtpm in testing infrastructure.
- Fix C_Encrypt/C_Decrypt interface not setting size when output buffer in NULL.
- Fix warning ../configure: line 14383: ]: command not found
- Fix CKM_RSA_PKCS_PSS mechanism.
- C_GetMechanismList: Fix index 0 of the returned list being invalid.
- C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd.
- Docs: use full paths from project root to help fix 404 errors.
- tpm2_ptool init to attempt to persistent created primary object at 0x81000001 and fallback to
first available address on failure.