
Releases: tpm2-software/tpm2-pkcs11

1.9.0

31 Jan 15:49

[1.9.0] - 2023-01-31

Fixed

  • Fix the autoconf invocation failing to derive VERSION on a release tarball, which is not a git repo. The VERSION file is now generated from the git version information and packaged as part of the release tarball.
  • Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
  • During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
  • Leave the original db in place on upgrade failure; a bug caused the original db to be unlinked instead of the upgraded db.
  • A bug prevented the use of CreateLoaded even if the TPM supports the command.
  • When creating keys through the PKCS11 interface (not tpm2-ptool), the attributes for CKA_ALLOWED_MECHANISMS were encoded as a hex string and not a sequence of ints within the YAML. Correcting this will trigger a db upgrade to 8.

Added

  • Env variable PKCS11_SQL_LOCK to allow setting a lock directory, e.g. a temporary directory so lock files do not persist across reboots.

1.9.0-rc0

23 Jan 18:53
Pre-release

[1.9.0-rc0] - 2023-01-23

Fixed

  • Fix the autoconf invocation failing to derive VERSION on a release tarball, which is not a git repo. The VERSION file is now generated from the git version information and packaged as part of the release tarball.
  • Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
  • During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
  • Leave the original db in place on upgrade failure; a bug caused the original db to be unlinked instead of the upgraded db.
  • A bug prevented the use of CreateLoaded even if the TPM supports the command.
  • When creating keys through the PKCS11 interface (not tpm2-ptool), the attributes for CKA_ALLOWED_MECHANISMS were encoded as a hex string and not a sequence of ints within the YAML. Correcting this will trigger a db upgrade to 8.

Added

  • Env variable PKCS11_SQL_LOCK to allow setting a lock directory, e.g. a temporary directory so lock files do not persist across reboots.

1.8.0

21 Mar 15:17

[1.8.0] - 2022-03-21

Fixed

  • Fix GetRandom Memory Leak
  • Fix some spelling mistakes
  • Fix unit test test_parser
  • Fix importing of an RSA private key through the pkcs11 interface, which should fail.
  • Fix ECDSA signature length calculation.
  • Fix memory leak of tokens.
  • Fix suspicious sizeof usage in _str_padded_copy
  • Fix encoding errors when importing a certificate into the pkcs11 store.
  • Fix try/finally scope issues in tpm2_ptool.
  • Fix an OOB access in the db upgrade path.
  • Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.

Changed

  • remove unused macro set_safe_rc

Added

  • Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
  • Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.

1.8.0-rc0

15 Mar 14:37
Pre-release

[1.8.0-rc0] - 2022-03-15

Fixed

  • Fix GetRandom Memory Leak
  • Fix some spelling mistakes
  • Fix unit test test_parser
  • Fix importing of an RSA private key through the pkcs11 interface, which should fail.
  • Fix ECDSA signature length calculation.
  • Fix memory leak of tokens.
  • Fix suspicious sizeof usage in _str_padded_copy
  • Fix encoding errors when importing a certificate into the pkcs11 store.
  • Fix try/finally scope issues in tpm2_ptool.
  • Fix an OOB access in the db upgrade path.
  • Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.

Changed

  • remove unused macro set_safe_rc

Added

  • Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
  • Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.

1.7.0

27 Sep 19:43

1.7.0 - 2021-09-27

  • DB Schema Change from 5 to 7.
    • Back up your DB before upgrading.
  • Fixed compilation issues with GCC11.
  • Fixed release builds failing with newer compilers by only adding -Werror for non-release builds.
  • Fixed error message when the DB is too new in tpm2_ptool.
  • Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
  • Changed default log level from error to warning.
  • Added better error message for FAPI backend errors along with docs/FAPI.md document.
  • Changed tpm2_ptool make --algorithm optional.
  • Fixed the error message printing the wrong attribute name when an expected attribute check is false.
  • Added support for ECDSA 256, 384 and 512.
  • Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
    CKA_ALLOWED_MECHANISMS.
  • Added tpm2_ptool support for ECC key size 192.
  • Added support for passwordless login for tokens, i.e. not setting CKF_LOGIN_REQUIRED.
  • Fixed running integration tests when the Java version carries the -ea suffix, as on Debian 11 and OpenJDK 17.
  • Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
    The following interfaces in ptool have support:
    • addkey: previous working versions of tpm2-tools will support this.
    • link: previous working versions of tpm2-tools will support this.
    • import: requires tpm2-tools 5.2+ for support.
  • Fixed leaking of temp file descriptors in tpm2_ptool.
  • Fixed a wrong free in TPM code; Esys_Free should be used.
  • Fixed a space formatting issue in tpm2_ptool verify.
  • Fixed leaked file descriptor in tpm2_ptool.
  • Fixed a few suspicious sizeof usages in str_padded_copy
  • Fixed a memory leak of the token list on a failure condition in initialization.

1.7.0-rc1

10 Sep 19:40
Pre-release

1.7.0-rc1 - 2021-09-10

  • DB Schema Change from 5 to 7.
    • Back up your DB before upgrading.
  • Fixed compilation issues with GCC11.
  • Fixed release builds failing with newer compilers by only adding -Werror for non-release builds.
  • Fixed error message when the DB is too new in tpm2_ptool.
  • Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
  • Changed default log level from error to warning.
  • Added better error message for FAPI backend errors along with docs/FAPI.md document.
  • Changed tpm2_ptool make --algorithm optional.
  • Fixed the error message printing the wrong attribute name when an expected attribute check is false.
  • Added support for ECDSA 256, 384 and 512.
  • Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
    CKA_ALLOWED_MECHANISMS.
  • Added tpm2_ptool support for ECC key size 192.
  • Added support for passwordless login for tokens, i.e. not setting CKF_LOGIN_REQUIRED.
  • Fixed running integration tests when the Java version carries the -ea suffix, as on Debian 11 and OpenJDK 17.
  • Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
    The following interfaces in ptool have support:
    • addkey: previous working versions of tpm2-tools will support this.
    • link: previous working versions of tpm2-tools will support this.
    • import: requires tpm2-tools 5.2+ for support.
  • Fixed leaking of temp file descriptors in tpm2_ptool.
  • Fixed a wrong free in TPM code; Esys_Free should be used.
  • Fixed a space formatting issue in tpm2_ptool verify.
  • Fixed leaked file descriptor in tpm2_ptool.
  • Fixed a few suspicious sizeof usages in str_padded_copy
  • Fixed a memory leak of the token list on a failure condition in initialization.

1.7.0-rc0

03 Sep 14:56
Pre-release

1.7.0-rc0 - 2021-09-02

  • DB Schema Change from 5 to 7.
    • Back up your DB before upgrading.
  • Fixed compilation issues with GCC11.
  • Fixed release builds failing with newer compilers by only adding -Werror for non-release builds.
  • Fixed error message when the DB is too new in tpm2_ptool.
  • Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
  • Changed default log level from error to warning.
  • Added better error message for FAPI backend errors along with docs/FAPI.md document.
  • Changed tpm2_ptool make --algorithm optional.
  • Fixed the error message printing the wrong attribute name when an expected attribute check is false.
  • Added support for ECDSA 256, 384 and 512.
  • Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
    CKA_ALLOWED_MECHANISMS.
  • Added tpm2_ptool support for ECC key size 192.
  • Added support for passwordless login for tokens, i.e. not setting CKF_LOGIN_REQUIRED.
  • Fixed running integration tests when the Java version carries the -ea suffix, as on Debian 11 and OpenJDK 17.
  • Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
    The following interfaces in ptool have support:
    • addkey: previous working versions of tpm2-tools will support this.
    • link: previous working versions of tpm2-tools will support this.
    • import: requires tpm2-tools 5.2+ for support.
  • Fixed leaking of temp file descriptors in tpm2_ptool.
  • Fixed a wrong free in TPM code; Esys_Free should be used.
  • Fixed a space formatting issue in tpm2_ptool verify.
  • Fixed leaked file descriptor in tpm2_ptool.

1.6.0

03 May 18:56

1.6.0 - 2021-05-03

  • Spelling and grammar fixes throughout the project.
  • tpm2_ptool: fix bug in verify commandlet where --sopin leads to local variable referenced before assignment. See #624.
  • Docs: add a document describing SSH Hostkey configuration using tpm2-pkcs11.
  • Support changes in tpm2-tss-engine using TPM2_RH_OWNER instead of 0.
  • Fix endian issue in test_db.
  • Fix tpm2_ptool error messages when exceptions are raised during execution of tpm2-tools commands.
  • Support CKA_DERIVE=true which will support the newest pkcs11-tool EC template.
  • Fix requirement of having ESYS >= 2.4, see #632 for details.
  • Fix docs/INITIALIZING.md reference to --pobj-pin, should be --hierarchy-auth.
  • Fix missing libyaml dependency in documentation.
  • Fix bug in DB update logic where errors in handlers were ignored.
  • Fix NPD bug when ESAPI and FAPI return 0 tokens.
  • Add support for AES buffers larger than the TPM's maximum buffer size.
  • Add support for mechanism CKM_AES_CBC_PAD.
  • Add support for mechanism CKM_AES_CTR.
  • Add support for RSA 3072 (3k) keys.
  • Remove usage of function Esys_TR_GetTpmHandle. FAPI Backend will no longer depend on ESAPI 2.4 or
    greater.
  • Add Experimental RSA 4096 support. Use at your own risk.

1.6.0-rc0

26 Apr 19:20
Pre-release

1.6.0-rc0 - 2021-04-26

  • Spelling and grammar fixes throughout the project.
  • tpm2_ptool: fix bug in verify commandlet where --sopin leads to local variable referenced before assignment. See #624.
  • Docs: add a document describing SSH Hostkey configuration using tpm2-pkcs11.
  • Support changes in tpm2-tss-engine using TPM2_RH_OWNER instead of 0.
  • Fix endian issue in test_db.
  • Fix tpm2_ptool error messages when exceptions are raised during execution of tpm2-tools commands.
  • Support CKA_DERIVE=true which will support the newest pkcs11-tool EC template.
  • Fix requirement of having ESYS >= 2.4, see #632 for details.
  • Fix docs/INITIALIZING.md reference to --pobj-pin, should be --hierarchy-auth.
  • Fix missing libyaml dependency in documentation.
  • Fix bug in DB update logic where errors in handlers were ignored.
  • Fix NPD bug when ESAPI and FAPI return 0 tokens.
  • Add support for AES buffers larger than the TPM's maximum buffer size.
  • Add support for mechanism CKM_AES_CBC_PAD.
  • Add support for mechanism CKM_AES_CTR.
  • Add support for RSA 3072 (3k) keys.
  • Remove usage of function Esys_TR_GetTpmHandle. FAPI Backend will no longer depend on ESAPI 2.4 or
    greater.
  • Add Experimental RSA 4096 support. Use at your own risk.

1.5.0

16 Nov 18:16

1.5.0 - 2020-11-16

  • C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext.
  • C_Digest/C_DigestFinal: Fix Section 5.2 style returns.
  • C_OpenSession: fix valid session handles starting at 0; 0 is invalid per the spec.
  • C_OpenSession: fix a handle issuance bug where exhausting the handles could go out of bounds.
  • Support swtpm in testing infrastructure.
  • Fix C_Encrypt/C_Decrypt interface not setting the size when the output buffer is NULL.
  • Fix warning ../configure: line 14383: ]: command not found
  • Fix CKM_RSA_PKCS_PSS mechanism.
  • C_GetMechanismList: Fix index 0 of the returned list being invalid.
  • C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd.
  • Docs: use full paths from project root to help fix 404 errors.
  • tpm2_ptool init now attempts to persist the created primary object at 0x81000001 and falls back to
    the first available address on failure.
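The C_Decrypt fix in the 1.5.0 entries above concerns stripping PKCS #1 v1.5 block padding from the raw RSA result before plaintext is returned. As an added example that is not tpm2-pkcs11 code, the routine below strips that padding and rejects malformed blocks without data-dependent early exits, so that a caller cannot time good padding against bad; the function names and sample blocks are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Strip PKCS #1 v1.5 type-2 padding: em = 00 || 02 || PS || 00 || M, where PS
 * holds at least 8 nonzero bytes.  Returns 0 and writes M to out/out_len (out
 * needs room for em_len bytes), or -1 if the padding is malformed.  The
 * separator search and all checks run over the whole block without early
 * exits, so good and bad padding take the same time; a full mitigation would
 * also make the final copy unconditional instead of branching on `bad`. */
int rsa_pkcs1_v15_unpad(const uint8_t *em, size_t em_len,
                        uint8_t *out, size_t *out_len)
{
    if (em_len < 11)               /* length is public: 2 header + 8 PS + 1 */
        return -1;
    uint8_t bad = em[0] | (uint8_t)(em[1] ^ 0x02);
    uint8_t found = 0;             /* becomes 1 at the first 0x00 after byte 1 */
    size_t sep = 0;                /* index of that first 0x00 */
    for (size_t i = 2; i < em_len; i++) {
        /* is_zero == 1 exactly when em[i] == 0, computed without a branch */
        uint8_t is_zero = (uint8_t)((((uint16_t)(em[i] - 1)) >> 8) & 1);
        uint8_t take = is_zero & (uint8_t)(found ^ 1);
        size_t m = (size_t)0 - take;       /* all ones if take, else zero */
        sep = (sep & ~m) | (i & m);
        found |= take;
    }
    bad |= (uint8_t)(found ^ 1);                                /* no separator */
    bad |= (uint8_t)((sep - 10) >> (sizeof(size_t) * 8 - 1));  /* PS < 8 bytes */
    if (bad)
        return -1;
    *out_len = em_len - sep - 1;
    memcpy(out, em + sep + 1, *out_len);
    return 0;
}

/* Constructed sample blocks (not real RSA output) exercising each check. */
static const uint8_t em_ok[]      = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t em_badhdr[]  = {0x00,0x01,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t em_shortps[] = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,'h','i','!'};
static const uint8_t em_nosep[]   = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,'h','i'};

/* Returns the recovered plaintext length, or -1 when the padding is rejected. */
int unpad_len(const uint8_t *em, size_t em_len)
{
    uint8_t out[64];
    size_t n = 0;
    return rsa_pkcs1_v15_unpad(em, em_len, out, &n) == 0 ? (int)n : -1;
}
```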