File: NEWS

opencryptoki 3.6.1+dfsg-1
VERSION 3.2 ADDITIONS:
 - A new tool to assist in administering the CCA token in opencryptoki.
   Currently it only assists in migrating the CCA token's private token
   objects from version 2 to version 3.
   Prior to opencryptoki version 3, the CCA token encrypted its private token
   objects with a secure key in hardware. In version 3, it encrypts its
   private token objects with a clear key in software. Version 2 private
   token objects must be migrated to version 3 before they can be used in
   version 3.

VERSION 3.1 ADDITIONS:
 - New ep11 token. Please see doc/README.ep11_stdll for additional
   information about the ep11 token.

 - New pkcsep11_migrate utility to assist in migrating token objects
   stored on disk, when the hardware's masterkey changes.

VERSION 3 CHANGES:
 - New ICSF token. Please see doc/README.icsf_stdll for additional
   information and how to set up the ICSF token.

 - New pkcsicsf utility that is used to set up the ICSF token.
   See its man page and doc/README.icsf_stdll for additional info.

 - No longer required to run pkcs11_startup.

   pkcs11_startup and pkcs_slotd were shell scripts that created the
   config file, pk_config_data, which was read by pkcsslotd to get
   available slot information.

   The pk_config_data configuration file has been replaced with
   /etc/opencryptoki/opencryptoki.conf.

   In version 3, the pkcsslotd daemon reads opencryptoki.conf to get slot
   information. The opencryptoki.conf by default contains slot information
   for each token currently supported by opencryptoki with the exception of
   the ICSF token, which requires some initial setup.
   Please see man page for opencryptoki.conf for further information.

   Since pk_config_data is no longer required, pkcs11_startup and
   pkcs_slotd have been removed.

 - The pkcsslotd daemon uses a socket rather than shared memory to
   transfer slot information to the opencryptoki library.

   Some shared memory usage still exists in pkcsslotd.
   Perhaps in time, the remaining need for shared memory in
   pkcsslotd can also be removed.

 - Ensure that the pkcs11 group has been created and that root
   has been added to the group. The pkcs11_startup script used to 
   check and do this, but is now obsolete. 


NOTICEABLE CHANGES MADE PRIOR to VERSION 3:

 - Opencryptoki creates several new directories and lock files in
   /var/lock/opencryptoki directory. Each token creates and uses a 
   lockfile to protect data in shared memory.

 - RSA keys may be imported into the CCA token.

 - Opencryptoki contains systemd support. 
   Note: Ensure the opencryptoki lockfiles have been entered into tmpfiles.d
         to keep them persistent across reboots.
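
Added example (not part of the opencryptoki NEWS file or the project's code): a read-only check for the two manual steps noted above, that the pkcs11 group exists with root as a member and that a tmpfiles.d entry names /var/lock/opencryptoki. The function names are illustrative, and the tmpfiles.d directories searched are the standard systemd locations, which is an assumption about the host.

```sh
#!/bin/sh
# Added example (not from opencryptoki): checks for the two manual steps above.
# Function names and layout are illustrative; nothing is changed on the host.

# group_has_member LINE USER: LINE is one group(5) record (name:pw:gid:members).
# Exact name match only, so "rootless" does not count as "root".
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -s -d: -f4)
    old_ifs=$IFS; IFS=,
    for m in $members; do
        if [ "$m" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# tmpfiles_mentions PATH DIR...: true if a *.conf file in any DIR names PATH
# on a non-comment line.
tmpfiles_mentions() {
    path=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            if grep -v '^[[:space:]]*#' "$f" | grep -qF -- "$path"; then
                return 0
            fi
        done
    done
    return 1
}

# Report on the running host.
report() {
    line=$(getent group pkcs11 2>/dev/null) || line=""
    if [ -z "$line" ]; then
        echo "pkcs11 group: missing"
    elif group_has_member "$line" root; then
        echo "pkcs11 group: present, root is a member"
    else
        echo "pkcs11 group: present, root is NOT a member"
    fi
    if tmpfiles_mentions /var/lock/opencryptoki \
        /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d; then
        echo "tmpfiles.d: entry for /var/lock/opencryptoki found"
    else
        echo "tmpfiles.d: no entry for /var/lock/opencryptoki"
    fi
}

report
```

On systemd hosts /var/lock is commonly a symlink to /run/lock, so an entry written against /run/lock/opencryptoki will not match the literal path searched here.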