v2.1.0

This release adds support for using arbitrary key IDs with the PKCS11 module.

Features

• Add signing for Windows binary.
• Encode PKCS11 IDs that are not valid NetHSM IDs (#294, requires NetHSM v3.0 or later). These key IDs are represented on the NetHSM using the prefix 0--- and the hex-encoded PKCS11 ID. Previously, using such key IDs caused an error.
• Add Windows version information for builds in the GitHub pipeline.

Other Changes

• Updated CI pipeline to test with Fedora 42, 43, and Debian 13.
• Add default derive for ObjectKind enum.
• Update bytes, time, cryptoki-sys, and ureq dependencies.

Full Changelog

v2.1.0-rc.3

Features

• Add Windows version information for builds in the GitHub pipeline.

Full Changelog

v2.1.0-rc.2

Features

• Encode PKCS11 IDs that are not valid NetHSM IDs (#294, requires NetHSM v3.0 or later).
  These key IDs are representend on the NetHSM using the prefix 0--- and the hex-encoded PKCS11 ID.
  Previously, using such key IDs caused an error.

Full Changelog

v2.1.0-rc.1

Features

• Add signing for Windows binary.

Other changes

• Updated CI pipeline to test with Fedora 42, 43, and Debian 13.
• Add default derive for ObjectKind enum.
• Update bytes, time, cryptoki-sys, and ureq dependencies.

Full Changelog

v2.0.0

This release adds support for the new features introduced in NetHSM v3.0 and improves the key ID handling.

Breaking Changes

• Remove support for EC_P224 keys
• Remove enable_set_attribute_value config option
• Reject invalid IDs when creating or changing objects

Features

• Add support for EC_P256K1, BrainpoolP256, BrainpoolP384 and BrainpoolP512 keys (requires NetHSM v3.0 or later)
• Implement C_SetAttributeValue for CKA_ID to support renaming keys (requires NetHSM v3.0 or later)
• Add CKF_ENCRYPT flag for CKM_RSA_PKCS

Bugfixes

• Fix ID validation. The new requirements are:
  • The ID must not be empty and not be longer than 128 characters.
  • The first character must be in the range a-z, A-Z or 0-9.
  • The remaining characters must be in the range a-z, A-Z or 0-9 or one of the characters ., -, _.
  • The characters ., - and _ can only be used with NetHSM v3.0 or later.
• Remove corresponding certificate and public key objects from the cache if a private key is deleted (#260)

Compatibility

• This release is fully compatible with NetHSM v3.1.
• This release is generally compatible with NetHSM v1.0, v2.0, v2.1, v2.2 and v3.0 but not all features are available on these versions (as indicated in the changelog entries).
• RSA signatures using the PKCS1 mechanisms do not work with NetHSM v3.0.

Full Changelog

v2.0.0-rc.3

Breaking Changes

• Update RSA signature generation for NetHSM v3.1. This change is not compatible with older NetHSM versions.

Full Changelog

v2.0.0-rc.2

Breaking Changes

• Reject invalid IDs when creating or changing objects
• Update RSA signature generation for NetHSM v3.0. This change is not compatible with older NetHSM versions.

Bugfixes

• Fix ID validation. The new requirements are:
  • The ID must not be empty and not be longer than 128 characters.
  • The first character must be in the range a-z, A-Z or 0-9.
  • The remaining characters must be in the range a-z, A-Z or 0-9 or one of the characters ., -, _.

Full Changelog

v2.0.0-rc.1

Breaking Changes

• Remove support for EC_P224 keys
• Remove enable_set_attribute_value config option

Features

• Add support for EC_P256K1, BrainpoolP256, BrainpoolP384 and BrainpoolP512 keys
• Implement C_SetAttributeValue for CKA_ID to support renaming keys
• Add CKF_ENCRYPT flag for CKM_RSA_PKCS

Bugfixes

• Remove corresponding certificate and public key objects from the cache if a private key is deleted (#260)

Full Changelog

v1.7.2

1.7.2 (2025-07-25)

• Build Linux x86_64 binary against glibc v2.28

Full Changelog

v1.7.1

1.7.1 (2025-07-04)

• Fix PKCS#1v1.5 RSA signature prefix (#246)

Full Changelog