All notable changes to this project should be documented in this file.
- Added support to save and restore operations state
- Support for CKM_TLS12_MASTER_KEY_DERIVE_DH
- Removed memorydb backend
- Refactor code that exposes handles the fips provider and defer KAT self-tests
This release adds more PKCS#11 compatibility/completeness features as well as fixes various issues.
One of the most notable additions is support for a mechanism to derive
public keys from private keys. This allows better handling of tokens where only
the private key has been imported, but no corresponding public key object.
To make this more effective and efficient the code now automatically
generates and stores the CKA_PUBLIC_KEY_INFO attribute for all asymmetric
key types.
- Added support to store Trust Objects
- Added support for CKO_PROFILE objects
- Support for CKM_PUB_KEY_FROM_PRIV_KEY
- Support for CKA_PUBLIC_KEY_INFO
- Fixed an error that could return sensitive values to an authenticated user when the CKA_SENSITIVE flag is set to true.
This is a bugfix release that addresses an issue with publishing to crates.io.
- Fix issue publishing to crates.io
This release splits the kryoptic crate in four separate crates:
- ossl: the bindings to openssl libraries
- kryoptic: the kryoptic pkcs11 token (the .so module)
- kryoptic-lib: the bulk of the implementation of kryoptic functionality
- kryoptic-tools: utility tools (like softhsm2 migration tools)
The split between kryoptic and kryoptic-lib was necessary because of the way cargo handles libs and cdylibs: both can't be built from the same crate.
The PKCS#11 3.2 API is now the default API offered to applications. New mechanisms have been added, see the rest of the changelog for details.
- The project was reorganized in a workspace with several crates
- Switch cargo setup to a workspace with several packages
- Rename and restructure some of the crates we recently created
- Added support for SP800 ECDH KDF variant
- PKCS#11 3.2 is now the default interface
- Implemented simple KDF functions for key concatenation and XOR of a base key with provided data.
- Added support for SLH-DSA keys and operations
- Change the OSSL bindings license to Apache 2.0
- Added support for DSA signature algorithm and 3DES cipher for OSSL bindings
- Added support for automatically deriving Private Key value from seed for ML-DSA and ML-KEM
- Added OpenPGP (RFC9580) relevant legacy algorithms in ossl bindings
This release adds support for PQC algorithms, comprehensive doc string coverage and a few important compatibility fixes in the database format and key wrapping data formats.
- The jsondb storage backend has been removed
- Added initial support for tracing logs
- Added support for FFDH key generation and derivation
- Added support for ML-DSA signature scheme
- Added support for SignatureVerify APIs with all algorithms
- Fixed a database format bug that would affect cross-platform portability
- Added doc string with Gemini's help to most files
- Made Token Info more spec compliant and added relevant information like the software release version.
- Fix Asymmetric keys export format for Key Wrapping and extend it to all EC key types
This release fixes several issues found by 3rd party testing, and adds preliminary support for PKCS#11 3.2 APIs. The PKCS#11 3.2 API allows us to add Post Quantum algorithms. This release adds support for the first PQ algorithm (ML-KEM). Both the PKCS#11 3.2 API and ML-KEM are optional features and can both be enabled by passing --feature mlkem at build time.
- Added support for PKCS#11 3.2 interfaces
- Added support for Key Encapsulation/Decapsulation and ML-KEM Support
- Sundry fixes that result in minor, but visible, behavior changes:
  - Deal with length query issues
  - aes: Restrict AES-GCM to at least 1B tag length
  - Fix incorrect error returned on un-initialized operations
  - Ensure token store objects can be extracted if the right booleans are set
  - Fix check for object sensitivity as per spec
  - ecdh: Fix max ECDH output size
  - Fix C_WrapKey size query
- Minor enhancements:
This is the first release.
Kryoptic implements most of the functions available in the PKCS#11 3.1 spec with the exception of some message based operations.
The initial version supports both symmetric and asymmetric algorithms.
Asymmetric Algorithms:
- ECDSA
- EDDSA
- ECDH
- RSA
Symmetric Algorithms:
- AES
Hashes and HMAC:
- SHA1
- SHA2 (224, 256, 384, 512, 512/224, 512/256)
- SHA3 (224, 256, 384, 512)
Key derivation functions:
- PBKDF2
- HKDF
- SP108
- SSHKDF
- TLSKDF
The token supports 2 main database types:
- sqlitedb: this is the default and the recommended option
- nssdb: an NSS softokn database driver, which allows reusing an existing token (this is the same format used by the Firefox security token)
Kryoptic uses OpenSSL (3.2+) for most of the cryptographic primitives. A static build against libcrypto.a (or libfips.a with the fips feature) is available, as is dynamic linking to the system libcrypto.so (the default).
Unimplemented functions are noted in the source code and can be easily
explored by building the documentation. A Makefile provides
shortcut commands for common tasks; use make docs to build documentation
that includes non-public interfaces.