All notable changes to this project should be documented in this file.
- The project was reorganized in a workspace with several crates
- Switch cargo setup to a workspace with several packages
- Rename and restructure some of the crates we recently created
- Added support for SP800 ECDH KDF variant
- PKCS#11 3.2 is now the default interface
- Implemented simple KDF functions for key concatenation and XOR of a base key with provided data.
This release adds support for PQC algorithms, comprehensive doc string coverage and a few important compatibility fixes in the database format and key wrapping data formats.
- The jsondb storage backend has been removed
- Added initial support for tracing logs
- Added support for FFDH key generation and derivation
- Added support for ML-DSA signature scheme
- Added support for SignatureVerify APIs with all algorithms
- Fixed a database format bug that would affect cross-platform portability
- Added doc string with Gemini's help to most files
- Made Token Info more spec compliant and added relevant information like the software release version.
- Fix Asymmetric keys export format for Key Wrapping and extend it to all EC key types
This release fixes several issues found by 3rd party testing, and adds preliminary support for PKCS#11 3.2 APIs. The PKCS#11 3.2 API allows us to add Post Quantum algorithms. This release adds support for the first PQ algorithm (ML-KEM). Both the PKCS#11 3.2 API and ML-KEM are optional features and can both be enabled by passing --features mlkem at build time.
- Added support for PKCS#11 3.2 interfaces
- Added support for Key Encapsulation/Decapsulation and ML-KEM Support
- Sundry fixes that result in minor, but visible, behavior changes:
  - Deal with length query issues
  - aes: Restrict AES-GCM to at least 1B tag length
  - Fix incorrect error returned on un-initialized operations
  - Ensure token store objects can be extracted if the right booleans are set
  - Fix check for object sensitivity as per spec
  - ecdh: Fix max ECDH output size
  - Fix C_WrapKey size query
- Minor enhancements:
This is the first release.
Kryoptic implements most of the functions available in the PKCS#11 3.1 spec with the exception of some message based operations.
The initial version supports both symmetric and asymmetric algorithms.
Asymmetric Algorithms:
- ECDSA
- EDDSA
- ECDH
- RSA
Symmetric Algorithms:
- AES
Hashes and HMAC:
- SHA1
- SHA2 (224, 256, 384, 512, 512/224, 512/256)
- SHA3 (224, 256, 384, 512)
Key derivation functions:
- PBKDF2
- HKDF
- SP108
- SSHKDF
- TLSKDF
The token supports 2 main database types:
- sqlitedb: this is the default and the recommended option
- nssdb: an NSS softokn database driver, which allows reusing an existing token (this is the same format used by the Firefox security token)
Kryoptic uses OpenSSL (3.2+) for most of the cryptography primitives. Static linking against libcrypto.a (or libfips.a with the fips feature) is available as a build option; dynamic linking to the system libcrypto.so is the default.
Unimplemented functions are noted in the source code and can be easily
explored by building the documentation. A Makefile provides shortcut
commands for common tasks; use make docs to build documentation
that includes non-public interfaces.