Release 0.1

@simo5 released this 30 Mar 13:49
· 331 commits to main since this release

This is the first release of the pkcs11 provider for OpenSSL 3.

With the release of OpenSSL 3.0 the older Engines have been deprecated; this code allows the use of PKCS#11 tokens via the native OpenSSL 3 provider interface.
It supports full RFC 7512 PKCS #11 URIs to specify keys, and most OpenSSL commands work when openssl.cnf is properly configured to load this provider, either by simply specifying a URI as a key or by requesting the use of provider=pkcs11 in a propquery.
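
To show what an RFC 7512 key reference contains, here is a small Python parser added as an illustration (it is not the provider's own code, which is written in C). The sample URI, the file path in it, and the names `parse_pkcs11_uri` and `_attributes` are constructed for this example.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512; vendor attributes carry an "x-" prefix.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "object", "type", "id",
              "library-manufacturer", "library-version", "library-description",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

# Constructed sample: a private key on a token, PIN read from a file.
SAMPLE_URI = ("pkcs11:token=My%20Token;object=signing-key;type=private;"
              "id=%01%AB?pin-source=file:/etc/token.pin")


def _attributes(part, sep, known):
    out = {}
    for item in filter(None, part.split(sep)):
        name, eq, raw = item.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {item!r}")
        vendor = name.startswith("x-")
        if name not in known and not vendor:
            raise ValueError(f"unknown attribute: {name!r}")
        if name in out and not vendor:  # repeated vendor attrs: last one kept
            raise ValueError(f"duplicate attribute: {name!r}")
        value = unquote_to_bytes(raw)  # values are percent-encoded
        # "id" (CKA_ID) is binary; everything else is UTF-8 text.
        out[name] = value if name == "id" else value.decode("utf-8")
    return out


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, warnings) for a pkcs11: URI."""
    scheme, colon, rest = uri.partition(":")
    if scheme.lower() != "pkcs11" or not colon:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs = _attributes(path, ";", PATH_ATTRS)
    qattrs = _attributes(query, "&", QUERY_ATTRS)
    if attrs.get("type", "private") not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {attrs['type']!r}")
    warnings = []
    if "pin-value" in qattrs:  # PIN would sit in configs, shell history, ps output
        warnings.append("pin-value embeds the PIN in the URI; use pin-source or a prompt")
    return attrs, qattrs, warnings


if __name__ == "__main__":
    print(parse_pkcs11_uri(SAMPLE_URI))
```

The warning list is the part worth wiring into a configuration review: a URI carrying `pin-value` stores the token PIN wherever the URI is stored.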

The code is far from bug-free, but we believe this is a good first milestone and is ready for wider testing. It has already been tested with software tokens and a few hardware tokens. Note that some software tokens will not work correctly if they link directly to OpenSSL without utilizing a separate libctx for their operation. For those tokens a p11-kit proxy may be used as a workaround (see the SoftHSM tests to understand how this works).

This version requires at least OpenSSL 3.0.7 as previous versions had bugs that prevented some operations from working correctly.

This is the culmination of several months of work, with the collaboration of many people.
A big thank you to all the contributors listed below.

What's Changed

  • Add minimal CI via github actions by @simo5 in #1
  • Add support to return errors to OpenSSL by @simo5 in #2
  • Fix operator precedence errors by @oerdnj in #9
  • Modernize the autotools usage a bit by @oerdnj in #6
  • Fix logical error in p11prov_rsakm_secbits by @oerdnj in #10
  • Add headers to the Makefile.am by @oerdnj in #12
  • Add compatibility shim for endian related functions by @oerdnj in #8
  • Make RTLD_DEEPBIND optional by @oerdnj in #11
  • Fix mismatch between CK_UTF8CHAR_PTR and const char * by @oerdnj in #13
  • Add SPDX license headers by @oerdnj in #16
  • Fix make distcheck by @simo5 in #17
  • Add initial .clang-format style and reformat the sources using it by @oerdnj in #15
  • Add checks to enforce at least c11 semantics by @simo5 in #19
  • Fix few typos and copy&paste errors by @oerdnj in #21
  • Add GitHub Action that runs Clang's scan-build by @oerdnj in #23
  • Use OPENSSL_strcasecmp() instead of strcasecmp() by @oerdnj in #26
  • Add missing single-line braces using clang-tidy by @oerdnj in #20
  • Add GitHub Action to build with clang by @oerdnj in #24
  • Enable all (most) of the warnings as errors by @oerdnj in #25
  • Create CODE_OF_CONDUCT.md by @simo5 in #27
  • Add doc on how to contribute to the project by @simo5 in #28
  • Add skeleton Security policy by @simo5 in #29
  • Add GitHub Action for Coverity Scan by @oerdnj in #30
  • Add handling of pin in provider configuration by @simo5 in #31
  • Fix issues found by the last Coverity Scan check by @oerdnj in #33
  • Add PIN prompting support by @simo5 in #36
  • Allow store to enumerate objects by @simo5 in #38
  • Fix coverity issues introduced yesterday by @simo5 in #39
  • Clarify PKCS#11 structure packing comment by @fabled in #40
  • Fix PIN wiping in few places by @fabled in #41
  • Make use of the session stored on the store ctx by @simo5 in #43
  • Fix infinite loop in case no key was found. by @simo5 in #44
  • Key loading by @simo5 in #45
  • Make debug functions a little more robust by @simo5 in #46
  • Fix issues found by valgrinding test suite by @fabled in #47
  • Fail hard make check if nss-softokn devel files were not found by @pemensik in #50
  • Debug: remove zero bytes after newlines by @simo5 in #51
  • fixes for git, autotools and library lookup by @holger-dengler in #52
  • Repurpose p11prov_ctx_fns as status check function by @simo5 in #53
  • Fix covscan detected issues by @simo5 in #54
  • Session object pooling by @simo5 in #48
  • Coverity Fixes 4 by @simo5 in #57
  • Rsa keygen by @simo5 in #56
  • New batch of coverity findings after the last few merges by @simo5 in #58
  • Add code to list and debug token mechanisms by @simo5 in #59
  • uri: fix key references by label by @holger-dengler in #62
  • Add RSA-PSS support by @simo5 in #61
  • Add codespell to CI by @simo5 in #63
  • Coverity Fixes series 6 by @simo5 in #64
  • Remove double newlines in some debug functions by @simo5 in #65
  • Make debugging less annoying by @simo5 in #70
  • Change CI to run custom distros via containers by @simo5 in #71
  • Require OpenSSL >= 3.0.5 by @simo5 in #72
  • Coverity Fixes Series 7 by @simo5 in #73
  • WIP: Remove the use of custom operation names by @simo5 in #67
  • Avoid leaving behind a freed pointer by @simo5 in #74
  • Improve store loading with multiple tokens by @simo5 in #75
  • Add different ways for specifying PKCS#11 module to use by @Jakuje in #79
  • CID 361508: Resource Leak by @simo5 in #80
  • Improve public key export by @simo5 in #81
  • Update build prerequisites by @simo5 in #85
  • Fedora package and requirements clarifications by @Jakuje in #77
  • Add support for generating CSRs via openssl req command by @simo5 in #87
  • Implement callback for tls group capabilities by @simo5 in #90
  • Improve signature debugging wrt parameter setting by @simo5 in #95
  • Fix detection of endianness by @Jakuje in #100
  • Fix openssl ca certificate related issues by @simo5 in #98
  • CID 376412: Fix lost error out by @simo5 in #102
  • run tests also using SoftHSM by @Jakuje in #97
  • Add support to expose digest mechanisms through the provider by @simo5 in #103
  • Coverity Fixes series 9 by @simo5 in #104
  • Refactor test suite by @simo5 in #106
  • Debug Improvements by @holger-dengler in #107
  • Rename the module binary to just pkcs11.so by @simo5 in #108
  • Fix "tests" when built outside source directory by @dengert in #111
  • Use OSSL_PARAM_get_utf8_string_ptr() when possible by @fabled in #115
  • Add basic support to load certificates from tokens by @simo5 in #116
  • Add p11prov_mech_by_mechanism() helper and use it by @fabled in #118
  • Remove space padding from slot and token info by @fabled in #119
  • Simplify and fix signature DER AlgorithmInfo by @fabled in #117
  • Fix ECDSA signatures and improve tests by @fabled in #121
  • Fix RSA signatures with pre-calculated hash by @fabled in #122
  • Coverity fixes #10 by @simo5 in #120
  • Minor fixups found during code review and experiments by @Jakuje in #131
  • Add fallback to cert to get public key attributes by @simo5 in #129
  • Defer requiring login to token by @simo5 in #130
  • Add guided RFE issue creation by @simo5 in #134
  • Aligning public and private key generation templates by @beldmit in #137
  • Skip slots that are not usable and check mechanism before selecting slot by @simo5 in #141
  • Wrap PKCS#11 interface calls by @simo5 in #142
  • We can reduce this requirement by @beldmit in #136
  • Add code that makes certs usable in OpenSSL by @simo5 in #143
  • Generate certificates for SoftHSM tests by @Jakuje in #144
  • Fix tests Readme to be more up to date by @simo5 in #146
  • Some housekeeping commits by @simo5 in #147
  • Simplify debug machinery and print line/function by @simo5 in #150
  • Use closed loop for FindObjectsInit/Final by @simo5 in #151
  • Allow pass custom OpenSSL dir by @beldmit in #152
  • Small enhancements to encoder.c by @simo5 in #153
  • Caching of keys in session objects and refactoring of session management by @simo5 in #154
  • Some interesting coverity discoveries by @simo5 in #156
  • Streamline fetch_attrs interface by @simo5 in #155
  • Allow retrieving group name for EC keys by @Jakuje in #158
  • Add a simple code generator by @simo5 in #157
  • Detect if token is write protected by @simo5 in #159
  • Optimize EC_KEY data parsing and storage by @simo5 in #165
  • Session locking fixes by @simo5 in #162
  • CID 433656: Invalid type in argument to printf by @simo5 in #170
  • Improve authentication to tokens by @simo5 in #167
  • Fix prompting for PIN by @simo5 in #173
  • Some minor fixes related to asprintf and endianness check by @ueno in #174
  • Key generation callbacks by @simo5 in #166
  • Eliminate use of asprintf by @simo5 in #175
  • Fix test as OpenSSL change output formatting by @simo5 in #180
  • macOS build fixes by @neverpanic in #181
  • Ecc signature fallback for non-raw signature mechanisms by @simo5 in #182
  • Simplify utility to fetch attributes by @simo5 in #183
  • Add basic instructions on how to use the provider by @simo5 in #186
  • Relax state check on login session by @simo5 in #189
  • Ensure we always use our own libctx by @simo5 in #192
  • Change how we determine if login is required by @simo5 in #190
  • Better PSS params defaults handling by @simo5 in #193
  • Retry store_fetch with login if nothing found by @simo5 in #197
  • Fix broken debug output to stderr by @manison in #199
  • Error early if RSA PSS is not supported by @simo5 in #200
  • Delay pkcs11 module loading and initialization by @simo5 in #202
  • Use a single name when loading from store by @simo5 in #204
  • Fix leak of EC_GROUP on error paths by @simo5 in #207
  • Add demoCA tests to test certificate signing by @simo5 in #208
  • Add support for EDDSA by @simo5 in #210
  • Add early load behavior configuration and test it by @simo5 in #214
  • Add test to exercise a full TLS connection by @simo5 in #216
  • Add support for setting/removing error stack marks by @simo5 in #218
  • Test reading pubkey from certificate by @Jakuje in #213
  • Add support to cleanup after fork, and test it by @simo5 in #135
  • Add options for caching by @simo5 in #220

New Contributors

Full Changelog: https://github.com/latchset/pkcs11-provider/commits/v0.1