Developer's Guide
Release Notes
==========================================================================
RELEASE NOTES FOR
The P6R KMIP Server Gateway (Version 2020.1.24382)
Copyright 2004-2019 P6R Inc.
==========================================================================
==========================================================================
Contact Information
==========================================================================
* Sales 1.888.452.2580 (USA)
* Fax 1.831.476.7490
* Web https://www.p6r.com
* Technical Support https://support.p6r.com
* Blog https://www.p6r.com/articles/
==========================================================================
Known Issues
==========================================================================
OpenSSL
~~~~~~~~~~~~~~~~~
This software has been compiled against OpenSSL 1.x.x releases.
If you require compatibility with a different version of OpenSSL
please let us know. Also, depending on how your version of OpenSSL
was compiled, it may not contain all the symbols used by this
software. If you run into undefined symbol errors, please let us
know and we can provide you a build that will be compatible with
your specific options.
==========================================================================
Change Log
==========================================================================
- bugfix
+ feature addition
* improved/changed feature
! removed/deprecated feature
2020.1.24382
- Create key pair was not working due to several PKCS#11 issues.
Modified KSG so that this now works. Not able to extract a KMIP key due to
no way to load a customer KEK. Have not found how to do key
generation to create a CKK_SHAXXX_HMAC key. Added the ability to
create a generic secret P11 key by adding a KMIP extension enum
value.
- Updated KSG docs to describe where exactly the nCipher PKCS#11 DLL
needs to be placed so KSG can load it.
- There was one case where a KMIP Rekey operation resulted in a new
key without the State attribute being set. This has been fixed and
in that case the key is set to State Pre-active.
+ The nCipher nShield HSM uses C_GenerateKey with a set of Vendor
Defined mechanisms to support HMAC key generation. Their PKCS#11
API appears to still be at version 2.30 which did not have the HMAC
key derivation definition?
+ KMIP 1.4 now supports KMIP attributes that can have multiple
instances for the same attribute (e.g., Name).
2019.1.0.22611
- Bug in the p6pkcs11tool when listing keys and certificates. The
tool calls C_GetAttributeValue and if it sees the error
CKR_INVALID_TYPE it stops, which is not the behavior that P11 Version
2.40 defines. The spec says an application has to keep going
since several valid attribute values may be returned along with
some that did not exist for the key or cert. We have fixed this
so it lists all entries it can.
- An issue prevented KSG from responding to KMIP messages encoded in
XML and JSON. This issue has been fixed.
- KSG was crashing on receiving a KMIP request for an unsupported
protocol version. Now KSG returns an error message.
- KSG's implementation of the Locate operation was ignoring a
"Storage Status Mask" set to just Archive. In this
case, KSG would just perform its normal search of un-archived
objects. Currently, KSG does not support archiving managed
objects and now returns an empty list if Storage Status Mask is set
for just archived objects.
- KSG did not properly implement the KMIP "Fresh" attribute for
cryptographic managed objects. Now Fresh is set to false after an
object is retrieved via a GET operation.
- Typo where the KMIP 1.4 attribute "Comment" was instead output as
"Comments" in any text format such as XML and JSON message formats.
This is not an issue in TTLV. Fixed by removing the 's'.
+ Have added support for KMIP 2.0 Delete Attribute which is
significantly different from its KMIP 1.X version.
+ Integer configuration file items had to be in base 10 but this made
using one of these items for a big mask unworkable. The
configuration software has been enhanced to allow integer
configuration file items to be in base 10, or 8, or 16. Thus
encoding a bit mask of flags in base 16 is now the recommended
approach.
+ The definitions of KMIP 2.0 Modify and Delete Attribute operations
are very different from the KMIP 1.X versions. KSG has been
extended to support both the 2.0 and 1.X definitions.
+ KSG now supports the KMIP 2.0 Interop operation when enabled via a
ksg.conf file property. By default this operation is disabled and
will return a feature not supported error.
+ Added configuration items so the user can define a range of KMIP
protocol versions that are allowed while all others get an
unsupported error.
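
Added example (not P6R's code) for the C_GetAttributeValue fix in this release: a caller that treats the per-attribute return codes as partial success and skips only the entries the token marked unavailable. The token is a constructed mock; PKCS#11 v2.40 names the relevant codes CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID and CKR_BUFFER_TOO_SMALL, and mock_get_attribute_value, list_attributes and demo are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Minimal stand-ins for pkcs11.h (constants as in PKCS#11 v2.40), so no SDK is needed. */
typedef unsigned long CK_RV, CK_ULONG, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0, CKR_ATTRIBUTE_SENSITIVE = 0x11, CKR_ATTRIBUTE_TYPE_INVALID = 0x12,
       CKR_BUFFER_TOO_SMALL = 0x150 };
enum { CKA_LABEL = 0x3, CKA_VALUE = 0x11, CKA_SUBJECT = 0x101, CKA_ID = 0x102 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Constructed mock token: label and ID readable, CKA_VALUE sensitive, CKA_SUBJECT invalid. */
static CK_RV mock_get_attribute_value(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++) {
        const char *src = t[i].type == CKA_LABEL ? "demo-key" : t[i].type == CKA_ID ? "01" : NULL;
        if (src != NULL && t[i].ulValueLen >= strlen(src)) {
            t[i].ulValueLen = strlen(src);
            memcpy(t[i].pValue, src, t[i].ulValueLen);
            continue;
        }
        t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; /* marks the unreadable entry */
        rv = src ? CKR_BUFFER_TOO_SMALL
           : t[i].type == CKA_VALUE ? CKR_ATTRIBUTE_SENSITIVE : CKR_ATTRIBUTE_TYPE_INVALID;
    }
    return rv;
}

/* Lists every attribute the token filled in. Returns the count, or -1 on a real error. */
int list_attributes(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = mock_get_attribute_value(t, n);
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_SENSITIVE &&
        rv != CKR_ATTRIBUTE_TYPE_INVALID && rv != CKR_BUFFER_TOO_SMALL)
        return -1; /* genuine failure: trust nothing in the template */
    int shown = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) continue; /* skip only this one */
        printf("0x%03lx = %.*s\n", t[i].type, (int)t[i].ulValueLen, (char *)t[i].pValue);
        shown++;
    }
    return shown;
}

int demo(void) { /* template order: readable, sensitive, invalid, readable */
    char b[4][32];
    CK_ATTRIBUTE t[] = { { CKA_LABEL, b[0], 32 }, { CKA_VALUE, b[1], 32 },
                         { CKA_SUBJECT, b[2], 32 }, { CKA_ID, b[3], 32 } };
    return list_attributes(t, 4);
}
int main(void) { return demo() == 2 ? 0 : 1; }
```
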
2018.1.0.21423
- In certain cases KSG would close a connection after a KMIP
request. This should only be acceptable in certain error cases.
This is now fixed.
- Network timeouts for receiving bytes off a socket, sending bytes on
a socket, and accepting an incoming connection were not
configurable. Now they are configurable and also have more
reasonable defaults. Defaults: receive timeout - 5 minutes, send
timeout - 5 minutes, accept connection - 10 seconds.
+ KSG uses the PKCS#11 C_DigestKey() API call to obtain a digest of a
newly created KMIP key. However, some HSMs do not support this
call resulting in an error in the logs. We have added a
configuration flag to disable the call to C_DigestKey() and avoid
the repeated errors in the logs.
2018.1.0.21351
- Created top level manual.dox so HTML documentation can now be
included in the official KSG build.
+ Added support for AES Key Wrap and AES Key Unwrap functions to our
Crypto layer.
+ Now the KMIP Create can ask to create a Secret Data managed object
for passwords.
+ Integrated into Jenkins
+ Updated the p6pkcs11tool so it can run on the P6 platform and not
just loader products such as SKC.
+ Added support for KMIP Re-Key operation.
+ Initial Release
==========================================================================
Notices
==========================================================================
KSL, P6R and "Project 6 Research" are trademarks of P6R Inc. All other
products, brands and company names referred to here are used for
identification purposes and are the property of their respective
trademark holders.