Release Notes
==========================================================================
RELEASE NOTES FOR
The SKC Toolkit (Version 2017.1.19000)
Copyright 2004-2016 P6R Inc.
==========================================================================
==========================================================================
Contact Information
==========================================================================
* Sales 1.888.452.2580 (USA)
* Fax 1.831.476.7490
* Web https://www.p6r.com
* Technical Support https://support.p6r.com
* Blog https://www.p6r.com/articles/
==========================================================================
Known Issues
==========================================================================
OpenSSL
~~~~~~~~~~~~~~~~~
This software has been compiled against OpenSSL 1.x.x releases.
If you require compatibility with a different version of OpenSSL
please let us know. Also depending on how your version of OpenSSL
was compiled, it may not contain all the symbols used by this
software. If you run into undefined symbol errors, please let us
know and we can provide you a build that will be compatible with
your specific options.
==========================================================================
Change Log
==========================================================================
- bugfix
+ feature addition
* improved/changed feature
! removed/deprecated feature
2017.1.19000
- The NSP token's implementation of C_GetSessionInfo did not take
into account all sessions to that token. This logic is already
implemented in our PKCS#11 wrapper. Fixed the issue by using the
PKCS#11 wrapper implementation.
- Fixed an issue that caused the SSL engine to leak a DH key on every
connection.
- Fixed a memory leak when using client certificates on SSL
connections.
- Fixed typo in built-in XML string functions where case was missing
a break statement.
- Fixed a bug that caused a memory leak when using p6IDir to iterate
an empty directory.
- KMIP JSON parser did not properly convert "\udddd" Unicode code units
into the proper numeric character value. This is now fixed.
- Improperly encoded a wrapped key for a Register operation when the
"No Encoding" option was selected. This is now fixed.
- C_InitToken did not test that the SO's PIN length was in the
configured or default length range.
- KMIP streaming functions were returning an invalid P6R error
code when a KMIP error was returned. Now this invalid P6R error is
no longer returned and the calling application can refer to the
returned KMIP error properly.
- The PKCS#11 to KMIP converter code did not properly generate the
required KMIP message specifying the EC key's Qlength and
RecommendedCurve attributes. This has been fixed and will now
work with KMIP servers that allow Elliptic curves to be created via
the Create Key Pair operation. In P11 this was via the
C_GenerateKeyPair function.
- p6pkcs11tool will display the names of all specification defined
mechanisms. In addition vendor defined mechanisms can be added by
just adding them to the p6p11mechanisms.conf file. The key is the
mechanism's hexadecimal numeric.
- Streaming version of Mac Verify failed during the update state.
Now fixed and works with one or more update state calls made. Only
concerns KMIP version 1.3 and greater.
- KMIP XML parsing could not handle a ByteString typed element that
had an empty string value: value=""
Now this has been fixed.
- KMIP JSON parsing could not handle an element with an empty
bytestring value, value="". Now this has been fixed.
- KMIP JSON byte string parsing had a memory leak.
- Fixed an issue with handling threads created using an external API
in the p6IQueue Asynchronous, threaded priority queue component.
- PKCS#11 command line tool now shows all objects on a token when the
"-list" command is chosen. Previously for KMIP 1.3 protocol
version and greater a bug prevented some objects from being
displayed.
- Creating any key without key material provided is not properly
supported for server request and parsing server response. KMIP
MDO response is treated the same way as a key created with no key
material. All responses from server are made to look like client
receiving a RAW key with keymaterial.pString set to NULL.
- Updated links to OASIS documents on supported KMIP and PKCS#11
protocol versions.
+ Added and interop tested all new KMIP 1.4 features.
+ Adding support for the KMIP Derive Key operation to our JNI API.
+ Extended the keystore's ability to store longer string meta-data.
This has been used to store a key's modulus value.
+ Getting the required buffer size for a custom KMIP attribute
required 2 separate calls to the Attribute enumerator's getValue()
method. Fixed it so now only one call is needed.
+ JNI KMIP implementation now supports the following KMIP 1.4
features: GCM, OAEP, PKCS#12 export, Signing Digested data,
streaming Sign, and create password. Also derive key operation has
been added.
+ Added the following new features to the KMIP CLI:
PKCS#12 export (requires KMIP 1.4), create password (requires 1.4),
derive key, added support for newly introduced 1.4 attributes.
+ Python KMIP extension now handles all KMIP 1.4 new features.
+ Added EC key generation to the KMIP CLI.
+ Added a new flag (P6SSF_METHOD_TLS1_2) to the SSL engine to support
forcing a TLSv1.2 connection. This flag can be passed into the
p6ITcpSecureSocket::initSecureSocket() method.
+ Updated the default cipher list to include TLSv1.2 ciphers for
secure socket connections.
+ The KMIP Command line tool did not allow the OpenSSL ciphers to be
overridden as is allowed in the SDK API. We have added a
configuration parameter KMIPsslCiphers which can hold an OpenSSL
cipher string.
+ p6kmiptool -serverinfo only showed a limited view of a KMIP
server's capability. We added support for returning the missing
additional information such as: profiles supported, validations,
RNG supported, client registration methods, and extensions
supported.
+ PKCS#11 KMIP token now supports KMIP 1.4 and its new PKCS#11 like
attributes: Sensitive, Always Sensitive, Extractable, and Never
Extractable.
+ KMIP token can convert custom attributes used to support PKCS#11
attributes CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE,
and CKA_ALWAYS_SENSITIVE to KMIP 1.4 new standard attributes.
This is also supported in the PKCS#11 command line tool.
+ PKCS#11 KMIP token now supports the additional functions:
C_SignUpdate, C_SignFinal, C_VerifyUpdate, C_VerifyFinal. Previous
KMIP server releases did not support streaming sign operations; now
many do.
+ PKCS#11 KMIP token now works as a PKCS#11 provider for the PrimeKey
SignServer (https://www.signserver.org/)
+ the p6pkcs11tool template files (e.g., p6p11template.conf) can now
define how the value of the command line "-alas" parameter maps to
PKCS#11 attribute values.
+ Added the ability to create and manage key references. A key
reference holds the location of a key in a remote location (e.g.,
HSM, KMIP server etc) rather than hold the key material in the
keystore. Added new query to search for key references by remote
location.
2016.3.0.18271
- The HPE NSP token did not properly return the value of the
- When CKO_SECRET_KEY or CKO_PRIVATE_KEY are locally generated on the
NSP we now make sure to set the attribute CKA_SENSITIVE to true.
This prevents the caller from trying to get their value from a call
to C_GetAttributeValue(). However, these keys can still be
extracted via a call to C_Wrap().
- Fixed an issue which caused a crash on exit of the process in some
cases and a leak of a keystore instance.
- Logging issue during calls to C_GetAttributeValue could cause the
library to crash. Issue caused by PKCS#11 returning -1 for length
of attributes that could not be found. Now logging properly
handles this case.
- The ASN.1 component now has a new C programming language callable
interface. The old interface is deprecated.
- CKR_USER_TYPE_INVALID was not properly being returned when an
unknown user type was passed into C_Login. This issue has been
fixed.
- The KMIP PKCS11 token used too many instances of a generic internal
error code that would appear in logs thus providing insufficient
help in determining issues. Most uses of this generic error code
have been replaced with meaningful new P6R error codes that will
now appear in our logs.
- The KMIP client was leaking several incoming message buffers every
time the client was freed. The message buffers were incorrectly
reference counted one too many times.
- The PKCS11 KMIP token was leaking the KMIP unique identifier
returned by the KMIP encrypt/decrypt functions that represented the
key in use.
- Memory leak in the KMIP Client TTLV to internal representation
converter. This resulted in an internal memory pool not being
freed. Result is a much smaller memory foot print.
- A feature to support additions to the KMIP 1.3 Locate operation
added a memory leak to that operation. This leak has been fixed.
- Improved the error codes returned when using the command
p6kmiptool -config -add-server <some fqdn>
- Added a Java JNI API wrapper around our KMIP client that provides a
C++ API.
- The following attributes: CKA_EXTRACTABLE, CKA_SENSITIVE, and
CKA_ALWAYS_AUTHENTICATE once set to any value could then have their
value changed due to a bug in the code. So if CKA_EXTRACTABLE was
set to true it could not then be reset to false. The bug fix
resolves this problem.
- Just like our PKCS#11 library, the KMIP Command line tool now
supports the configuration parameter KMIPMaxVersion. The command
line tool selects a version of the protocol to use based on the
"Discover Versions" KMIP operation. This feature limits the
largest version it can use. This is good to help prevent
unexpected changes in behavior.
- The KMIP command line tool commands did not test for options passed
that a command did not support. The extra options were just
ignored. Now an extra option is detected, an error is printed,
and the command fails.
- The PKCS#11 command line tool did not detect unsupported options
added to a command; instead those options were ignored. Now the
PKCS#11 command line tool detects an unsupported option, prints an
error, and fails the command before being executed.
- Fixed typo in component registration information debug output
- HPE NSP token would fail to properly write all of a Key's
attributes if the CKA_EXTRACTABLE attribute was passed in during
key generation. This happened since the HPE token already
defaulted that value and writing two versions of the same attribute
prevented several other attributes from being written. This is now
fixed.
- Added the KMIP token configuration item "tokenKMIPUseFlags" so that
a user can control the way KMIP protocol is used. Current flag
added allows the 'KEK' key role type to be included on a key used
for wrapping.
- p6kmiptool when modifying or deleting an attribute if the "-index"
parameter was not specified the index value passed to KMIP would
not default to zero. This has been fixed and the default index if
not specified is zero.
- Now support Big endian ARM architectures
- Updated the PKCS#11 command line tool's usage text providing more
information on the -import function.
- Some applications need C_SeedRandom to return CKR_OK otherwise the
application will not use the token. The NSP does not currently
support this feature and an error is properly returned. To
integrate with such applications a configuration flag can be set so
that all calls to C_SeedRandom for a specific NSP token instance
will always return CKR_OK.
- Improved KMIP log message generation to fix a bug where a log
message would occasionally be over written with a new log message.
- Database wrapper for Sqlite database was not properly returning
meaningful errors. Instead it just masked all errors to eFail.
This masking was removed allowing more P6R errors to be returned to
the user.
- Improved the error code return from the Keystore.setKey() function
clearly indicating that a caller is trying to insert a key that
already exists in the keystore database (i.e., eExists is
returned).
- For third party tokens the "slotFlags" parameter defined in the
p6pkcs11.conf file was ignored. This caused an issue with a call
to C_GetSlotList when the first parameter to that call
"tokenPresent" was set to true. The "slotFlags" parameter is not
properly loaded for all tokens.
- Fixed an issue that caused us to attempt a close on an invalid
handle when a certificate file was unable to be opened.
+ We now log all attributes' values; for attributes we are not sure
of, we log their contents as a hex dump. We also log the string name
of many attributes (e.g., CKA_PRIVATE instead of its integer
value).
+ Added support for KMIP 1.4 Client and Server Correlation Values.
+ Adding support for KMIP 1.4 RSA OAEP and PSS encryption.
+ Added support for compiling using newer gcc compilers v5+
+ Added the "customerKeyPath" field to the p6kmiptool.conf file which
allows the user to provide their own AES 256 bit PEM encoded key to
protect the keystore generated by this tool. This overrides the
"baseKeyPath" parameter which results in this command line tool
generating its own AES key.
+ For the KMIP token make the KMIP socket default connection and send
timeouts to be 60 seconds. The timeouts are configurable via the
p6pkcs11.config file.
+ Updated the KMIP socket default timeouts to be 60 seconds for
connect and send. Receive is 120 seconds. All of these timeouts
are configurable via the p6kmiptool.conf file.
+ Added the ability to add the 4 KMIP Date-Time attributes that a
client is allowed to set: Activation Date, Process Start Date,
Protect Stop Date, and Deactivation Date. The user provides these
dates via a Unix timestamp on the command line.
+ Allow each instance of a multiple-instance KMIP attribute to be
either modified and/or deleted. This is done by adding an "index"
parameter to the "-modify-attribute" and "-delete-attribute"
commands.
+ Provides more flexibility to the KMIP command line tool to define
different sets of servers and use multiple keystores. This is done
by allowing any command to pass in a path to alternative
configuration files that can also define different keystores.
+ P6R copyright notice was not being displayed properly
+ Allow the PKCS#11 token to see all keys/objects on a KMIP server,
not just the ones created by the P6R library by using an additional
configuration setting, the tokenKMIPUseFlags bit mask.
+ NSP token now supports CKM_AES_CBC_PAD. The padding is done in the
token and not on the NSP HSM.
+ Added an optimization on how PKCS#11 KMIP token accesses KMIP
attribute values. The cryptoUsageMask is now cached for a KMIP
object in a PKCS#11 session after it is accessed the first time.
2016.2.0.16221
- Fixed issue where the key type was not being properly validated in
the p6ICryptoKey component.
- Fixed issue that caused the P6CMF_ALWAYS_CHECK_SUBJECT flags to be
ignored in the p6ICert::matchDns() method.
- Fixed an issue that caused logging to not work in the sqlite
implementation of p6IDBStmtImpl.
- Fixed an issue that caused all the flags passed into the
p6IIoBufferFactory::initialize() (except for P6IOBF_USEHEAP) to be
ignored.
- Added an unlikely used form of an extension attribute where the
attribute value is a text structure. This is required for a few
Interop test cases but an application would not want to use this
format since there are more efficient and equivalent forms.
2016.1.16066
- Made calls to C_Initialize() and C_Finalize multi-thread and
multi-process safe by the use of an internally created semaphore.
- Fixed a case where a missing configuration item in a 3rd party
token prevented PKCS11 library from initializing.
- Key Material was being returned for CKO_SECRET_KEY and
CKO_PRIVATE_KEY objects when CKA_SENSITIVE was true and/or
CKA_EXTRACTABLE was false which is against the 2.40 PKCS11
specification.
- Software token was returning key material from CKO_SECRET_KEY and
CKO_PRIVATE_KEY objects even when CKA_SENSITIVE was true and/or
CKA_EXTRACTABLE was false against the PKCS11 2.40 specification
- To support a Utimaco token we need to dynamically load their PKCS11
version 2.20 library on Windows and Linux.
- The PKCS11 version 2.40 specification defines that
CK_UNAVAILABLE_INFORMATION has to be returned for certain error
cases from the function C_GetAttributeValue(). We did not do this
for all such error cases.
- Fixed an intermittent crash in the async networking code on linux
that could occur when closing the socket.
- When KMIP messages are encoded in TTLV but logs are in XML or JSON
then SKC will now automatically turn on the XML DOM pretty printing
option: P6DOMOUTPUT_PRETTYPRINT. However, when KMIP messages are
in XML or JSON no pretty printing is done in order to capture
exactly what is sent / received from the server.
- On any error other than CKR_BUFFER_TOO_SMALL functions C_Encrypt
and C_Decrypt are supposed to terminate active encryption /
decryption operations. This was not being done properly but has
now been fixed.
- p6ISymmetricCrypto::encryptEnd and p6ISymmetricCrypto::decryptEnd
did not return zero for data length returned when there is no data
to be returned. Caller would believe that there was more encrypted
/ decrypted data for a final block when there was none. Now these
functions properly return a zero data length returned when there is
no data for the caller.
- Proper handling of the CKA_ALWAYS_AUTHENTICATE attribute was not
implemented.
- Fixed race condition in the use of a semaphore that protects calls
to C_Initialize and C_Finalize.
- Created 64bit native linux installer for 64bit only versions of
Linux operating systems.
- UEFI: Fixed issue where calls to p6ShutdownUefi() did not correctly
reset the state to uninitialized.
- Fixed issue with testing access permission of Session objects.
Session objects should only be accessible by the Session that
created it.
- C_Login did not prevent a Security Officer (SO) from logging into a
read only session. Now this behavior is prevented since SO can
only log into read write sessions.
- Typo in the C_CreateObject function prevented proper checking of
permissions when creating an object.
- Sign extension was occurring on certain parts of public/private key
parts. The sign extension 0XFF bits are now being removed before
the user application gets them.
- When generating a private EC key from just the curve and D values
the public key was not being properly derived. OpenSSL requires
this so that the EC private key can be written out in PEM properly.
- If user did not follow comment instructions about passing a date
object into P6KMIPEncoder::addRevokeRequest the command would fail
with a server error returned. Now that function will ignore date values
passed in when revocation reason is anything other than "key
compromise".
- Fixed a memory leak in C_Initialize having to do with P6R internal
locking objects.
- Added the capability to work with PKCS#11 applications that call
C_Initialize multiple times and expect a CKR_OK value returned each
time. Also these applications will call C_Finalize once per
C_Initialize call. We added a library wide flag that once set
will handle these broken clients since this behavior is against the
PKCS#11 specification.
- PIN lengths per token can now be defined via configuration. The
default for min PIN length is now 8 and the max PIN length is now
25 bytes.
- When a third party token is being used in a C_FindObject an
erroneous error code was being returned for objects that the caller
did not have read access to. The correct behavior is that these
objects are filtered out and the caller never sees them.
- As part of the PKCS#11 V2.40 Errata definition includes a new set
of OASIS defined PKCS#11 "official" header files. We have replaced
the old RSA files we were using with these new OASIS defined API
definition files.
- Improved Sqlite error handling and logging. Previously some
Sqlite error codes were being masked.
- Fixed issue that when the symmetric crypto object encrypt and
decrypt functions were called using buffers larger than 1000 bytes
junk could be appended on the end of the buffer.
- Fixed bug allowing only one instance of a 3rd party token to be
created. Now any number of separate instances of a 3rd party
tokens can be created each with its own run time state.
- Improve error logging to help diagnose problems.
- DestroyMutex was not being called during C_Finalize() if the
PKCS#11 library user set the CreateMutex, LockMutex, UnlockMutex,
and DestroyMutex calls on C_Initialize().
- CKA_TRUSTED defaults to CK_FALSE when certificates are added via a
call to C_CreateObject().
- Third party tokens that do not support token re-initialization
still had their User PIN deleted on a second call to C_InitToken.
Now the user PIN is only deleted if the third party token
re-initialization code is successful.
- C_GetAttribute did not support the CKA_VALUE_LEN attribute. Now the
correct value is returned if the attribute is associated with the
object being accessed.
- Added the p6ITrustedStorage interface abstraction that any can
implement itself. It was used by the main PKCS11 wrapper classes
to provide a trusted storage for all 3rd party tokens so they would
not have to design key storage if the HSM does not store the keys
in itself (e.g., Thales and HPE HSMs).
+ Added new component p6ISemaphore which implements a platform
independent named semaphore.
+ Minimum glibc version is now 3.4
+ Integrated the Utimaco HSM PKCS#11 Version 2.20 library as a token
under the P6R PKCS#11 Version 2.40 library. Now each slot on a
Utimaco HSM can be mapped into a P6R PKCS#11 API slot holding a
Utimaco Token. The P6R Utimaco Token also converts Utimaco HSM
vendor extension mechanism codes into and out of PKCS#11 Version
2.40 codes wherever possible.
+ Added the following PKCS11 API functions to P6R's software token:
C_GenerateKey (not including domain parameters), C_GenerateKeyPair,
C_GenerateRandom, C_SignInit, C_Sign, C_VerifyInit, C_Verify,
C_EncryptInit, C_Encrypt, C_EncryptUpdate, C_EncryptFinal,
C_DecryptInit, C_Decrypt, C_DecryptUpdate, C_DecryptFinal,
C_DigestInit, and C_Digest.
+ Added streaming API calls to the p6Digest object in support of
similar functions required for our Software token in PKCS11.
+ Provide scripts to verify the environment on Centos and Ubuntu
Linux distributions. They can be run to ensure that everything
needed for SKC is present and configured properly. These scripts
are located under "(installdir)/scripts/install".
+ Low-level and p6ILogProducer logging output (in SKC) has been
improved to include a timestamp, threadid, source module and line,
log level and log module in addition to the log event itself.
+ C_CopyObject was not previously implemented for the KMIP token.
Now a full implementation supports copying all PKCS 11 objects.
Also all PKCS 11 attributes defined to be able to be
modified during a copy (via the 2.40 specification) are also
supported.
+ Added a new token type that allows the user of our PKCS11 library
to communicate to a Utimaco CryptoServer HSM. We map one slot of
the Utimaco HSM into one slot defined in our PKCS11 library.
+ Added a new token type that allows the user of our PKCS11 library
to communicate to a Thales nShield Connect HSM. We map one slot
of the Thales HSM into one slot defined in our PKCS11 library.
+ Added a new token type that allows the user of our PKCS11 library
to communicate to a FutureX HSM. We map one slot of the FutureX
HSM into one slot defined in our PKCS11 library.
+ Added a new token type that allows the user of our PKCS11 library
to communicate to a DocuSign ARX PrivateServer HSM. We map one
slot of the DocuSign HSM into one slot defined in our PKCS11
library.
+ Created a new command line tool named p6pkcs11tool to help support
and manage tokens and their individual configuration needs. The tool
also allows the TLS client side certificate to be replaced once /
before it expires.
+ New interface added - p6IKeystoreSSL2 which adds replace methods
that correspond to the existing import methods in p6IKeystoreSSL.
New interface added - p6IKeystore3 which modified all the replace
methods to return the UUID of the new item.
+ Added a new interface named p6ITrustedStorage which defines basic
operations to a trusted storage mechanism.
+ Enhanced formatString() and formatStringW() to indicate common
format string errors in the output buffer to make those issues more
obvious.
+ Allow the XML and JSON message formats to encode the Cryptographic
Usage Mask attribute as a decimal number.
+ Added support for HPE's Network Security Processor HSM in our
PKCS11 implementation.
* Removed pkcs11 standard header files from each example. They are
already located in the SKC's include directory.
* Changed p6InitializeLoader() and p6CleanupLoader() to implement
reference counting so that multiple/nested calls will work more
easily and cleanup appropriately.
2015.1.0.14795
- (linux) Fixed a problem in the example makefiles that caused the
wrong calling convention to be used on 32bit platforms resulting in
the example crashing.
- (UEFI) Fixed Release UEFI build throwing warnings about /Ob21s
being an invalid compiler option
- (UEFI) Fixed UEFI unit test fails testing KMIP decoder with "UNIQUE
ID NOT FOUND"
+ Added flag to ensure interoperation with KMIP servers that have a
bug properly reading out of a network socket.
+ Added TTLV logging; before, we only had XML, JSON, or just a simple
dump of the entire binary message with no parsing.
* Updated documentation for building examples to include 64bit.
2015.1.14630
- Added missing file SkcPkg.dec for UEFI platforms.
- Updated the file comment to be correct for KMIP example 14
- Corrected the link order of libraries in some example Makefiles
- Removed support for SSLv2 since it is vulnerable and many platforms
are now shipping with openSSL versions that have this support
compiled out. Specifying P6SSF_METHOD_SSLV2 for a connection is
synonymous with P6SSF_METHOD_NEGOTIATE.
! Removed Solaris makefiles from the examples.
2015.1.14544
- Supports PKCS 11 reset token allowing easy linking of KMIP
credentials via the use of the keystore link capability
- KMIP server side Notify and Put responses need an empty payload
rather than return no payload.
- Fixed an issue where the loader would needlessly read from
/dev/random on startup causing large delays on low entropy systems
(VMs).
+ Added support for Attestation to the API which was added fully in
KMIP 1.2.
+ Added support allowing KMIP client to get any Key or certificate as
a binary blob format.
+ Added SuiteB support.
+ Added limited UEFI platform support. A library providing support
for accessing the low-level KMIP TTLV encoder/decoder interfaces is
provided and linkable with native PE format UEFI drivers and
applications. byte-code format is not supported.
+ Added support for Elliptical Curve Private Keys to support SuiteB
crypto.
+ Added full support for KMIP 1.3 streaming Encryption and Hashing.
+ Add support for importing PEM encoded SSL credentials into the
keystore. Keys and certs are automatically placed in the correct
namespaces, using the correct keys so that the SSL network layer
will automatically find them. Import from file and buffer is
supported. The new interface is named p6IKeystoreSSL.
1.2.0.13950
- Fixed interface leak in the p6IMempool component.
- Fixed minor issue in key store that prevented updating a Key's meta
data.
- Simple memory leak error in database layer fixed.
- Fixed the "deprecated conversion from string constant" compiler
warning in the ex-kmip1-1.cpp example.
- Passing back more Sqlite error codes from database layer.
- Fixed small bug in database component where an error code was being
overridden by another function.
- KMIP Server properly generates a response with unique batch id from
the request if present.
- KMIP 1.3: KMIP server missing HTTP status line for HTTPS response,
now returns HTTP/1.0 200 OK as is required by the protocol.
- EC keys not being loaded properly from file or keystore.
- Several XML value equivalents of TTLV constants were done
improperly. All XML values have been verified.
- Fix an issue where the timeout value in conditional variables was
not calculated correctly on non-windows platforms.
- Fixed a problem with timeout not being calculated correctly on
Solaris in the waitTimed() method of p6ICondvar
- Fixed interface leak in p6IKeystore::setKey()
? replaceChildAt XML node function was not in use and incorrectly
implemented; it has been deprecated and now does nothing.
+ New methods added to p6ITcpSecureSocket that allow the peer
certificate and certificate chain for the current SSL connection to
be retrieved. As well as method to provision
a keystore with the current connection remote root certificate.
+ Added support for Elliptic Curve keys and Suite B via customer
provided OpenSSL.
+ (KMIP 1.3) Provide experimental KMIP 1.3 functionality: streaming
crypto operations, Query extensions, Server to client Query
operation, and extension to the locate operation.
+ Allow an application to modify the KMIP protocol version in effect
after initialization. This way a client can default to a low
protocol version then execute discoverVersions() getting the
server's supported versions. Then the client can reset the KMIP
protocol to use on the existing TLS session.
+ KMIP users may want to cache symmetric keys obtained from KMIP into
our keystore. To be able to do this we need to be able to load a
key without a pre-defined IV.
+ Added a new runtime function named getCryptoProviderVersion() to
retrieve a string describing the version of underlying crypto
provider (e.g., "OpenSSL 1.0.1g 7 Apr 2014"). Documentation can be
found in p6runtimeapi.h.
+ (KMIP 1.3) Added KMIP 1.3 streaming to all crypto functions
including Hash.
+ OpenSSL is no longer provided as part of the SKC Toolkit.
Customers must have OpenSSL pre-installed and functional in order
to use SKC. If OpenSSL is installed in a non-standard location on
*nix machines, then the LD_LIBRARY_PATH environment variable must
be set and include the path where the OpenSSL DLLs are located.
This version of SKC is compatible with all OpenSSL versions 1.0.x.
* Renamed the P6SSF_METHOD_SSLV23 flag to P6SSF_METHOD_NEGOTIATE to
make its intended action more obvious.
1.1.0.13094
- Fixed conditional variables incorrectly calculating the timeout value.
- Fixed an exception in the regular expression engine.
- Fixed a reference counting issue in p6IDir relating to directory
enumeration.
- Fixed an issue on Windows platforms where network code could
return incorrect errors.
- Updated copyright in documentation.
- Fix release notes not displaying properly in html documentation.
- Fix broken knowledgebase link in documentation.
- Fix for JSON parsing not properly un-escaping "\\".
- Fix reference counting issue with p6IDOMXML::replaceChildAt().
- Fix issue with public and private keys using the same GUID in
p6ICryptoKey component.
- Fixed p6ISocketOptions::soLinger() not correctly setting linger time.
- Fixed memory leak in several KMIP enumerators
- Fixed signature sealing the key material to meta data did not include
the assigned UUID.
+ Updated sqlite to 3.8.4.1.
+ Updated openSSL to 1.0.1g.
+ Updated postgresql client library to 9.3.4
+ Updated zlib to 1.2.8
+ Improved binary logging of KMIP messages.
+ Added ability to link items in the keystore together, and query for linked item.
+ Added 64bit support.
+ Added experimental support for KMIP put and notify.
+ Added 6 new KMIP examples.
1.0.2.12459
- Change registry file layout to per DLL, allowing
components to be added without having to edit
the component registry file.
- Fixed a crash in the kmip example code.
- Added threading support to p6loader.
- Added multi-threaded priority queue to the p6loader.
1.0.1.12003
- Fixed a crash when calling loader function prior to call p6InitializeLoader().
1.0.0.11921
Initial Public Release.
==========================================================================
Notices
==========================================================================
SKC, P6R and "Project 6 Research" are trademarks of P6R Inc. All other
products, brands and company names referred to here are used for
identification purposes and are the property of their respective
trademark holders.