1.137. openCryptoki
1.137.1. RHBA-2009:1685: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1685
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).
These updated openCryptoki packages provide fixes for the following bugs:
* after initializing a hardware cryptographic token, attempting to unwrap an AES key failed and caused openCryptoki to return a "CKR_TEMPLATE_INCOMPLETE" error code. With this update, AES key unwrapping now succeeds as expected. (BZ#540471)
* the openCryptoki API enables programs to offload the computation of the message authentication code (MAC) to the Central Processor Assist for Cryptographic Function (CPACF) of cryptographic hardware. When using PKCS#11 for the acceleration of cryptographic instructions, openCryptoki returned an error code of "411", indicating that the MAC was unable to be verified. With this update, the MAC is now computed successfully after being offloaded to the CPACF. (BZ#540474)
* openCryptoki was not properly recognizing that secure-key crypto support was installed, and so the "CCA" token was not being enabled for use. (BZ#545379)
All users of openCryptoki are advised to upgrade to these updated packages, which resolve these issues.