4.126. openCryptoki

An updated openCryptoki package that fixes four bugs is now available for Red Hat Enterprise Linux 5.
The openCryptoki package contains version 2.11 of the Public-Key Cryptography Standards (PKCS) #11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).

Bug Fixes

BZ#538879
Prior to this update, the process to unwrap an Advanced Encryption Standard (AES) key could, under certain circumstances, fail after a hardware cryptographic token was initialized. As a result, openCryptoki returned the error "CKR_TEMPLATE_INCOMPLETE". This update modifies the AES key unwrapping process so that it no longer fails.
BZ#539168
Prior to this update, the message authentication code (MAC) could, under certain circumstances, fail to be verified when using the PKCS#11 API for the acceleration of cryptographic instructions, and the error "411 = MAC did not verify." was returned. This update modifies the underlying code so that the MAC is now computed successfully after being offloaded to the CPACF.
BZ#541028
Prior to this update, openCryptoki did not correctly recognize whether secure-key crypto support was installed when the pkcs11_startup and pkcs_slot scripts were running. As a consequence, the Common Cryptographic Architecture (CCA) token did not work correctly. This update modifies the pkcs11_startup and pkcs_slot scripts to improve the secure-key crypto support check. Now, the CCA token works as expected.
BZ#612274
Prior to this update, openCryptoki used linked lists to track objects and sessions in memory, performing an exhaustive search in practically every PKCS#11 call. As a consequence, the overall performance of cryptographic operations degraded exponentially with the number of objects per token or open sessions per process. This update modifies the underlying source code so that the overall performance remains constant.
All users of openCryptoki are advised to upgrade to these updated packages, which fix these bugs.