kryoptic-lib 1.5.1

A PKCS #11 software token written in Rust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289

# Changelog

All notable changes to this project should be documented in this file.

## [Unreleased]

## [1.5.1]
## 2026-06-04

This release adds important bug fixes and minor additional features on top of
the 1.5.0 release.

### What Changed

* Added support for deduplicating objects on insertion
    - [Add support for object
       dedup](https://github.com/latchset/kryoptic/pull/453)

* Added a user guide and manpages
    - [Add Kryoptic user guide](https://github.com/latchset/kryoptic/pull/443)

* Added openssl bindings for GCM-SIV
    - [ossl: Add support for
       GCM-SIV](https://github.com/latchset/kryoptic/pull/440)

* Added debug logging for PKCS#11 entry-points
    - [Refactor lib.rs and add PKCS#11 API-level
       logging](https://github.com/latchset/kryoptic/pull/427)

## [1.5.0]
## 2026-03-04

### What Changed

* Added support to save and restore operations state
    - [Add support for C_[Get|Set]OperationState
       functions](https://github.com/latchset/kryoptic/pull/389)

* Support for CKM_TLS12_MASTER_KEY_DERIVE_DH
    - [Minor TLS improvements](https://github.com/latchset/kryoptic/pull/399)

* Removed memorydb backend
    - [R.I.P Memory backend](https://github.com/latchset/kryoptic/pull/415)

* Refactor code that exposes handles the fips provider and defer KAT self-tests
    - [Fips defer tests](https://github.com/latchset/kryoptic/pull/423)

## [1.4.0]
## 2025-11-24

This release adds more PKCS#11 compatibility/completeness features as well
as fixes various issues.

One of the most notable additions is support for the a mechanism to derive
public keys from private keys. This allows to better handle tokens where only
the private key has been imported, but no corresponding public key object.
To make this more effective and efficient the code now automatically
generates and stores the `CKA_PUBLIC_KEY_INFO` attribute for all asymmetric
key types.

### What Changed

* Added support to store Trust Objects
    - [Add support for CKO_TRUST
       objects](https://github.com/latchset/kryoptic/pull/348)

* Added support for CKO_PROFILE objects
  - [Support CKO_PROFILES objects in
     Kryoptic](https://github.com/latchset/kryoptic/pull/353)

* Support for CKM_PUB_KEY_FROM_PRIV_KEY
  - [Implement simple derivation function that extracts a public key from a
     private key](https://github.com/latchset/kryoptic/pull/357)

* Support for CKA_PUBLIC_KEY_INFO
  - [Store computed CKA_PUBLIC_KEY_INFO on
     keys]( https://github.com/latchset/kryoptic/pull/366)

* Fixed an error that could return sensitive values to an
  **authenticated** user when the CKA_SENSITIVE flag is set to true.
  - [Add test for sensitive key attribute
     extraction](https://github.com/latchset/kryoptic/pull/373)

## [1.3.1]
## 2025-09-18

This is a bugfix release that addresses an issue with publishing to crates.io.

### What Changed

* fix issus publishing to crates.io
  - [Remove large test vectors from release
     artifacts](https://github.com/latchset/kryoptic/pull/337)

# [1.3.0]
## 2025-09-18

This release splits the kryoptic crate in four separate crates:
- ossl: the bindings to openssl libraries
- kryoptic: the kryoptic pkcs11 token (the .so module)
- kryoptic-lib: the builk fo the implementation of kryoptic functionality
- kryoptic-tools: utility tools (like softhsm2 migration tools)

The split between kryoptic and kryoptic-lib was necessary because of the way
cargo handles libs and cdylibs, both can't be built from the same crate

The PKCS#11 3.2 API is now the default API offered to applications.
New mechanisms have been added, see the rest of the changelog for details.

### What Changed

* The project was reorganized in a workspace with several crates
 - [Switch cargo setup to a workspace with several
    packages](https://github.com/latchset/kryoptic/pull/263)
 - [Rename and restructure some of the crates we recently
    crated](https://github.com/latchset/kryoptic/pull/281)

* Added support for SP800 ECDH KDF variant
 - [Support Sp800 ECDH KDF
    flavor](https://github.com/latchset/kryoptic/pull/273)

* PKCS#11 3.2 is now the default interface
 - [Make PKCS#11 3.2 the default
    interface](https://github.com/latchset/kryoptic/pull/276)

* Implemented simple KDF functions for key concatenation and XOR of
  a base key with provided data.
 - [Implement simple KDFs](https://github.com/latchset/kryoptic/pull/278)

* Added support for SLH-DSA keys and operations
 - [Add support for SLH-DSA](https://github.com/latchset/kryoptic/pull/316)

* Change the OSSL bindings license to Apache 2.0
 - [Change ossl lisence to ASL 2.0](https://github.com/latchset/kryoptic/pull/322)

* Added support for DSA signature algorithm and 3DES cipher for OSSL bindings
 - [Add support for legacy algorithms (DSA, 3DES)](https://github.com/latchset/kryoptic/pull/321)

* Added support for automatically deriving Private Key value from seed for
  ML-DSA and ML-KEM
  - [Handle imports where only the Seed is
     provided](https://github.com/latchset/kryoptic/pull/330)

* Added OpenPGP (RFC9580) relevant legacy algorithms in ossl bindings
  - [Implement remaining legacy algorithms needed for OpenPGP](https://github.com/latchset/kryoptic/pull/334)

# [1.2.0]
## 2025-06-09

This release adds support for PQC algorithms, comprehensive doc string coverage
and a few important compatibility fixes in the database format and key wrapping
data formats.

### What Changed

* The jsondb storage backend has been removed
  - [Drop jsondb](https://github.com/latchset/kryoptic/pull/262)

* Added initial support for tracing logs
  - [Add some basic infrastructure to perform
     tracing](https://github.com/latchset/kryoptic/pull/259)

* Added support for FFDH key generation and derivation
  - [Add support fo FFDH key generation and
     derivation](https://github.com/latchset/kryoptic/pull/257)

* Added support for ML-DSA signature scheme

* Added support for SignatureVerify APIs with all algorithms
  - [Support SignatureVerify APIs with all
     algorithms](https://github.com/latchset/kryoptic/pull/216)

* Fixed a database format bug that would affect cross-platform portability
  - [Add better support for array of
     attributes](https://github.com/latchset/kryoptic/pull/219)

* Added doc string with Gemini's help to most files
  - [Add more documentation strings and cleanup
     changes](https://github.com/latchset/kryoptic/pull/229)

* Made Token Info more spec compliant and added relevant information like the
  software release version.
  - [Make token info a little more
     useful](https://github.com/latchset/kryoptic/pull/237)

* Fix Asymmetric keys export format for Key Wrapping and extend it to all EC key
  types
  - [Fix PrivateKeyInfo ASN.1
     structure](https://github.com/latchset/kryoptic/pull/238)
  - [Add Key wrapping support and tests for all EC
     keys](https://github.com/latchset/kryoptic/pull/239)

# [1.1.0]
## 2025-04-14

This release fixes several issues found by 3rd party testing, and adds
preliminary support for PKCS#11 3.2 APIs.
The PKCS#11 3.2 API allows us to add Post Quantum algorithms.
This release adds support for the first PQ algorithm (ML-KEM).
Both the pkcs#11 3.2 API and ML-KEM are optional features and can be
both enabled by passing --feature mlkem at build time.

### What Changed

* Added support for PKCS#11 3.2 interfaces
  - [Pkcs11 3.2 Draft](https://github.com/latchset/kryoptic/pull/149)

* Added support for Key Encapdulation/Decapsulation and ML-KEM Support
  - [Add Encapsulation/Decapsulation and ML-KEM
     support](https://github.com/latchset/kryoptic/pull/197)

* Sundry fixes that result in minor, but visible, behavior changes:
  - [Deal with length query
     issues](https://github.com/latchset/kryoptic/pull/185)
  - [aes: Restrict AES-GCM to at least 1B tag
     length](https://github.com/latchset/kryoptic/pull/189)
  - [Fix incorrect error returned on un-initialized
     operations](https://github.com/latchset/kryoptic/pull/192)
  - [Ensure token store objects can be extracted if the right booleans are
     set](https://github.com/latchset/kryoptic/pull/194)
  - [Fix check for object sensitivity as per
     spec](https://github.com/latchset/kryoptic/pull/198)
  - [ecdh: Fix max ECDH output
     size](https://github.com/latchset/kryoptic/pull/203)
  - [Fix C_WrapKey size query](https://github.com/latchset/kryoptic/pull/202)

* Minor enhancements:
  - [Add Stricter FIPS options to
     configuration](https://github.com/latchset/kryoptic/pull/199)
  - [Allow digesting AES keys and add test
     coverage.](https://github.com/latchset/kryoptic/pull/204)


# [1.0.0]
## 2025-03-11

### What Changed

This is the first release.

Kryoptic implements most of the functions available in the PKCS#11 3.1 spec with
the exception of some message based operations.

The initial version supports both symmetric and asymmetric algorithms.
Asymmetric Algorithms:
- ECDSA
- EDDSA
- ECDH
- RSA

Symmetric Algorithms:
- AES

Hashes and HMAC:
- SHA1
- SHA2 (224, 256, 384, 512, 512/224, 512/256)
- SHA3 (224, 256, 384, 512)

Key derivation functions:
- PBKDF2
- HKDF
- SP108
- SSHKDF
- TLSKDF

The token supports 2 main database types:
- sqlitedb: this is the default and the recommended option
- nssdb: a NSS softokn database driver, which allows to reuse
an existing token (this is the same format used by the Firefox
security token)

Kryoptic uses OpenSSL (3.2+) for most of the cryptography primitives.
A static build option is available with libcrypto.a (or libfips.a with the
fips feature), or dynamic linking to the system libcrypto.so (default) is
available.

Unimplemented functions are noted in the source code and can be easily
explored by building the documentation. There is a Makefile file to provide
shortcut commands for common tasks, use `make docs` to build documentation
that includes non public interfaces.

[1.0.0]: https://github.com/latchset/kryoptic/releases/tag/v1.0.0
[1.1.0]: https://github.com/latchset/kryoptic/releases/tag/v1.1.0
[1.2.0]: https://github.com/latchset/kryoptic/releases/tag/v1.2.0
[1.3.0]: https://github.com/latchset/kryoptic/releases/tag/v1.3.0
[1.3.1]: https://github.com/latchset/kryoptic/releases/tag/v1.3.1
[1.4.0]: https://github.com/latchset/kryoptic/releases/tag/v1.4.0
[1.5.0]: https://github.com/latchset/kryoptic/releases/tag/v1.5.0
[1.5.1]: https://github.com/latchset/kryoptic/releases/tag/v1.5.1