OASIS Pub Key Crypto Std PKCS #11 CRYPTOgraphic TOKen Interface
'crypto-key' API. Provides a standard, discoverable installation
configuration setup and a way to load and enumerate modules.
For more information see the project home page:
https://p11-glue.github.io/p11-glue/p11-kit.html
The following test packages have been uploaded to the Cygwin distribution:
- p11-kit 0.26.2-1
- p11-kit-server 0.26.2-1
- p11-kit-trust 0.26.2-1
- libp11-kit-doc 0.26.2-1
- libp11-kit-devel 0.26.2-1
- libp11-kit0 0.26.2-1
In addition to many other changes, this package has been converted from
autotools to meson/ninja/cmake build.
Please test these packages as extensively as possible, especially if you
are a Cygwin package maintainer, as they are used by many security apps.
Package maintainers should install this test release and rerun checks of
as many libraries and packages depending on these packages as possible.
If no issues are reported in the next few weeks, this release may be
promoted to current stable.
For changes since the previous Cygwin release, see below or, after
installation, read /usr/share/doc/ncurses/NEWS:
0.26.2
- rpc: fix NULL dereference via C_DeriveKey with specific NULL parameters
(CVE-2026-2100)
0.26.1
- trust: Ensure compatibility of CKA_NSS_TRUST and CKA_TRUST
0.26.0
- pkcs11: Update PKCS11 headers to version 3.2
- trust: Lookup DNs in reverse order (RFC4514 section 2.1)
- Update translations
0.25.10
- ci fixes
0.25.9
- subprojects/pkcs11-json: Update git submodule
0.25.8
- rpc: Unbreak protocol compatibility by reverting "rpc: Correctly map
Mozilla certificate distrust attributes"
0.25.7
- Build fixes from tarball with Meson
0.25.6
- rpc: Add module configuration option to specify server address
- rpc: Correctly map Mozilla certificate distrust attributes
- rpc: Fix empty array attribute handling
- server: Remove libsystemd dependency for socket activation
- Avoid segfault if p11_library_init_impl/p11_library_uninit are called
multiple times
- Add zsh completions
- pkcs11: Update pkcs11.h to version 3.1
- pkcs11: Add IBM specific mechanisms
- server: check SHELL if (and only if) neither --sh nor --csh is specified
- trust: don't create file names longer than 255
- trust: sort paths for reproducible extract
- Build and test fixes
- Update translations
0.25.5
- iter: fix recursive attribute loading
- fix building on FreeBSD 14.0 (amd64)
- test fix
0.25.4
- rpc: add support for recursive attributes
- p11-kit: add function to check run-time version of the library
- p11-kit: expose version information through macros
- p11-kit: add option to specify CKA_ID in generate-keypair and
import-object commands
- p11-kit: add --provider option to specify PKCS#11 module when using
p11-kit commands
- p11-kit: fix a bug where eddsa mechanism isn't recognized in generate-keypair
- p11-kit: fallback to C_GetFunctionList when C_GetInterface returns
CKR_FUNCTION_NOT_SUPPORTED
- bug and build fixes
0.25.3
- rpc: fix serialization of NULL mechanism pointer
- fix meson build failure in macOS (appleframeworks not found)
0.25.2
- fix error code checking of readpassphrase for --login option
- build fixes
- test fixes
0.25.1
- fix probing of C_GetInterface
- p11-kit: add command to list tokens
- p11-kit: add command to list mechanisms supported by a token
- p11-kit: add command to generate private-public keypair on a token
- p11-kit: add commands to import/export certificates and public keys
into/from a token
- p11-kit: add commands to list and delete objects of a token
- p11-kit: add --login option to login into a token with object and
profile management commands
- p11-kit: adjust behavior of PKCS#11 profile management commands
- p11-kit: print PKCS#11 URIs in list-modules
- bug and build fixes
- test fixes
0.25.0
- add PKCS#11 3.0 support
- add support for profile objects
- add ability to adjust module and config paths at run-time via system
environmental exports
- make terminal output nicer
- p11-kit: add command to print merged configuration
- p11-kit: add commands to list, add and delete profiles of a token
- trust: add command to check format of .p11-kit files
- virtual: fix libffi type signatures for PKCS#11 3.0 functions
- server: fix umask setting when --group is specified
- server: check SHELL only when neither --sh nor --csh is specified
- rpc: use space string in C_InitToken
- rpc: fix two off-by-one errors identified by asan
- modules: make logging message more translatable
- pkcs11.h: support CRYPTOKI_GNU for IBM vendor mechanisms
- pkcs11.h: add IBM specific mechanism and attributes
- pkcs11.h: add ChaCha20/Salsa20 and Poly1305 mechanisms
- pkcs11.h: add AES-GCM mechanism parameters for message-based encryption
- po: update translations from Transifex
- bug and build fixes
- test fixes
0.24.1
- rpc: Support protocol version negotiation
- proxy: Support copying attribute array recursively
- Link libp11-kit so that it cannot unload
- Translation improvements
- Build fixes
0.24.0
- Use inclusive language on certificate distrust. Note: This changes
the directory and attribute names to distrust certain CAs to
"blocklist"
- Fix issues spotted by coverity and ASan
- Integrate gettext with tools more tightly
- rpc: Forbid use of array of attributes
- Build fixes
0.23.22
- Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
- anchor: Prefer persistent format when storing anchor
- common: Fix infloop in p11_path_build
- proxy: C_CloseAllSessions: Make sure that calloc args are non-zero
- common: Check for a NULL locale before freeing it
- Build and test fixes
0.23.21
- proxy: Do not assign duplicate slot IDs
- common: Get program name based on executable path if possible
- anchor: Exit with non-zero code, if any error occurs
- Build and test fixes