New Features/Improvements/Bug Fixes
Support for Oracle TDE heartbeat ciphertext caching (JIRA: PROD-3660).
Internal dependency (tokio/mio) updates
- Added support for AES CMAC in PKCS#11 (JIRA: PROD-3418).
- Fixed an error where the PKCS#11 library creates threads even if CKF_LIBRARY_CANT_CREATE_OS_THREADS is passed (JIRA: PROD-3818).
- Improvements to memory management of C_FindObjects while using the PKCS#11 library (JIRA: PROD-3354).
opaque_objects_are_not_certificates = true setting.
- Fixed PKCS#11 library where AES keys were getting created as HMAC when using the "signing_aes_key_as_hmac" option (JIRA: PROD-3591).
- Fixed issues in "AES-GCM Wrap" and "AES-CMAC" (JIRA: PROD-3425).
- Added support for encrypted PKCS#8 format (API) (JIRA: PROD-1953).
- Fixed an issue where integrating HSMG with nCipher fails with “pkcs11: 00000000 Error: Module 1 has failed”.
- The default number of slots is reduced to 32 from 500:
Applications use the Fortanix DSM PKCS#11 library to interact with Fortanix DSM for key management and cryptographic operations. The PKCS#11 specification has notions of slots and tokens, which correspond to physical entities in an HSM. Multiple clients or applications connecting to a token on an HSM have equal access to the entire keyspace. However, Fortanix DSM allows access to several applications simultaneously while guaranteeing strong cryptographic separation of key spaces. This is equivalent to every application having access to its own HSM. The Fortanix DSM PKCS#11 library implements this by mapping the application credential to the user PIN, and by having an arbitrarily large number of slots (numbered from 0), each with a single token (numbered 1) already initialized. The number of slots defaults to 32 (numbered 0-31) and can be configured through the environment variable