Version 1.1

@simo5 simo5 released this 16 Sep 18:24

The pkcs11-provider team is proud to announce version 1.1.
This version introduces support for Quantum Resistant algorithms via PKCS#11 3.2 interfaces and has initial support for the new opaque symmetric keys that OpenSSL supports via the EVP_SKEY interfaces.

Notable Changes

  • EVP_SKEY support for AES ciphers and HKDF key derivation
  • PKCS#11 3.2 support
  • Support for the ML-DSA Quantum Resistant algorithm

What's Changed

  • docs: fix some typos flagged by Lintian by @bluca in #519
  • Drop use of certtool from setup by @simo5 in #520
  • Allow Raw RSA signatures by @simo5 in #522
  • tests: make tlsfuzzer tests compatible with openssl-3.5 by @The-Mule in #525
  • Fix handling of Invalid attributes by @Jakuje in #526
  • Cleanup and corner case of RSA-PSS handling by @Jakuje in #524
  • Allow custom clang-format and clang-format-diff by @bukka in #534
  • Add CFLAGS to the custom code generation by @bukka in #537
  • Fix CS in p11prov_obj_pool_free by @bukka in #539
  • Debug logs time by @bukka in #532
  • Debug logs extra by @bukka in #531
  • ci: Fix DNF caching by @Jakuje in #527
  • Fix CS in the generate code by @bukka in #541
  • packaging: Enable gpgcheck by default for downstream builds by @Jakuje in #542
  • Correctly handle some aspects of key import by @simo5 in #544
  • FIX: Compare attributes of type bignum as native-endian bignum by @bashmachnikov in #545
  • tests: extend FIPS mode to NSS softokn by @The-Mule in #548
  • Prevent login prompt when reading public RSA keys by @Jakuje in #549
  • CI: Add testing with OpenSSL master branch by @The-Mule in #550
  • CI: split openssl action into two jobs by @The-Mule in #554
  • Add support for EVP_SKEY with AES cipher by @simo5 in #553
  • Test disabling symmetric operation for tokens by @simo5 in #561
  • Run all pkcs11 tests from libssh by @Jakuje in #564
  • Remove unused environment variables by @Jakuje in #566
  • Allow build on RHEL 8 by @manison in #572
  • Ensure CMS with Explicit EC works by @simo5 in #563
  • Fine tune how default slot is selected by @simo5 in #578
  • Add proper version and build info to provider by @simo5 in #577
  • Fix covscan checks by @simo5 in #579
  • Import covscan fixes from the covscan branch by @simo5 in #581
  • AES: better handling of ctx params by @simo5 in #585
  • Update changed-files to a newer version by @simo5 in #587
  • Update interfaces to Pkcs11 32 by @simo5 in #591
  • Fix RSA fallback signing/verification code by @simo5 in #593
  • tests: tpkey: make function without return value return void by @a3f in #594
  • Add login-behaviour to p11prov_rand_generate session by @sandevins in #598
  • Add support for new composite signature functions available from OpenSSL 3.4 onwards by @simo5 in #596
  • Split signature algorithms in separate files by @simo5 in #600
  • Fix pkcs11 header file bug by @simo5 in #604
  • Fix coverity check container by @simo5 in #605
  • Add support for ML-DSA by @simo5 in #602
  • tests: Silence a new shellcheck warning by @neverpanic in #608
  • Fix warnings when building against older OpenSSL by @neverpanic in #607
  • Fix errors when performing an openssl req by @sandevins in #615
  • Improve support of OSSL_OBJECT_SKEY by @beldmit in #617
  • Run more ML-DSA tests and fix unhandled corner cases by @Jakuje in #619
  • We already have the P11PROV_OBJ* we need by @beldmit in #621
  • tests: enable ML-DSA for kryoptic token only by @The-Mule in #624
  • test: skip ml-dsa pkey tests on demand by @The-Mule in #625
  • test: skip ml-dsa pkey tests on demand (fixed) by @The-Mule in #628
  • Add support for crazy low level TLS-MAC unpacking by @simo5 in #630
  • Add a couple of tests to build on ARM-64 by @simo5 in #623
  • Implement SKEY derive for HKDF by @simo5 in #631
  • Fix bug in PKCS#11 header by @simo5 in #633

New Contributors

Full Changelog: v1.0...v1.1.0