Release Notes
Introduction
These release notes apply to version 3.2.0 of the nShield Web Services Option pack for Security World. They contain information specific to this release such as new features, defect fixes, and known issues.
Features of nShield Web Service Option Pack 3.2.0
New configuration option
-
New Security world configuration:
WSOP now accesses the Security world files, like the module and world files, from the database instead of the kmdata directory. There is a new
HKNSO
configuration option for the hash value which must be set before starting WSOP.See Configure the Web Services Option Pack in the User Guide for more information.
New Algorithm support
Support for following encryption and decryption algorithms has been added:
-
RSA-OAEP-384
-
RSA-OAEP-512
RSA-OAEP Label support added
As defined in RFC 8017, support has been added for a label L input for encryption and decryption operations with RSA-OAEP.
Please refer to the REST API section of the User Documentation for more information.
New PKCS #11 migration support
PKCS #11 object migration support for the following key types has been added to the DBMT:
-
CKK_SHA256_HMAC
-
CKK_SHA384_HMAC
-
CKK_SHA512_HMAC
-
CKK_RSA
New PKCS #11 functionality
-
Support for message digesting and random number generation functions:
-
C_DigestInit
-
C_Digest
-
C_DigestUpdate
-
C_DigestFinal
-
C_GenerateRandom
-
-
New mechanisms for message digest:
-
CKM_SHA_1
-
CKM_SHA224
-
CKM_SHA256
-
CKM_SHA384
-
CKM_SHA512
-
CKM_SHA3_224
-
CKM_SHA3_256
-
CKM_SHA3_384
-
CKM_SHA3_512
-
-
Generation of RSA keys with
C_GenerateKeyPair
:-
CKK_RSA
key types generated usingCKM_RSA_PKCS_KEY_PAIR_GEN
-
-
New RSA mechanisms for encrypt and decrypt:
-
CKM_RSA_PKCS
-
CKM_RSA_PKCS_OAEP
which is supported when used with aCK_RSA_PKCS_MGF_TYPE
value that is one of the following:-
CKG_MGF1_SHA1
-
CKG_MGF1_SHA256
-
CKG_MGF1_SHA384
-
CKG_MGF1_SHA512
-
-
-
New RSA mechanisms for sign and verify:
-
CKM_SHA256_RSA_PKCS
-
CKM_SHA384_RSA_PKCS
-
CKM_SHA512_RSA_PKCS
-
CKM_SHA256_RSA_PKCS_PSS
-
CKM_SHA384_RSA_PKCS_PSS
-
CKM_SHA512_RSA_PKCS_PSS
-
-
New AES mechanism for encrypt and decrypt:
-
CKM_AES_GCM
(not supported with Security Worlds conforming to FIPS 140 Level 3)
-
PKCS #11 v3.0 compliance.
This release is compliant with PKCS #11 Version 3.0 (https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html). Support for the following has been added:
-
CKO_PROFILE
objects. -
CKP_BASELINE_PROVIDER
conforming to the Baseline Provider Clause defined in section 3.3 of PKCS #11 Cryptographic Token Interface Profiles Version 3.0 (https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.html). -
Cancellation of active operations by calling
C_EncryptInit
,C_DecryptInit
,C_SignInit
,C_VerifyInit
, orC_DigestInit
withpMechanism
set toNULL_PTR
. -
CKA_UNIQUE_ID
. This attribute can also be used for objects created in earlier versions of the WSOP PKCS #11 library. -
C_GetInterface
andC_GetInterfaceList
. Interface versions 2.40 and 3.0 are supported.
Compatibility
Supported hardware
This release is targeted at deployments with any of the following nShield HSMs:
-
nShield Solo PCI Express (500+, and 6000+)
-
nShield Solo XC (Base, Mid, High)
-
nShield nShield 5S (Base, Mid, High)
-
nShield Connect (500+, 1500+, and 6000+)
-
nShield Connect XC (Base, Mid, High, Serial Console)
-
nShield nShield 5C (Base, Mid, High, Serial Console)
Supported operating systems
This release has been tested for compatibility with the following operating systems:
-
Red Hat Enterprise Linux Server 7 x64
-
Red Hat Enterprise Linux Server 8 x64
-
Red Hat Enterprise Linux Server 9 x64
-
SUSE Enterprise Linux 12 x64
-
SUSE Enterprise Linux 15 x64
-
Oracle Enterprise Linux 7.6 x64
-
Oracle Enterprise Linux 8 x64
Additionally the PKCS #11 library has been tested for compatibility with the following operating systems:
-
Windows Server 2019 x64
-
Windows Server 2022 x64
-
Windows 10 x64
-
Windows 11 x64
Supported Security World versions
This release can be used with the following nShield Security World Software installations:
-
Security World v12.80
-
Security World v13.3+ and v13.4+
Security World v12.8x is required in order to migrate kmdata files using the Database Management Tool. |
Firmware versions supported by the 12.60 release are also supported by WSOP. See the nShield 12.80 Security World Software release notes for further details.
Defect Fixes
Reference | Description in v3.1 | Fix in v3.2 |
---|---|---|
NSE-52845 |
When operating close to the active Protection Domain capacity limit, attempts to activate further domains can sometimes be blocked and available capacity in the cache lost. |
Cache behaviour for Protection Domain activations has been improved. |
NSE-54972 |
N/A |
Fixed an issue in the Web Services PKCS#11 library where setting CKA_WRAP or CKA_UNWRAP in a key generation template could override values of CKA_SIGN and CKA_VERIFY. |
NSE-54829 |
N/A |
It is now possible to create a CKO_CERTIFICATE object with CKA_TRUSTED = CK_FALSE using the Web Services PKCS#11 library. |
NSE-53998 |
N/A |
Fixed an issue where corecrypto error messages could be truncated when recorded in the Web Services PKCS#11 library log file. |
NSE-52902 |
N/A |
Improved accuracy of log messages for ulCount in C_GenerateKey and C_CreateObject in the Web Services PKCS#11 library log file. |
NSE-54419 |
N/A |
The correct version information is now reported back by the DBMT. |
NSE-54535 |
N/A |
The branding of the release notes documentation has been corrected. |
NSE-54495 |
N/A |
Fixed the issue where the DBMT required a combined certificate and key file for the TLS connection instead of individual files as specified in the configuration file. |
NSE-55660 |
N/A |
The command line interface of the DBMT has been improved for usability regarding migrating an individual key via the appname and keyident values. |
NSE-56545 |
N/A |
Fixed an issue in the PKCS#11 library where conflicting entries for the same attribute in the template supplied to C_FindObjects could result in invalid search results. |
NSE-56423 |
N/A |
Fixed an issue in the PKCS#11 library where C_FindObjects can fail to return matching objects when the template includes a value for CKA_OBJECT_ID that contains NUL bytes. |
NSE-56737 |
N/A |
Fixed an issue in the PKCS#11 library where parallel calls to C_Logout on the same session could result in function failure. |
NSE-56124 |
N/A |
Fixed an issue which prevented the WSOP server from using an HSM protected private key for TLS. |
NSE-56353 |
N/A |
Improvements have been made to key record data for future compatibility. |
NSE-54687 |
N/A |
Fixed a DBMT issue which could cause an error when attempting to upgrade a very large quantity of keys. |
NSE-57049 |
N/A |
Fixed an issue in the Web Services PKCS#11 library that would cause C_GetSlotList to return 0 slots if the library had to retry the web request. |
Known Issues
Reference | Description |
---|---|
NSE-48648 |
The Web Services PKCS#11 library has a dependency on a third party called |
NSE-53106 |
String fields such as CKA_LABEL and CKA_APPLICATION should not contain any HTML character for example |
NSE-54022 |
The WSOP server can temporarily become unresponsive if a large number of time intensive requests are sent concurrently. This will cease when the requests are completed. |
NSE-56651 |
An incorrect HTTP response status code of 422 is returned (instead of 400) when a key generation request is rejected because the key ident parameter contains non-alphanumeric characters. |
NSE-56623 |
Key records from previous releases may be incompatible with future releases of WSOP and be limited in future functionality. It is recommended that a new database is used for this release to ensure maximum future compatibility. |
NSE-56871 |
The |
NSE-56921 |
WSOP will not self recover if the connection to the MongoDB server is interrupted enough for the periodic health check to fail. If this happens, the WSOP service will need to be restarted before the system can resume operation. |
NSE-57190 |
When a CRL is processed, invalid certificates can be ignored silently. However, a successfully revoked certificate is reported correctly in the logs. |