2024.1 Series Release Notes

18.0.0-3

Deprecation Notes

  • The [p11_crypto_plugin]hmac_keywrap_mechanism option has been replaced by [p11_crypto_plugin]hmac_mechanism. This option was renamed to avoid confusion since this mechanism is only used to sign encrypted data and never used for key wrap encryption.

Security Issues

  • The PKCS#11 backend driver has been updated to support newer Key Wrap mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for compatibility with older devices that have not yet implemented PKCS#11 Version 3.0.

Bug Fixes

  • Fixed Bug #2036506 - This patch replaces the hard-coded CKM_AES_CBC_PAD mechanism used to wrap pKEKs with an option to configure this mechanism. Two new options have been added to the [p11_crypto_plugin] section of the configuration file: key_wrap_mechanism and key_wrap_generate_iv. These options default to CKM_AES_CBC_PAD and True respectively to preserve backwards compatibility.

18.0.0

Upgrade Notes

  • The deprecated certificate order resource was removed. Because of this, the create order API no longer accepts the certificate type.

  • The certificate plugin and the certificate event plugin were both removed, because these were used for deprecated certificate resources.

  • The token_label option in the PKCS#11 driver has been removed.

Deprecation Notes

  • The following database options in the [DEFAULT] section were renamed and moved to the [database] section.

    • [DEFAULT] sql_connection was renamed to [database] connection

    • [DEFAULT] sql_idle_timeout was renamed to [database] connection_recycle_time

    • [DEFAULT] sql_max_retries was renamed to [database] max_retries

    • [DEFAULT] sql_retry_interval was renamed to [database] retry_interval

    • [DEFAULT] sql_pool_size was renamed to [database] max_pool_size

    • [DEFAULT] sql_pool_max_overflow was renamed to [database] max_overflow
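
An added example, not code from the Barbican project or from these release notes: a Python check that scans barbican.conf text for the options renamed or removed in the notes above and for a key wrap mechanism other than the one recommended for new deployments. The function name, the sample configuration and the section assumed for token_label are illustrative assumptions.

```python
import configparser

P11 = "p11_crypto_plugin"
# Old (section, option) -> new (section, option), as listed in the notes above.
RENAMED = {
    ("DEFAULT", "sql_connection"): ("database", "connection"),
    ("DEFAULT", "sql_idle_timeout"): ("database", "connection_recycle_time"),
    ("DEFAULT", "sql_max_retries"): ("database", "max_retries"),
    ("DEFAULT", "sql_retry_interval"): ("database", "retry_interval"),
    ("DEFAULT", "sql_pool_size"): ("database", "max_pool_size"),
    ("DEFAULT", "sql_pool_max_overflow"): ("database", "max_overflow"),
    (P11, "hmac_keywrap_mechanism"): (P11, "hmac_mechanism"),
}
REMOVED = [(P11, "token_label")]  # assumption: the option lived in this section

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
sql_connection = mysql+pymysql://barbican:example-password@db.example.test/barbican
sql_pool_size = 10
[p11_crypto_plugin]
token_label = example-token
hmac_keywrap_mechanism = CKM_SHA256_HMAC
"""

def audit_config(text):
    """Return (level, section, option, advice) findings for barbican.conf text."""
    # Move configparser's inherited default section aside so [DEFAULT] is an
    # ordinary section; allow '%' in values and repeated (multi-valued) keys.
    cfg = configparser.ConfigParser(default_section="__unused__", interpolation=None, strict=False)
    cfg.read_string(text)
    found = []
    for (sec, opt), (nsec, nopt) in RENAMED.items():
        if cfg.has_option(sec, opt):
            found.append(("deprecated", sec, opt, f"use [{nsec}] {nopt}"))
    for sec, opt in REMOVED:
        if cfg.has_option(sec, opt):
            found.append(("removed", sec, opt, "delete this option"))
    # key_wrap_mechanism defaults to CKM_AES_CBC_PAD when it is not set.
    if cfg.has_section(P11):
        mech = cfg.get(P11, "key_wrap_mechanism", fallback="CKM_AES_CBC_PAD")
        if mech != "CKM_AES_KEY_WRAP_KWP":
            found.append(("review", P11, "key_wrap_mechanism",
                          f"{mech} in use; new deployments should use CKM_AES_KEY_WRAP_KWP"))
    return found

if __name__ == "__main__":
    for level, sec, opt, advice in audit_config(SAMPLE):
        print(f"{level:10} [{sec}] {opt}: {advice}")
```
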

Security Issues