SUSE-RU-2025:4418-1: important: Recommended update for openCryptoki

Wed Dec 17 08:30:14 UTC 2025

# Recommended update for openCryptoki

Announcement ID: SUSE-RU-2025:4418-1  
Release Date: 2025-12-16T16:23:10Z  
Rating: important  
References:

  * bsc#1254422
  * jsc#PED-3361

Affected Products:

  * Server Applications Module 15-SP7
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that contains one feature and has one fix can now be installed.

## Description:

This update for openCryptoki fixes the following issues:

  * Upgrade openCryptoki to 3.26 (bsc#1254422)
    * Soft: Add support for RSA keys up to 16K bits.
    * CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
    * p11sak: Add support for generating RSA keys up to 16K bits.
    * Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism
    * Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
    * p11sak: Add support for SHA-HMAC key types and key generation.
    * p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping with various key wrapping mechanism.
    * p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
    * p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
    * Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
    * EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
    * p11sak: Add support for generating BLS12-381 EC keys.
    * EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms
    * CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms
    * Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms
    * p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
    * Bug fixes. 
  * Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
    * ICA/Soft: Add support for PKCS#11 v3.0 SHAKE key derivation
    * EP11: Add support for PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
    * EP11: Add support for PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
    * EP11: Add support for PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
    * CCA: Add support for CCA AES CIPHER secure key types
    * CCA: Add support for the CKM_ECDH1_DERIVE mechanism
    * Soft/ICA: Add support for the CKM_AES_KEY_WRAP[_*] mechanisms
    * CCA/Soft/ICA: Add support for the CKM_RSA_AES_KEY_WRAP mechanism
    * Soft/ICA: Add support for the CKM_ECDH_AES_KEY_WRAP mechanism
    * ICA: Report mechanisms dependent on if libica is in FIPS mode
    * P11KMIP: Add a tool for import and exporting PKCS#11 keys to a KMIP server
    * EP11: Add support for opaque secure key blob import via C_CreateObject
    * Soft/ICA: Add support for key wrapping with AES-GCM
    * CCA: Add support for newer CCA versions on s390x and non-s390x platforms
    * CCA: Add support for CKM_AES_GCM (single-part operations only)
    * Bug fixes 
  * Amended the .spec file

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Server Applications Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2025-4418=1

## Package List:

  * Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * openCryptoki-devel-3.26.0-150700.5.6.1
    * openCryptoki-debugsource-3.26.0-150700.5.6.1
    * openCryptoki-64bit-debuginfo-3.26.0-150700.5.6.1
    * openCryptoki-debuginfo-3.26.0-150700.5.6.1
    * openCryptoki-3.26.0-150700.5.6.1
    * openCryptoki-64bit-3.26.0-150700.5.6.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1254422
  * https://jira.suse.com/browse/PED-3361

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20251217/6ae7d6ce/attachment.htm>