<div class="container">
<h1>Recommended update for openCryptoki</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:4418-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-12-16T16:23:10Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254422">bsc#1254422</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-3361">jsc#PED-3361</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Server Applications Module 15-SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that contains one feature and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for openCryptoki fixes the following issues:</p>
<ul>
<li>Upgrade openCryptoki to 3.26 (bsc#1254422)<ul>
<li>Soft: Add support for RSA keys up to 16K bits.</li>
<li>CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).</li>
<li>p11sak: Add support for generating RSA keys up to 16K bits.</li>
<li>Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism</li>
<li>Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.</li>
<li>p11sak: Add support for SHA-HMAC key types and key generation.</li>
<li>p11sak: Add support for key wrap and unwrap commands to export and import private
and secret keys by means of key wrapping/unwrapping with various key wrapping mechanism.</li>
<li>p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.</li>
<li>p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.</li>
<li>Add support for canceling an operation via NULL mechanism pointer at
C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).</li>
<li>EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using
CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.</li>
<li>p11sak: Add support for generating BLS12-381 EC keys.</li>
<li>EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms</li>
<li>CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms</li>
<li>Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms</li>
<li>p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.</li>
<li>Bug fixes. </li>
</ul>
</li>
<li>Upgrade openCryptoki to version 3.25 (jsc#PED-3361)<ul>
<li>ICA/Soft: Add support for PKCS#11 v3.0 SHAKE key derivation</li>
<li>EP11: Add support for PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms</li>
<li>EP11: Add support for PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP</li>
<li>EP11: Add support for PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms</li>
<li>CCA: Add support for CCA AES CIPHER secure key types</li>
<li>CCA: Add support for the CKM_ECDH1_DERIVE mechanism</li>
<li>Soft/ICA: Add support for the CKM_AES_KEY_WRAP[_*] mechanisms</li>
<li>CCA/Soft/ICA: Add support for the CKM_RSA_AES_KEY_WRAP mechanism</li>
<li>Soft/ICA: Add support for the CKM_ECDH_AES_KEY_WRAP mechanism</li>
<li>ICA: Report mechanisms dependent on if libica is in FIPS mode</li>
<li>P11KMIP: Add a tool for import and exporting PKCS#11 keys to a KMIP server</li>
<li>EP11: Add support for opaque secure key blob import via C_CreateObject</li>
<li>Soft/ICA: Add support for key wrapping with AES-GCM</li>
<li>CCA: Add support for newer CCA versions on s390x and non-s390x platforms</li>
<li>CCA: Add support for CKM_AES_GCM (single-part operations only)</li>
<li>Bug fixes </li>
</ul>
</li>
<li>Amended the .spec file</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Server Applications Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2025-4418=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>openCryptoki-devel-3.26.0-150700.5.6.1</li>
<li>openCryptoki-debugsource-3.26.0-150700.5.6.1</li>
<li>openCryptoki-64bit-debuginfo-3.26.0-150700.5.6.1</li>
<li>openCryptoki-debuginfo-3.26.0-150700.5.6.1</li>
<li>openCryptoki-3.26.0-150700.5.6.1</li>
<li>openCryptoki-64bit-3.26.0-150700.5.6.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254422">https://bugzilla.suse.com/show_bug.cgi?id=1254422</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-3361">https://jira.suse.com/browse/PED-3361</a>
</li>
</ul>
</div>