I would like to announce the release of tpm2-pkcs11 version 1.4.0. There are two
highlights for this release
That I would like to point out:
- Support for integrating with the tss2-fapi library via selectable backends. The ESAPI
and Sqlite3 database will continue to be the default.
- Support for "linking" existing tpm2 objects into a token. These objects can be
raw tpm blobs from tpm2_create, or tss2 engine PEM blobs.
The release has the following CHANGELOG:
### 1.4.0 - 2020-08-24
* Fix superflous error message when falling back from TPM2\_EncryptDecrypt2 interface.
* Support importing EC keys via tpm2\_ptool import.
* C\_InitToken: Fix improper SRK handle of 0x81000000, it should be 0x81000001.
* Fix a leak in in tpm.c of an EVP\_PKEY object.
* C\_GenerateKeyPair: was not adding PSS signatures as supported by RSA objects, add
* Fix PSS signatures. Non-FIPS mode TPMs produce PSS signatures with a
max salt len that poses interoperability issues with verifying clients,
notably TLS in OpenSSL.
* Fix Java PKCS11 Provider Signature Verification: #401
* VerifyRecover support, known working with Public Key RSA objects and
* db: Modfiy search and create behavior. See
* Fix printf(3) format specifier errors.
* ci: increase CI coverage to: Fedora 30, Ubuntu 16.04, Ubuntu 18.04.
* configure: check for Python version >= 3.7 and pass to Automake. No
need to set PYTHON\_INTERPRETER anymore.
* Fix segfault/memory corruption bugs in C\_Destroy().
* Fix segfault when no user pin is provisioned.
* Support C\_SetAttributeValue.
* Support for selectable backend using TPM2\_PKCS11\_BACKEND=esysdb being current
* Support for backend fapi that uses the tss2-fapi keystore instead of an sqlite db.
- This is auto-detected based on tss2-fapi being installed at configure time, and can
* C\_CreateObject: Support for CKO\_DATA objects only with CKA\_PRIVATE set to CK\_TRUE.
defaults to CK_TRUE.
* Fix: src/lib/ssl\_util.c:555:54: error: passing argument 3 of
'EVP\_PKEY\_verify\_recover' from incompatible pointer type
* Added tpm2\_ptool link commandlet for linking existing tpm2 objects into a compatible
token. For details see
Supported tpm2 objects are:
- serialized TPM2B_PUBLIC and TPM2B_PRIVATE data structures, as produced by
-u and -r outputs
- PEM encoded keys produced by
The release can be found here: