Rocky Series Release Notes
Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.
Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it to be set to False.
Added new options to the PKCS#11 Cryptographic Plugin configuration to enable the use of different encryption and HMAC mechanisms. Added support for CKM_AES_CBC encryption in the PKCS#11 Cryptographic Plugin.
Remapped the order:put policy rule to orders:put to align with the language in the orders controller.
(For deployments overriding default policies) After upgrading, please review Barbican policy files and ensure that any rules tied to order:put are remapped to orders:put.
Deprecated the p11_crypto_plugin:algorithm option. Users should update their configuration to use p11_crypto_plugin:encryption_mechanism instead.
By default, Barbican checks only the algorithm and the bit_length when creating a new secret. XTS mode splits the key in half for AES, so using AES-256 with XTS requires a 512-bit key, but Barbican allows a maximum of only 256 bits. A check for the mode was added to the _is_algorithm_supported method of the SimpleCryptoPlugin class to allow 512-bit keys for AES-XTS in this plugin.
Fixed the response code for invalid subroutes for individual secrets. The API was previously responding with the incorrect code “406 - Method not allowed”, but now responds correctly with “404 - Not Found”.
The default value of ‘control_exchange’ in ‘barbican.conf’ has been changed to ‘keystone’.
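The option renames (generate_iv, p11_crypto_plugin:algorithm) and the order:put policy remap above can be checked before an upgrade with a short audit script. This is an added example, not Barbican code. It assumes a JSON policy file, that the deprecated option is spelled algorithm, and that generate_iv sits in the [p11_crypto_plugin] section. The function names and sample inputs are constructed for illustration.

```python
import configparser
import json

# (section, deprecated option) -> replacement, as listed in the release notes.
# Assumption: generate_iv lives in [p11_crypto_plugin]; the notes name the
# section only for the algorithm option.
RENAMED_OPTIONS = {
    ("p11_crypto_plugin", "generate_iv"): "aes_gcm_generate_iv",
    ("p11_crypto_plugin", "algorithm"): "encryption_mechanism",
}
OLD_RULE, NEW_RULE = "order:put", "orders:put"

def audit_conf(conf_text):
    """Report deprecated option names still set in barbican.conf text."""
    # default_section is renamed so [DEFAULT] values are not inherited by
    # other sections, which would produce false positives here.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    findings = []
    for (section, old), new in RENAMED_OPTIONS.items():
        if parser.has_option(section, old):
            hint = "delete it" if parser.has_option(section, new) else "rename it"
            findings.append(f"[{section}] {old}: {hint} (new name: {new})")
    return findings

def audit_policy(policy_text):
    """Report overrides and references that still use the old rule name."""
    rules = json.loads(policy_text)
    findings = []
    if OLD_RULE in rules:
        hint = "delete it" if NEW_RULE in rules else "rename it"
        findings.append(f"policy {OLD_RULE}: {hint} (new name: {NEW_RULE})")
    for name, check in rules.items():
        tokens = str(check).replace("(", " ").replace(")", " ").split()
        if f"rule:{OLD_RULE}" in tokens:
            findings.append(f"policy {name}: references rule:{OLD_RULE}")
    return findings

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
algorithm = ignored_here
[p11_crypto_plugin]
generate_iv = True
algorithm = CKM_AES_GCM
encryption_mechanism = CKM_AES_CBC
"""
SAMPLE_POLICY = '{"admin": "role:admin", "order:put": "rule:admin"}'

if __name__ == "__main__":
    print("\n".join(audit_conf(SAMPLE_CONF) + audit_policy(SAMPLE_POLICY)))
```
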