Rocky Series Release Notes


Deprecation Notes

  • Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.

Bug Fixes

  • Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True, as required by Safenet HSMs. Other HSMs may require it to be set to False.


New Features

  • Added new options to the PKCS#11 Cryptographic Plugin configuration to enable the use of different encryption and HMAC mechanisms. Added support for CKM_AES_CBC encryption in the PKCS#11 Cryptographic Plugin.

  • Remapped order:put to orders:put to align with the language in the orders controller.

Upgrade Notes

  • (For deployments overriding default policies) After upgrading, please review the Barbican policy files and ensure that any rules tied to order:put are remapped to orders:put.

Deprecation Notes

  • Deprecated the p11_crypto_plugin:algorithm option. Users should update their configuration to use p11_crypto_plugin:encryption_mechanism instead.

Bug Fixes

  • By default, Barbican checks only the algorithm and the bit_length when creating a new secret. XTS mode splits the key in half for AES, so using AES-256 with XTS requires a 512-bit key, but Barbican allowed a maximum of only 256 bits. A check for the mode was added to the _is_algorithm_supported method of the SimpleCryptoPlugin class to allow 512-bit keys for aes-xts in this plugin.

  • Fixed the response code for invalid subroutes for individual secrets. The API was previously responding with the incorrect code “406 - Method not allowed”, but now responds correctly with “404 - Not Found”.
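
The key-length rule behind the aes-xts fix above, as an added example that is not Barbican's own code: the function names and size tables are hypothetical, and the sketch goes beyond the note by also accepting 256-bit XTS keys (two AES-128 keys) and by rejecting keys whose two halves are identical.

```python
import secrets

AES_KEY_BITS = (128, 192, 256)   # standard AES key sizes
XTS_KEY_BITS = (256, 512)        # two equal AES-128 or AES-256 keys


def is_algorithm_supported(algorithm, bit_length, mode=None):
    """Hypothetical stand-in for the plugin check: algorithm, size and mode."""
    if algorithm.lower() != "aes":
        return False
    if (mode or "").lower() == "xts":
        # XTS splits the secret into a data key and a tweak key,
        # so the stored key is twice the AES key size.
        return bit_length in XTS_KEY_BITS
    return bit_length in AES_KEY_BITS


def split_xts_key(key):
    """Return (data_key, tweak_key); reject bad sizes and identical halves."""
    if len(key) * 8 not in XTS_KEY_BITS:
        raise ValueError("XTS key must be 256 or 512 bits long")
    half = len(key) // 2
    data_key, tweak_key = key[:half], key[half:]
    # Identical halves weaken XTS; FIPS 140 guidance requires they differ.
    if secrets.compare_digest(data_key, tweak_key):
        raise ValueError("XTS key halves must not be identical")
    return data_key, tweak_key


def generate_xts_key(bit_length=512):
    """Generate a random XTS key whose halves are distinct."""
    if bit_length not in XTS_KEY_BITS:
        raise ValueError("unsupported XTS key length")
    while True:
        key = secrets.token_bytes(bit_length // 8)
        try:
            split_xts_key(key)
            return key
        except ValueError:
            continue  # halves collided (astronomically unlikely); retry


if __name__ == "__main__":
    key = generate_xts_key(512)
    data_key, tweak_key = split_xts_key(key)
    print(len(key) * 8, len(data_key) * 8, len(tweak_key) * 8)
```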

Other Notes

  • The default value of ‘control_exchange’ in ‘barbican.conf’ has been changed to ‘keystone’.