Release Notes
Product Description
CADP for C
CADP for C provides C/C++ based APIs for performing cryptographic and key management operations using CipherTrust Manager. It communicates with the CipherTrust Manager over NAE interfaces to manage the stored objects. It can also operate over KMIP.
CipherTrust Manager
With CipherTrust Manager, organizations can leverage a range of disparate software and hardware-based encryption products, while gaining the efficiency and security benefits of having all keys stored on a centralized, hardened security appliance.
The CipherTrust Manager offers robust capabilities for managing cryptographic keys across their lifecycle, including key generation, key import and export, key rotation, and much more. The CipherTrust Manager can be integrated through open APIs with virtually any off-the-shelf encryption product, including database encryption, laptop and device encryption, file and storage level encryption, and more.
Release Description
This release of CADP for C includes the new features and enhancements listed below.
Features and Enhancements
OpenSSL Upgrade: The OpenSSL version used by CADP for C (both CAPI and PKCS#11 library) is upgraded to 3.0.8.
Supported TLS: Added support for TLS 1.3.
CADP PKCS#11
Key wrap and unwrap supported for Asymmetric keys.
Wrapping of Opaque object is supported with symmetrical keys.
Key alias is supported for symmetrical keys.
Opaque objects are supported.
GCM algorithm is supported.
Import of versioned keys is supported for symmetrical keys.
RSA DPM header format is supported for symmetrical keys.
Custom attribute supported for DSM to CM migrated keys.
Public and Private handles are now considered different entities.
CADP CAPI
External Header Support for Versioned Keys added for AES, AES/GCM, SEED, and DESede in Local mode only.
Compatibility Information
CADP for C Version 8.15.0 is compatible with CipherTrust Manager 2.13.0 and above.
Resolved and Known Issues
This section lists the issues fixed in this release. Also, the section lists the issues known to exist in the product at the time of release. The following table defines the severity of the issues listed in this section.
Severity | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
CAPI library
Resolved Issues
Issue | Severity | Synopsis |
---|---|---|
CADP-11245 | M | Problem: RSA Versioned key in persistent mode throwing error for decryption |
Known Issues
Issue | Severity | Synopsis |
---|---|---|
CADP-12271 | H | Problem: Null value being appended to decrypted text with SEED/CBC/NoPadding |
CADP-4910 | M | Problem: If connection_idle_timeout is set to 0, the batch connections do not expire after _expiredTimeDiff, which is set to 240 sec |
CADP-10883 | M | Problem: Key Wrapping and UnWrapping are not working with the KMIP |
CADP-11446 | M | Problem: Compromise Occurrence Date missing on running KMIP Revoke |
CADP-14399 | M | Problem: FPE/AES/CARD10 is not supported in remote mode with versioned key |
CADP-25156 | H | Problem: An error occurred while calling the I_C_KeyRefresh API |
Limitations
Korean algorithm ARIA is not supported in Local encryption mode.
ECIES is not supported in batching.
PKCS#11 library
Resolved Issues
Issue | Severity | Synopsis |
---|---|---|
CADP-10609 | H | Problem: Custom Attributes of the migrated key from DSM to CM cannot be retrieved |
CADP-8776 | H | Problem: When the C_FindObjects call is made by providing a specific CKA_CLASS , the same key handle is returned for the Private Key and Public Key |
CADP-8157 | H | Problem: The C_FindObjects API does not return the Key Handle of a Pre-Active versioned key |
CADP-7828 | M | Problem: Encryption with header v1.5 and v1.5base64 gives the same output |
Known Issues
Issue | Severity | Synopsis |
---|---|---|
CADP-12638 | H | Problem: Version key rotation through the C_GenerateKey API fails after 19 rotations |
CADP-12605 | M | Problem: C_GetAttributeValue returning key name along with key alias for CKA_KEY_ALIAS |
CADP-1192 | M | Problem: Setting CKA_SIGN and CKA_VERIFY when importing an AES key does not work |
CADP-12441 | M | Problem: Key/Object Handles returned by C_FindObjects are different from values returned by VAE |
CADP-7961 | M | Problem: C_DestroyObject does not delete all versions when provided a base key handle |
CADP-14324 | M | Problem: Key Imported with C_UnwrapKey does not have MUID and KEYID |
CADP-14373 | M | Problem: Export of particular version by MUID not matching with DSM values |
CADP-14502 | M | Problem: Life span shows different values in pkcs11_sample_attributes.c for particular version after migration |
CADP-14598 | M | Problem: CADP provides incorrect key state value for the DSM migrated compromised key |
CADP-13993 | M | Problem: Different Key handle for Asymmetric keys when searched with UUID |
CADP-1025 | M | Problem: Crypto usage mask for generated key is displayed as 588 |
CADP-1041 | M | Problem: Crypto operations can be done with Restricted Key in local mode |
CADP-14219 | M | Problem: Unable to change or add custom attributes of the key migrated from DSM. Workaround: Upgrade to the latest version of CM. |
CADP-16096 | M | Problem: Exponent and Modulus are not calculated for Asymmetric keys in remote mode |
CADP-14888 | M | Problem: C_FindObjects throws "Out of Memory" error for the Sun Wrapper when the count to return is zero or negative. |
Limitations
Wrapping and unwrapping are not supported for Asymmetric to Asymmetric keys.
Key Alias is not supported for Asymmetric keys and opaque objects.
Versioned Asymmetric keys are not supported.
DPM Headers are not supported for opaque objects, non-versioned keys, and Multi-part operations.
RSA DPM header is supported in LEGACY_VAE compatibility mode only.
Unwrapping of Opaque object with Symmetrical key is not supported.
Wrapping and Unwrapping of Opaque object with Asymmetrical key is not supported.
Associating an alias with a specific version of the key is not supported on the CipherTrust Manager. All the aliases get associated with the most active or latest version of the key.
Asymmetric keys cannot be found (through C_FindObjects) by using a combination of the key identifier (for example, UUID, MUID, KEYID, or ALIAS) and the key class (CKO_PUBLIC_KEY or CKO_PRIVATE_KEY).
C_GenerateKey API does not support creation of HMAC keys.
Supported Platforms
CADP for C is supported on the following platforms:
Windows
RHEL
RHEL 7.x
RHEL 8.x