Releases: tpm2-software/tpm2-pkcs11

1.10.0-rc0 (Pre-release)

01 May 17:04

[1.10.0-rc0] - 2026-05-01

Added:

  • DB Schema Change from 8 to 9.
    • Backup your DB before upgrading

Fixed:

  • Formatting of error cases.
  • tpm backend: tpm_unseal returning false, instead of NULL. Fixes compiler warnings.
  • warning: src/lib/utils.c:243:17: error: initialization discards 'const' qualifier from pointer target type.
  • missing ECDH1_DERIVE in supported mechanisms. See PR #913 for details.
  • Database upgrade failure with the message ERROR: Backup DB exists at "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.old" not overwriting....
    • Looking for .old when it should have been .bak.
  • The database version 7 to 8 upgrade could skip performing the upgrade when done through the C code; DB schema version 9 is added and the update is performed there.
  • Use the OpenSSL ASN1 helpers rather than direct struct access, since in newer OpenSSL releases the structs are opaque.

1.9.2

30 Sep 14:30

[1.9.2] - 2025-09-29

Fixed:

  • Fix tpm2_ptool destroy command failures.
  • Warning "UserWarning: Unknown distribution option: 'tests_require'" from setup.py.
  • Missing SHA1-RSA-PKCS from CKM_ALLOWED_MECHANISMS.
  • In tests requiring Python, don't override HOME as it may be needed for user installed packages.
  • Certificate finding logic in pkcs11-tool usage where --label was used instead of --token-label.
  • Configure: Fix detection of javac.
  • Configure: Fix detection of pkcs11 python module.
  • Fix incorrect logging statement in create_pkcs_store.sh.
  • Fix links in documentation.
  • Fix OpenSuse Leap CI builds.
  • Fix improper handling of chunks across IV multi-part handling.
  • Fix memory leak.

Added

  • Add support for importing persistent TPM2 keys with tpm2_ptool.

1.9.2-rc0 (Pre-release)

13 Sep 19:17

[1.9.2-rc0] - 2025-09-13

Fixed:

  • tpm2_ptool destroy removal error on persistent pobjects.
  • Warning "UserWarning: Unknown distribution option: 'tests_require'" from setup.py.
  • Missing SHA1-RSA-PKCS from CKM_ALLOWED_MECHANISMS.
  • In tests requiring Python, don't override HOME as it may be needed for user installed packages.
  • Certificate finding logic in pkcs11-tool usage where --label was used instead of --token-label.
  • Configure: Fix detection of javac.
  • Configure: Fix detection of pkcs11 python module.
  • Fix incorrect logging statement in create_pkcs_store.sh.
  • Fix links in documentation.
  • Fix OpenSuse Leap CI Builds.
  • Fix improper handling of chunks across IV multi-part handling.
  • Fix memory leak.

1.9.1

24 Sep 00:59
d7fd660

[1.9.1] - 2024-09-23

Fixed

  • configure:
    • Change mistaken += to =.
    • use user supplied --prefix even when p11kit is detected.
  • Remove warning about being unable to find FAPI when it is not compiled in and not chosen as the backend.
  • Fix memory leaks in tpm_create_transient_primary_from_template.
  • Fix NULL pointer dereference in db.c on uses of CKA_ALLOWED_MECHANISMS.
  • Fix offset miscalculation in FAPI backend that was corrupting data.
  • Support CKM_ECDH1_DERIVE via C_DeriveKey.
  • Fix usages of tpm2-ptool for its wrapped tpm2_ptool in tests.
  • Fix failing db upgrades on double conversion to int.
  • Fix db lock file bug caused by missing parentheses and operator precedence.
  • documentation:
    • Fix use of objects where tokens was meant.

Changed

  • --enable-fapi renamed to --with-fapi. Note this is not a major version bump as it is internal to builders only. However, --enable-fapi is left in place for backwards compatibility.

1.9.1-rc0 (Pre-release)

09 Sep 19:24
858c0eb

[1.9.1-rc0] - 2024-09-09

Fixed

  • configure:
    • Change mistaken += to =.
    • use user supplied --prefix even when p11kit is detected.
  • Remove warning about being unable to find FAPI when it is not compiled in and not chosen as the backend.
  • Fix memory leaks in tpm_create_transient_primary_from_template.
  • Fix NULL pointer dereference in db.c on uses of CKA_ALLOWED_MECHANISMS.
  • Fix offset miscalculation in FAPI backend that was corrupting data.
  • Support CKM_ECDH1_DERIVE via C_DeriveKey.
  • Fix usages of tpm2-ptool for its wrapped tpm2_ptool in tests.
  • Fix failing db upgrades on double conversion to int.
  • Fix db lock file bug caused by missing parentheses and operator precedence.
  • documentation:
    • Fix use of objects where tokens was meant.

Changed

  • --enable-fapi renamed to --with-fapi. Note this is not a major version bump as it is internal to builders only. However, --enable-fapi is left in place for backwards compatibility.

1.9.0 (Known to be broken, Pre-release)

31 Jan 15:49

WARNING If possible skip this update.

Details on Why:

The major takeaway is that the C code path for updating the DB schema from version 7 to 8 had a null pointer bug. This was fixed in 1.9.1, but as distros update their library versions, this bug is becoming more prevalent. I would urge folks to skip 1.9.0 and upgrade to 1.9.1 if possible. The tpm2_ptool path doesn't have this problem, but another problem was discovered in tpm2_ptool, where it couldn't handle the older hex-encoded list of CKA_ALLOWED_MECHANISMS when performing the db update. At some point the hex-encoded buffer went away and a proper sequence (list) of YAML integers was used. However, the DB code on the C path wouldn't actually apply the change; this was fixed in release 1.10.0-rc0.

[1.9.0] - 2023-01-31

Fixed

  • Fix autoconf invocation on a release tarball not being a git repo for VERSION. VERSION file now generated and packaged as part of the release tarball from the git version information.
  • Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
  • During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
  • Leave the original db on upgrade failure; a bug caused the original db to be unlinked instead of the upgraded db.
  • A bug prevented the use of CreateLoaded if the TPM supports the command.
  • When creating keys through the PKCS11 interface (not tpm2-ptool), the CKA_ALLOWED_MECHANISMS attributes were encoded as a hex string rather than a sequence of ints within the YAML. Correcting this triggers a db upgrade to schema version 8.

Added

  • Env variable PKCS11_SQL_LOCK to allow setting a lock directory, e.g. a temporary directory so lock files do not persist across reboots.

1.9.0-rc0 (Pre-release)

23 Jan 18:53

[1.9.0-rc0] - 2023-01-23

Fixed

  • Fix autoconf invocation on a release tarball not being a git repo for VERSION. VERSION file now generated and packaged as part of the release tarball from the git version information.
  • Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK is needed in the C_InitToken path.
  • During an upgrade of the database to version 4, the config key 'persistent' is added instead of 'transient', causing KeyError when using the upgraded database.
  • Leave the original db on upgrade failure; a bug caused the original db to be unlinked instead of the upgraded db.
  • A bug prevented the use of CreateLoaded if the TPM supports the command.
  • When creating keys through the PKCS11 interface (not tpm2-ptool), the CKA_ALLOWED_MECHANISMS attributes were encoded as a hex string rather than a sequence of ints within the YAML. Correcting this triggers a db upgrade to schema version 8.

Added

  • Env variable PKCS11_SQL_LOCK to allow setting a lock directory, e.g. a temporary directory so lock files do not persist across reboots.

1.8.0

21 Mar 15:17

[1.8.0] - 2022-03-21

Fixed

  • Fix GetRandom Memory Leak
  • Fix some spelling mistakes
  • Fix unit test test_parser
  • Fix importing of an RSA private key through the pkcs11 interface, which should fail.
  • Fix ECDSA signature length calculation.
  • Fix memory leak of tokens.
  • Fix suspicious sizeof usage in _str_padded_copy
  • Fix encoding errors when importing a certificate into the pkcs11 store.
  • Fix try/finally scope issues in tpm2_ptool.
  • Fix an OOB access in the db upgrade path.
  • Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.

Changed

  • remove unused macro set_safe_rc

Added

  • Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
  • Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.

1.8.0-rc0 (Pre-release)

15 Mar 14:37

[1.8.0-rc0] - 2022-03-15

Fixed

  • Fix GetRandom Memory Leak
  • Fix some spelling mistakes
  • Fix unit test test_parser
  • Fix importing of an RSA private key through the pkcs11 interface, which should fail.
  • Fix ECDSA signature length calculation.
  • Fix memory leak of tokens.
  • Fix suspicious sizeof usage in _str_padded_copy
  • Fix encoding errors when importing a certificate into the pkcs11 store.
  • Fix try/finally scope issues in tpm2_ptool.
  • Fix an OOB access in the db upgrade path.
  • Fix ECDSA length calculation that was causing issues with Mutual TLS in Firefox and Chrome.

Changed

  • remove unused macro set_safe_rc

Added

  • Add support for OpenSSL 3. Note that calls through engine are no longer supported on OpenSSL3.
  • Add tpm2_ptool export commandlet for exporting token keys into PEM and TPM blob format.

1.7.0

27 Sep 19:43

1.7.0 - 2021-09-27

  • DB Schema Change from 5 to 7.
    • Backup your DB before upgrading
  • Fixed compilation issues with GCC11.
  • Fixed errors on releases due to newer compilers from failing by only adding -Werror for non-release builds.
  • Fixed error message when the DB is too new in tpm2_ptool.
  • Added support for tpm2_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
  • Changed default log level from error to warning.
  • Added better error message for FAPI backend errors along with docs/FAPI.md document.
  • Changed tpm2_ptool make --algorithm optional.
  • Fixed the error message reporting the wrong attribute name when an expected attribute check evaluates to false.
  • Added support for ECDSA 256, 384 and 512.
  • Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to CKA_ALLOWED_MECHANISMS.
  • Added tpm2_ptool support for ECC key size 192.
  • Added support for passwordless login for tokens, i.e. not setting CKF_LOGIN_REQUIRED.
  • Fixed running integration tests when the Java version string has the -ea suffix, as on Debian 11 with OpenJDK 17.
  • Added support for HMAC keys using tpm2_ptool and the C_Sign and C_Verify interfaces.
    The following interfaces in ptool have support:
    • addkey: previous working versions of tpm2-tools will support this.
    • link: previous working versions of tpm2-tools will support this.
    • import: requires tpm2-tools 5.2+ for support.
  • Fixed leaking of temp file descriptors in tpm2_ptool.
  • Fixed wrong free in tpm code; Esys_Free should be used.
  • Fixed a space formatting issue in tpm2_ptool verify.
  • Fixed leaked file descriptor in tpm2_ptool.
  • Fixed a few suspicious sizeof usages in str_padded_copy
  • Fixed a memory leak of the token list on a failure condition in initialization.