Release Notes
Product Description
CADP for C
CADP for C provides C/C++ based APIs for performing cryptographic and key management operations using CipherTrust Manager. It communicates with the CipherTrust Manager over KMIP and NAE interfaces to manage the stored objects.
CipherTrust Manager
With the CipherTrust Manager, organizations can leverage a range of disparate software and hardware-based encryption products, while gaining the efficiency and security benefits of having all keys stored on a centralized, hardened security appliance.
The CipherTrust Manager offers robust capabilities for managing cryptographic keys across their lifecycle, including key generation, key import and export, key rotation, and much more. The CipherTrust Manager can be integrated through open APIs with virtually any off-the-shelf encryption product, including database encryption, laptop and device encryption, file and storage level encryption, and more.
Release Description
This release of CADP for C includes the new features and enhancements listed below.
Features and Enhancements for CADP CAPI
- Upgraded OpenSSL: OpenSSL version 1.1.1g, used by CADP CAPI 8.12.1, is affected by the vulnerability CVE-2022-0778. OpenSSL is therefore upgraded from 1.1.1g to 1.1.1n to address the vulnerability.
- Added domain support.
- Added support for versioned key in FPE in the local and persistent mode.
- Added support for Charset range in FPE in the Local and Persistent mode.
- Added support to preserve special characters.
- Added support to use Charset through FPE/AES command line.
- The old log levels (LOW, MEDIUM, HIGH) are changed to ERROR, WARN (default), and INFO respectively.
Features for CADP PKCS#11
- Upgraded OpenSSL version 1.0.2j to 1.0.2zd to address the vulnerability issue.
- Key creation, deletion, and import.
- Key wrap and unwrap.
- Single and multipart encryption and decryption.
- Sign and verify certificates.
- Support for custom attributes.
- Support for Digest and HMAC algorithms.
- Ability to modify key states.
- Support for symmetric key caching.
- Added log levels named NONE, ERROR, WARN, INFO, and DEBUG.
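
To confirm that a deployed build carries the OpenSSL upgrades listed above for CADP CAPI (1.1.1n) and CADP PKCS#11 (1.0.2zd), the OpenSSL version string found in a binary can be compared against those two floors. The following is an added example and not part of the product or its documentation; the function names and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-3.0 OpenSSL version "MAJOR.MINOR.FIX[letters]", e.g. 1.1.1n or 1.0.2zd. */
struct ossl_ver { long num[3]; int patch; };

/* Patched-release floors taken from these release notes (CAPI, PKCS#11). */
static const char *const FLOORS[] = { "1.1.1n", "1.0.2zd" };

/* Returns 0 on success, -1 on a malformed string.
 * Letter suffix order: none < a..z < za..zz, so "zd" is 26 + 4 = 30. */
static int parse_ossl(const char *s, struct ossl_ver *v)
{
    char *end;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s)) return -1;
        v->num[i] = strtol(s, &end, 10);
        s = end;
        if (i < 2 && *s++ != '.') return -1;
    }
    v->patch = 0;
    for (; *s; s++) {
        if (*s < 'a' || *s > 'z') return -1;
        if (s[1] != '\0' && *s != 'z') return -1; /* only 'z' may precede a letter */
        v->patch += *s - 'a' + 1;
    }
    return 0;
}

/* 1 = at or above the floor for its branch, 0 = below it (upgrade needed),
 * -1 = unparsable, or a branch these notes do not mention. */
int meets_release_floor(const char *found)
{
    struct ossl_ver f, fl;
    if (parse_ossl(found, &f) != 0) return -1;
    for (size_t i = 0; i < sizeof FLOORS / sizeof FLOORS[0]; i++) {
        parse_ossl(FLOORS[i], &fl);
        if (f.num[0] == fl.num[0] && f.num[1] == fl.num[1] && f.num[2] == fl.num[2])
            return f.patch >= fl.patch;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, not output from a real deployment. */
    const char *samples[] = { "1.1.1g", "1.1.1n", "1.0.2j", "1.0.2zd", "3.0.2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], meets_release_floor(samples[i]));
    return 0;
}
```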
Compatibility Information
CADP for C Version 8.13.0 is compatible with CipherTrust Manager 2.11.1 LTS and higher versions.
Resolved and Known Issues
This section lists the issues fixed in this release. Also, the section lists the issues known to exist in the product at the time of release. The following table defines the severity of the issues listed in this section.
| Severity | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
Resolved Issues
CADP CAPI
| Issue | Severity | Synopsis |
|---|---|---|
| CADP-7641 CADP-5953 | C | Summary: Upgrade the OpenSSL version to 1.1.1n. |
Known Issues
CADP CAPI
| Issue | Severity | Synopsis |
|---|---|---|
| CADP-4910 | M | Problem: If connetion_idle_timeout is set to 0, the batch connections do not expire after _expiredTimeDiff, which is set to 240sec. |
| CADP-1041 | M | Problem: Crypto operations can be done with Restricted Key in local mode. |
CADP PKCS#11
| Issue | Severity | Synopsis |
|---|---|---|
| CADP-7828 | M | Problem: Encryption with header v1.5 and v1.5base64 gives the same output. |
| CADP-8776 | H | Problem: When the C_FindObjects call is made by providing a specific CKA_CLASS, the same key handle is returned for the Private Key and Public Key. |
| CADP-8157 | H | Problem: The C_FindObjects API does not return Key Handle of a Pre-Active versioned key. |
| CADP-7961 | M | Problem: C_DestroyObject does not delete all versions when provided a base key handle. |
| CADP-1192 | M | Problem: Setting CKA_SIGN and CKA_VERIFY when importing an AES key does not work. |
Limitations
CADP CAPI
- Korean algorithm ARIA is not supported in local encryption mode.
- ECIES is not supported in batching.
CADP PKCS#11
- SHA1 and MD5 algorithms are not supported.
- Key alias is not supported.
- Opaque objects are not supported.
- GCM algorithm is not supported.
- Wrapping and unwrapping is only supported for symmetric keys.
- Import of versioned keys is not supported.
- RSA Data Protection Manager (DPM) header format with multipart encrypt and decrypt is not supported.
- RSA DPM header format is not supported for versioned keys.