After three years of waiting, the 3.0.0 release is finally here! It brings support for OpenSSL 3.x, Post-Quantum Cryptography (PQC), new commands, updated grammar for wrapped keys, new wrapping methods, better integration with libpkcs11shim, support for new token types (including Kryoptic), a major overhaul of the with_xxx wrapper scripts, a distribution build subsystem leveraging Docker, and many other improvements. Please refer to the manual and the change log for details.
Note that the toolkit is now built with OpenSSL 3.x (libcrypto >= 3.0.0), and support for OpenSSL 1.1.1 has been dropped. Support for older platforms (AIX, Solaris) has also been deprecated, and will be removed from the source base (unless a contributor with access to those platforms volunteers).
On the PQC front, the three NIST/PKCS#11 v3.2 algorithms ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) are now supported. p11keygen can generate mlkem, mldsa and slhdsa key pairs, and p11req/p11mkcert can produce CSRs and self-signed certificates for ML-DSA and SLH-DSA keys. Key generation and object inspection work with any OpenSSL 3.x; public key export, CSR and certificate creation require libcrypto >= 3.5.0. PQC support is enabled by default and can be turned off with --disable-pqc.
The with_xxx wrapper scripts have also been thoroughly reworked. They now share a single, POSIX /bin/sh implementation (with_pkcs11_common), automatically locate the vendor library (including the Homebrew prefix on macOS), and gain new options: -c/-e to create or edit a .pkcs11rc configuration file, -n for interactive slot selection, and -s/-S to trace PKCS#11 calls through libpkcs11shim. The .pkcs11rc lookup now supports vendor-specific files (.pkcs11rc.<vendor>). Two new wrappers are provided, with_aws (AWS CloudHSM) and with_kryoptic (Kryoptic).
We hope you enjoy the new release, and we look forward to your feedback and contributions!
[3.0.0] - 2026-06-30
Added
- support for Post-Quantum Cryptography (PQC): the three NIST/PKCS#11 v3.2 algorithms ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) are now supported.
p11keygencan generatemlkem,mldsaandslhdsakey pairs; the parameter set is selected through-bfor ML-KEM (512,768,1024) and ML-DSA (44,65,87), and through-qfor SLH-DSA ({sha2,shake}-{128,192,256}{s,f}, e.g.sha2-128sorshake-256f).p11ls,p11od,p11catandp11moredisplay and export the new key types, andp11req/p11mkcertcan produce CSRs and self-signed certificates for ML-DSA and SLH-DSA keys. PQC support is enabled by default and can be turned off at compile time with--disable-pqc; key generation and object inspection only require any OpenSSL 3.x, while public key export, CSR and certificate creation additionally requirelibcrypto >= 3.5.0(when older, those operations are disabled while key generation and inspection remain available).bash/zshcompletion has been extended to the new key types and parameter sets - new boolean attributes
CKA_ENCAPSULATEandCKA_DECAPSULATE, and new template attributesCKA_ENCAPSULATE_TEMPLATEandCKA_DECAPSULATE_TEMPLATE, used by key encapsulation mechanism (KEM) keys.p11lsreports the matchingncp/dcpcapability flags andnct/dcttemplate flags, andp11slotinfolists thencp(Encapsulation) anddcp(Decapsulation) mechanism abbreviations - new command
p11init, to initialize a token (C_InitToken) and/or its user/crypto officer PIN (C_InitPIN), or to reset (reinitialize) an existing token. The SO PIN and user PIN must be passed as arguments (-O/-P, thePKCS11PASSWORDenvironment variable is not honoured), the:::exec:convention is supported, slots are addressed by index, a batch mode is available (-B), and reinitializing an already initialized token requires the explicit-Rflag (with an interactive confirmation unless in batch mode) - support public key extraction for libraries with non-compliant
CKA_EC_POINTimplementations (with no OCTET STRING encapsulation) - support for Docker builds
- support for Windows 64-bit cross-compilation via MinGW-w64 (
buildx/Dockerfile.mingw64) - OpenSSL 3 provider-based signing support for RSA, DSA, ECDSA and EdDSA
- Docker build support for local source builds (
buildx.sh --local-source) - Docker build support for additional PKCS#11 headers injection (
buildx.sh --extra-header) p11reqandp11mkcertnow support RSA-PSS signature (add-a pssarguments to select it)p11keygencan now generate RSA keys with a custom public exponent, through the new-e <exponent>option (default65537)p11kcvbeefed up, to support multiple MACing algorithms, as well as displaying the value ofCKA_CHECK_VALUE- support for wrapping keys in JOSE Web Key format (JWK, RFC 7178)
- new option
--enable-duplicate, to override duplicate label protection when creating or importing a key (must be enabled at compile time) - search templates: it is now possible to add other attributes in a search, to filter out on more than one attribute
- support for PKCS#11 v3.0
CKM_AES_KEY_WRAP_KWPmechanism as an RFC5649 implementation; selectable viarfc5649(flavour=CKM_AES_KEY_WRAP_KWP)in wrapping algorithm strings - the
# wrapping algorithm:informational header of a wrapped-key file now reports the concrete inner and outer mechanisms for envelope wraps (e.g.Envelope (inner=PKCS#11 v3.0 CKM_AES_KEY_WRAP_KWP (RFC5649), outer=PKCS#1 OAEP)) instead of a bareEnvelopelabel, making it possible to see which RFC5649 mechanism was actually used when a token advertises several. This is a comment-only change; it does not alter the machine-readableWrapping-Algorithm:line and is fully backwards-compatible withp11unwrap. - shell completion for all
p11*tools, for bothbashandzsh. Completion covers command options, key types, elliptic curves, wrapping algorithms, SAN prefixes and file paths; when a library is provided (via-lorPKCS11LIB) it also completes live slot indexes and token labels, and when a PIN is also provided (via-porPKCS11PASSWORD) it completes existing PKCS#11 object names. Completion files are installed under$(datadir)/bash-completion/completions/and$(datadir)/zsh/site-functions/, and are auto-loaded on demand by the completion framework (no sourcing required). p11slotinfo: new-Loption, which lists all slots holding an initialized token in a machine-readableindex:labelformat. It runs non-interactively and performs no login; it is primarily intended to drive shell completion.
Changed
- build now requires OpenSSL 3.0.0 or above (
libcrypto >= 3.0.0) - Docker build files refactored to better support local repository builds, corporate proxies and static OpenSSL 3 fallback on older targets
with_xxxwrapper scripts refactored: all common logic now lives in a single, POSIX/bin/shfile (with_pkcs11_common) sourced by every wrapper, removing the previouszshdependency. New options are available across all wrappers:-n(no slot / interactive selection),-sand-S dest(SHIM tracing),-c(create a commented.pkcs11rctemplate),-e(open.pkcs11rcin$VISUAL/$EDITOR) and-h(usage help). Library auto-detection now probes common system locations and the Homebrew prefix (HOMEBREW_PREFIX), and can be overridden withPKCS11LIB. The.pkcs11rclookup walks up from the current directory to$HOME, honours a vendor-specific.pkcs11rc.<vendor>file in priority over the generic one, and exposes$_p11_vendorso a shared.pkcs11rccan dispatch per vendor. New wrapperswith_aws(AWS CloudHSM) andwith_kryoptic(Kryoptic) are provided, andwith_utimaconow auto-detects the R3 client library (falling back to R2). The previousSPY/pkcs11-spy.somechanism is replaced bySHIM/libpkcs11shim
Fixed
- small fix on with_xxx wrappers, replacing space with underscore in reply code
p11rmcan now delete all objects of a given class: the labelscert,pubk,prvk,seckanddataare accepted as shortcuts for the corresponding object class (the command was already documented to support this)- memory leak fixed in
p11reqandp11mkcert: theX509andX509_REQstructures were not released after use - AES key wrap mechanism auto-selection: the
compare_mech_type()qsort comparator computed*(b) - *(a)onCK_MECHANISM_TYPE(unsigned long) values and truncated the result toint. For vendor-defined mechanisms (e.g.CKM_VENDOR_DEFINED-based value>= 0x80000000) this overflowed, which is undefined behaviour and produced an incorrect, non-total ordering. On the affected platforms it sorted standard mechanisms after vendor-specific ones, contrary to the documented "standard mechanism preferred" behaviour (impacting both therfc3394andrfc5649auto-pick lists). Replaced with a well-defined ascending comparison(a>b)-(a<b), so standard mechanisms (CKM_AES_KEY_WRAP,CKM_AES_KEY_WRAP_PAD,CKM_AES_KEY_WRAP_KWP) are now reliably attempted before vendor-specific variants on all platforms. Output is unchanged for the common single-mechanism case; the byte-compatible RFC3394/RFC5649 result is also unchanged when multiple mechanisms are advertised.