Prepare for release 2.7.0

[bukka]

Summary by CodeRabbit

• New Features

  • Release 2.7.0 published with user-facing improvements and updates.

• Bug Fixes

  • Numerous fixes across build, docs, tests, and runtime behaviors improving stability and compatibility.

• Chores

  • Version bumped to 2.7.0
  • Updates to CI, documentation, and test infrastructure; comprehensive NEWS entry added.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @NEWS:
- Line 3: Update the release date in the NEWS entry that currently reads
"SoftHSM 2.7.0 - 2025-01-12" to the correct date "SoftHSM 2.7.0 - 2026-01-12";
locate the header string "SoftHSM 2.7.0 - 2025-01-12" in the NEWS file and
replace the year 2025 with 2026.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eba7ac6 and f404ae8.

📒 Files selected for processing (3)

• CMakeLists.txt
• NEWS
• configure.ac

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

📚 Learning: 2025-09-11T16:54:00.370Z

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Applied to files:

• NEWS
• configure.ac

📚 Learning: 2025-11-11T19:42:46.886Z

Learnt from: JoaoHenrique12
Repo: softhsm/SoftHSMv2 PR: 823
File: src/lib/SoftHSM.cpp:58-58
Timestamp: 2025-11-11T19:42:46.886Z
Learning: SoftHSM include policy: Algorithm key/parameter headers (e.g., SLHParameters, SLH*Key) are included unconditionally in SoftHSM.cpp/SoftHSM.h; feature gating is handled in mechanism tables and CryptoFactory (WITH_*). Avoid wrapping such includes in WITH_* guards.

Applied to files:

• NEWS

📚 Learning: 2025-10-27T16:44:57.865Z

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

Applied to files:

• NEWS

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Windows (x64, botan)
• GitHub Check: macOS (openssl)
• GitHub Check: Linux with Botan
• GitHub Check: Windows (x86, openssl)
• GitHub Check: Linux with OpenSSL 3.0
• GitHub Check: Windows (x64, openssl)
• GitHub Check: macOS (botan)
• GitHub Check: Linux with OpenSSL 1.1.1

🔇 Additional comments (4)

configure.ac (2)

10-11: LGTM! Version macros correctly updated for 2.7.0 release.

The version bump is consistent with the changes in CMakeLists.txt and the new release notes in NEWS.

---

21-23: Verify whether library version info should be updated.

The release notes indicate several new mechanisms were added (RSA_AES_KEY_WRAP, ECDSA with hashing, etc.). According to the versioning rules in lines 16-19, if the PKCS#11 interface was extended with new mechanisms, SOFTHSM_VERSION_CURRENT and SOFTHSM_VERSION_AGE should be incremented, and SOFTHSM_VERSION_REVISION should be reset to 0.

Please confirm whether the library's public interface has changed and whether the version info needs updating accordingly.

CMakeLists.txt (1)

65-68: LGTM! Version correctly updated to 2.7.0.

The version variables are properly synchronized with the configure.ac changes.

NEWS (1)

5-44: Release notes content looks comprehensive.

The release notes properly document the user-visible changes with appropriate issue references. The formatting is consistent with historical entries in the NEWS file.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @NEWS:
- Line 34: Fix the typo in the release notes entry for Issue #578 by changing
"flushig" to "flushing" in the NEWS content line that currently reads "* Issue
#578: Added flushig files before unlocking".

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f404ae8 and 82a2fb1.

📒 Files selected for processing (3)

• CMakeLists.txt
• NEWS
• configure.ac

🚧 Files skipped from review as they are similar to previous changes (1)

• configure.ac

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

📚 Learning: 2025-09-11T16:54:00.370Z

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Applied to files:

• NEWS

📚 Learning: 2025-11-11T19:42:46.886Z

Learnt from: JoaoHenrique12
Repo: softhsm/SoftHSMv2 PR: 823
File: src/lib/SoftHSM.cpp:58-58
Timestamp: 2025-11-11T19:42:46.886Z
Learning: SoftHSM include policy: Algorithm key/parameter headers (e.g., SLHParameters, SLH*Key) are included unconditionally in SoftHSM.cpp/SoftHSM.h; feature gating is handled in mechanism tables and CryptoFactory (WITH_*). Avoid wrapping such includes in WITH_* guards.

Applied to files:

• NEWS

📚 Learning: 2025-10-27T16:44:57.865Z

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

Applied to files:

• NEWS

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Windows (x64, openssl)
• GitHub Check: macOS (botan)
• GitHub Check: Windows (x86, openssl)
• GitHub Check: Linux with OpenSSL 3.0
• GitHub Check: Windows (x64, botan)

🔇 Additional comments (2)

CMakeLists.txt (1)

65-68: LGTM! Version bump is consistent.

The version update from 2.6.1 to 2.7.0 is correctly applied across VERSION, VERSION_MINOR, and VERSION_PATCH variables.

NEWS (1)

3-3: The NEWS file already correctly shows SoftHSM 2.7.0 - 2026-01-12. No change needed.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typo in release notes.

"flushig" should be "flushing".

✏️ Proposed fix

-* Issue #578: Added flushig files before unlocking
+* Issue #578: Added flushing files before unlocking

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	* Issue #578: Added flushig files before unlocking
	* Issue #578: Added flushing files before unlocking

🤖 Prompt for AI Agents

In @NEWS at line 34, Fix the typo in the release notes entry for Issue #578 by
changing "flushig" to "flushing" in the NEWS content line that currently reads
"* Issue #578: Added flushig files before unlocking".

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

NEWS (1)

3-44: Polish the 2.7.0 NEWS entry (date, bullet markers, a couple typos).

• The header date is 2026-01-12, which is in the future relative to this PR (created 2026-01-10); confirm that’s intended.
• Consider using * consistently (instead of #) for bullet items, and fix “flushig” → “flushing” + the “extend / RSA-OAEP check” wrap.

Proposed minimal diff

-SoftHSM 2.7.0 - 2026-01-12
+SoftHSM 2.7.0 - 2026-01-12

 * Various other build, docs, CI and test fixes
-# Issue #671: Added allowed mechanism check to AsymEncryptInit and extend
-  RSA-OAEP check
-# Issue #648: Fixed C_GetMechanismInfo to fail on non-allowed mechanisms
-# Issue #816: Add support to import RSA PSS in softhsm2-util
-# Issue #604: Updated pkcs11 header to version 3.2.0
-# Issue #794: Added RSA_AES_KEY_WRAP support
-# Issue #683: Added support for ECDSA with hashing
-# Issue #781: Added --disable-openssl-engines configure option to disable
-  OpenSSL engines
-# Issue #612: Added support to import certificate to softhsm2-util
-# Issue #643: Fixed growing memory in C_DecryptUpdate
-# Issue #690: Replaced CKR_GENERAL_ERROR with CKR_ENCRYPTED_DATA_INVALID
-  or CKR_ENCRYPTED_DATA_LEN_RANGE upon decryption failure
-# Issue #733: Added GitHub Actions CI
-# Issue #681: Fixed refresh of OSToken by passing isToken=true to
-  Generation::create()
-# Issue #677: Fixed memory leak in SoftHSM::UnwrapKeySym.
-# Issue #611: Added --show-config parameter to softhsm2-util
-# Issue #674: Fixed broken if statement in UnwrapKey
-# Issue #664: Fixed crash in AES GCM without additional authenticated data
-# Issue #646: Fixed "Transaction in database is already active." bug
+* Issue #671: Added allowed mechanism check to AsymEncryptInit and extended RSA-OAEP check
+* Issue #648: Fixed C_GetMechanismInfo to fail on non-allowed mechanisms
+* Issue #816: Add support to import RSA-PSS in softhsm2-util
+* Issue #604: Updated pkcs11 header to version 3.2.0
+* Issue #794: Added RSA_AES_KEY_WRAP support
+* Issue #683: Added support for ECDSA with hashing
+* Issue #781: Added --disable-openssl-engines configure option to disable OpenSSL engines
+* Issue #612: Added support to import certificate to softhsm2-util
+* Issue #643: Fixed growing memory in C_DecryptUpdate
+* Issue #690: Replaced CKR_GENERAL_ERROR with CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE upon decryption failure
+* Issue #733: Added GitHub Actions CI
+* Issue #681: Fixed refresh of OSToken by passing isToken=true to Generation::create()
+* Issue #677: Fixed memory leak in SoftHSM::UnwrapKeySym.
+* Issue #611: Added --show-config parameter to softhsm2-util
+* Issue #674: Fixed broken if statement in UnwrapKey
+* Issue #664: Fixed crash in AES GCM without additional authenticated data
+* Issue #646: Fixed "Transaction in database is already active." bug
 * Issue #644: Refactored CMake for Windows (amendment in #717)
 * Issue #717: Enabled DB backend for Windows
 * Issue #600: Implemented CKM_XXX_CBC_PAD wrapping and unwrapping mechanisms
 * Issue #592: Fixed issue #585 by resetting en/decrypt op on input validation
 * Issue #591: Enforced attributes becoming read-only once set to CK_TRUE on
   CKA_WRAP_WITH_TRUSTED and CKA_SENSITIVE
 * Issue #571: Added misc derivations
-* Issue #578: Added flushig files before unlocking
+* Issue #578: Added flushing files before unlocking
 * Issue #577: Reduced the level of the log message when SoftHSM is already
   initialized
 * Issue #576: Fixed race condition between C_FindObjects and object creation
   (issue #573)
 * Issue #560: Added "objectstore.umask" configuration option for file/directory
   creation
 * Issue #522: Fixed advertised min and max mechanism sizes according to final
   PKCS#11 3.0 specification.
 * Issue #548: Fixed engines clean up after OpenSSL has already shut down

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82a2fb1 and 99f5d90.

📒 Files selected for processing (3)

• CMakeLists.txt
• NEWS
• configure.ac

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

📚 Learning: 2025-09-11T16:54:00.370Z

Learnt from: bukka
Repo: softhsm/SoftHSMv2 PR: 815
File: src/lib/SoftHSM.cpp:6543-6546
Timestamp: 2025-09-11T16:54:00.370Z
Learning: SoftHSM PR #815 (pkcs11.h 3.1.0 update, CK_RSA_AES_KEY_WRAP_PARAMS fix): Maintainer bukka prefers to keep scope minimal (header sync and param rename only); broader OAEP parameter enforcement or backend plumbing is out of scope for this PR and should be handled in a follow-up issue.

Applied to files:

• NEWS
• configure.ac

📚 Learning: 2025-11-11T19:42:46.886Z

Learnt from: JoaoHenrique12
Repo: softhsm/SoftHSMv2 PR: 823
File: src/lib/SoftHSM.cpp:58-58
Timestamp: 2025-11-11T19:42:46.886Z
Learning: SoftHSM include policy: Algorithm key/parameter headers (e.g., SLHParameters, SLH*Key) are included unconditionally in SoftHSM.cpp/SoftHSM.h; feature gating is handled in mechanism tables and CryptoFactory (WITH_*). Avoid wrapping such includes in WITH_* guards.

Applied to files:

• NEWS

📚 Learning: 2025-10-27T16:44:57.865Z

Learnt from: antoinelochet
Repo: softhsm/SoftHSMv2 PR: 809
File: src/lib/SoftHSM.cpp:5550-5596
Timestamp: 2025-10-27T16:44:57.865Z
Learning: SoftHSM ML‑DSA additional context: avoid transient malloc in SoftHSM::{AsymSignInit, AsymVerifyInit}; let Session::setParameters deep‑copy SIGN_ADDITIONAL_CONTEXT by allocating one buffer for struct + context bytes and fixing the stored pointer; Session::resetOp frees m_pParameters so both struct and context are released.

Applied to files:

• NEWS

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Windows (x64, openssl)
• GitHub Check: Windows (x86, openssl)
• GitHub Check: macOS (botan)
• GitHub Check: macOS (openssl)
• GitHub Check: Linux with Botan
• GitHub Check: Linux with OpenSSL 3.0
• GitHub Check: Windows (x64, botan)
• GitHub Check: Linux with OpenSSL 1.1.1

🔇 Additional comments (2)

CMakeLists.txt (1)

65-68: Version bump in CMakeLists is consistent and low-risk.

configure.ac (1)

9-11: Libtool versioning appears correct for this release.

Program version 2.7.0 is consistent across configure.ac and CMakeLists.txt. The SOFTHSM_VERSION_CURRENT/AGE/REVISION (2:5:1) remaining unchanged aligns with the minimal scope of this release—header synchronization and parameter definition updates per PKCS#11 3.1.0 without ABI-breaking changes. No stale 2.6.1 references remain.

[jschlyter]

Do you want #837 in the release as well, or save it for later?

[bukka]

Do you want #837 in the release as well, or save it for later?

If you approve it, I can put it there (should not be really risky as it's non default) but it doesn't necessarily need to be there. :)

[bukka]

Thinking about #837, I will actually leave it for the next release as I might play with the format a bit (e.g. adding ms and possibly tweak it a bit as well).