-
Enhancement
-
Resolution: Fixed
-
P3
-
7
-
b134
-
generic
-
generic
-
Verified
The SunPKCS11 provider does not support CKM_AES_CTR. This should be fixed.
That may require JCE API changes (a new Spec class) since counter mode is currently not fully supported by the JCE APIs. The SunJCE provider uses IvParameterSpec to pass the initial counter value and assumes a counter size equal to the block size, but PKCS #11 v2.20 Amendment 3 allows arbitrary, user specified counter sizes and RFC 3686 (AES for IPsec) uses a 32-bit bit counter. PKCS#11 also specifies that an error is produced if the counter overflows.
That may require JCE API changes (a new Spec class) since counter mode is currently not fully supported by the JCE APIs. The SunJCE provider uses IvParameterSpec to pass the initial counter value and assumes a counter size equal to the block size, but PKCS #11 v2.20 Amendment 3 allows arbitrary, user specified counter sizes and RFC 3686 (AES for IPsec) uses a 32-bit bit counter. PKCS#11 also specifies that an error is produced if the counter overflows.
- relates to
-
JDK-8001284 Buffer problems with SunPKCS11-Solaris and CKM_AES_CTR
- Closed