Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8221442

Update SunPKCS11 provider with PKCS11 v2.40 support

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P3 P3
    • 13
    • security-libs
    • None
    • minimal
    • No risk as new header files are backward compatible with older versions.
    • Other
    • Implementation

      Summary

      PKCS#11 standard is updated to v2.40 (Base specification - http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html with other specifications listed under "Related Work" section on the same page) in April 2015 with errata published one year later in 2016. SunPKCS11 provider should update to v2.40 accordingly.

      Problem

      The implementation of SunPKCS11 is mostly based on PKCS#11 v2.20 release. It lacks support for some algorithms, attributes, etc., added through out the various releases of PKCS#11 standard.

      Solution

      Enhance SunPKCS11 provider with PKCS#11 v2.40 header files, add support for common algorithms, and recognize more PKCS#11 defined constants for mechanisms, attributes, key types, etc.

      Specification

      1) Update to use PKCS#11 v2.40 header files, e.g. remove v2.20 specific header file and update the content of other PKCS#11 header files.

      2) Add support for the following algorithms when the underlying PKCS#11 library supports the corresponding mechanism:

        Java Algorithm                     PKCS#11 Mechanism       

  MessageDigest.SHA-512/224          CKM_SHA512_224                     
  MessageDigest.SHA-512/256          CKM_SHA512_256
  MAC.HmacSHA512/224                 CKM_SHA512_224_HMAC
  MAC.HmacSHA512/256                 CKM_SHA512_256_HMAC
  Signature.RSASSA-PSS               CKM_RSA_PKCS_PSS
  Signature.SHA1withRSASSA-PSS       CKM_SHA1_RSA_PKCS_PSS
  Signature.SHA224withRSASSA-PSS     CKM_SHA224_RSA_PKCS_PSS
  Signature.SHA256withRSASSA-PSS     CKM_SHA256_RSA_PKCS_PSS
  Signature.SHA384withRSASSA-PSS     CKM_SHA384_RSA_PKCS_PSS
  Signature.SHA512withRSASSA-PSS     CKM_SHA512_RSA_PKCS_PSS
  Signature.SHA224withDSA            CKM_DSA_SHA224
  Signature.SHA256withDSA            CKM_DSA_SHA256
  Signature.SHA384withDSA            CKM_DSA_SHA384
  Signature.SHA512withDSA            CKM_DSA_SHA512
  Cipher.AES/GCM/NoPadding           CKM_AES_GCM

      3) Now recognizes the various PKCS#11 constants (mechanisms, attributes, key types, error codes) as defined in v2.40 header files and won't error out unexpectedly.

            valeriep Valerie Peng
            valeriep Valerie Peng
            Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: