Summary

PKCS#11 standard is updated to v2.40 (Base specification - http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html with other specifications listed under "Related Work" section on the same page) in April 2015 with errata published one year later in 2016. SunPKCS11 provider should update to v2.40 accordingly.

Problem

The implementation of SunPKCS11 is mostly based on PKCS#11 v2.20 release. It lacks support for some algorithms, attributes, etc., added through out the various releases of PKCS#11 standard.

Solution

Enhance SunPKCS11 provider with PKCS#11 v2.40 header files, add support for common algorithms, and recognize more PKCS#11 defined constants for mechanisms, attributes, key types, etc.

Specification

1. Update to use PKCS#11 v2.40 header files, e.g. remove v2.20 specific header file and update the content of other PKCS#11 header files.

2. Add support for the following algorithms when the underlying PKCS#11 library supports the corresponding mechanism:

   Java Algorithm PKCS#11 Mechanism

   MessageDigest.SHA-512/224 CKM_SHA512_224
   MessageDigest.SHA-512/256 CKM_SHA512_256 MAC.HmacSHA512/224 CKM_SHA512_224_HMAC MAC.HmacSHA512/256 CKM_SHA512_256_HMAC Signature.RSASSA-PSS CKM_RSA_PKCS_PSS Signature.SHA1withRSASSA-PSS CKM_SHA1_RSA_PKCS_PSS Signature.SHA224withRSASSA-PSS CKM_SHA224_RSA_PKCS_PSS Signature.SHA256withRSASSA-PSS CKM_SHA256_RSA_PKCS_PSS Signature.SHA384withRSASSA-PSS CKM_SHA384_RSA_PKCS_PSS Signature.SHA512withRSASSA-PSS CKM_SHA512_RSA_PKCS_PSS Signature.SHA224withDSA CKM_DSA_SHA224 Signature.SHA256withDSA CKM_DSA_SHA256 Signature.SHA384withDSA CKM_DSA_SHA384 Signature.SHA512withDSA CKM_DSA_SHA512 Cipher.AES/GCM/NoPadding CKM_AES_GCM

3. Now recognizes the various PKCS#11 constants (mechanisms, attributes, key types, error codes) as defined in v2.40 header files and won't error out unexpectedly.

Differences with JDK CSR [JDK-8221442]: none