Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8234425

Update SunPKCS11 provider with PKCS11 v2.40 support

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P3 P3
    • openjdk8u
    • security-libs
    • None
    • minimal
    • No risk as new header files are backward compatible with older versions.
    • Other
    • Implementation

      Summary

      PKCS#11 standard is updated to v2.40 (Base specification - http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html with other specifications listed under "Related Work" section on the same page) in April 2015 with errata published one year later in 2016. SunPKCS11 provider should update to v2.40 accordingly.

      Problem

      The implementation of SunPKCS11 is mostly based on PKCS#11 v2.20 release. It lacks support for some algorithms, attributes, etc., added through out the various releases of PKCS#11 standard.

      Solution

      Enhance SunPKCS11 provider with PKCS#11 v2.40 header files, add support for common algorithms, and recognize more PKCS#11 defined constants for mechanisms, attributes, key types, etc.

      Specification

      1) Update to use PKCS#11 v2.40 header files, e.g. remove v2.20 specific header file and update the content of other PKCS#11 header files.

      2) Add support for the following algorithms when the underlying PKCS#11 library supports the corresponding mechanism:

        Java Algorithm                     PKCS#11 Mechanism       
      
        MessageDigest.SHA-512/224          CKM_SHA512_224                     
        MessageDigest.SHA-512/256          CKM_SHA512_256
        MAC.HmacSHA512/224                 CKM_SHA512_224_HMAC
        MAC.HmacSHA512/256                 CKM_SHA512_256_HMAC
        Signature.RSASSA-PSS               CKM_RSA_PKCS_PSS
        Signature.SHA1withRSASSA-PSS       CKM_SHA1_RSA_PKCS_PSS
        Signature.SHA224withRSASSA-PSS     CKM_SHA224_RSA_PKCS_PSS
        Signature.SHA256withRSASSA-PSS     CKM_SHA256_RSA_PKCS_PSS
        Signature.SHA384withRSASSA-PSS     CKM_SHA384_RSA_PKCS_PSS
        Signature.SHA512withRSASSA-PSS     CKM_SHA512_RSA_PKCS_PSS
        Signature.SHA224withDSA            CKM_DSA_SHA224
        Signature.SHA256withDSA            CKM_DSA_SHA256
        Signature.SHA384withDSA            CKM_DSA_SHA384
        Signature.SHA512withDSA            CKM_DSA_SHA512
        Cipher.AES/GCM/NoPadding           CKM_AES_GCM

      3) Now recognizes the various PKCS#11 constants (mechanisms, attributes, key types, error codes) as defined in v2.40 header files and won't error out unexpectedly.

      Differences with JDK CSR JDK-8221442: none

            mbalao Martin Balao Alonso
            valeriep Valerie Peng
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: