Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8261433

Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit

    XMLWordPrintable

Details

    Backports

      Description

        For Ciphers running through the CKM_AES_GCM SunPKCS11 mechanism - two types of CK_GCM_PARAMS struct are used in order to deal with interoperability issues introduced with PKCS#11 v2.40. (JDK-8080462/JDK-8229243)

        CK_GCM_PARAMS_NO_IVBITS is attempted first. If that fails, then CK_GCM_PARAMS is attempted.

        This is a performance hit since only the 2nd struct is successful in both NSS and Solaris libpkcs11 where PKCS#11 spec version is 2.40 and above.

        e.g:
        /2: lseek(15, 0x0001B390, SEEK_SET) = 111504
        /2: read(15, "85 R m S12 Q18 =97B7 ] p".., 579) = 579
        /2@2: -> libpkcs11:C_EncryptInit(0x1005d6770, 0x1007a46a0, 0x1005fa840, 0x0)
        /2@2: -> libucrypto:crypto_encrypt_init(0xffffffff7f2eee08, 0xffffffff7f2eee20, 0x0, 0x1005d68b8)
        /2@2: <- libucrypto:crypto_encrypt_init() = 29
        /2@2: <- libpkcs11:C_EncryptInit() = 113
        /2@2: -> libpkcs11:C_EncryptInit(0x1005d6770, 0x1007a46a0, 0x1005fa840, 0x71)
        /2@2: -> libucrypto:crypto_encrypt_init(0xffffffff7f2eee08, 0xffffffff7f2eee20, 0x0, 0x1005d68b8)
        /2@2: <- libucrypto:crypto_encrypt_init() = 0
        /2@2: <- libpkcs11:C_EncryptInit() = 0

        Attachments

          Issue Links

            Activity

              People

                pkumaraswamy Prajwal Kumaraswamy
                coffeys Sean Coffey
                Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: