JDK-8037742 : Re-enabling PKCS11 HMAC mechanisms in Solaris
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris
  • CPU: x86,sparc
  • Submitted: 2014-03-18
  • Updated: 2014-06-12
  • Resolved: 2014-06-03
JDK 9: 9 b17 (Fixed)
Description
The following mechanisms are disabled in the sunpkcs11-solaris.cfg file:

# the following mechanisms are disabled due to performance issues
# (Solaris bug 6337157)
  CKM_DSA_SHA1
  CKM_MD5_RSA_PKCS
  CKM_SHA1_RSA_PKCS
  CKM_SHA256_RSA_PKCS
  CKM_SHA384_RSA_PKCS
  CKM_SHA512_RSA_PKCS

We should investigate whether these performance issues are still a concern, and consider re-enabling these for JDK 9.
Comments
Originally filed because of poor T1 performance; T3 still produces low numbers. Signing performance was 286 ops/sec for native libraries while 3468 ops/sec for SunJCE. On T4 the performance with native libraries is the same as SunJCE, roughly 5200 ops/sec.

Currently Solaris 11 ucrypto supports the above RSA HMAC algorithms. Because the Ucrypto provider is before SunPKCS11 on the providers list, the disabling is ineffective. While this is a degradation for S11 using JDK 8 on T3 and below, it is not a problem on new and currently shipping SPARC hardware.

Looking toward the future, I believe it is OK to re-enable for JDK 9, but unwise to backport the change as we risk hurting performance on established T3. JDK 8 should be left as is, as it is a good transition release between S10/S11-T3/T4 hardware. T3 and older hardware will be replaced and it is not right to perpetuate the disabled mechanism for a dying hardware line in future JDK releases.
29-05-2014
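The comment's point about provider order can be checked on a given installation by listing which providers register each affected signature algorithm and which one the JCA selects by default. This is an added example, not code from the JDK or from this report; the class name is hypothetical, and the algorithm list assumes the standard JCA Signature names for the CKM_* mechanisms in the description.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class name; added example, not code from the JDK or this report.
public class SignatureProviderOrder {

    // Assumed JCA Signature names for the CKM_* mechanisms listed in the description.
    static final String[] ALGORITHMS = {
        "SHA1withDSA", "MD5withRSA", "SHA1withRSA",
        "SHA256withRSA", "SHA384withRSA", "SHA512withRSA"
    };

    // Every installed provider that registers the algorithm, as "position:name",
    // in the preference order configured in java.security.
    static List<String> providersOffering(String algorithm) {
        List<String> result = new ArrayList<>();
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            if (installed[i].getService("Signature", algorithm) != null) {
                result.add((i + 1) + ":" + installed[i].getName());
            }
        }
        return result;
    }

    // Provider the JCA picks first when the caller names no provider.
    // The final choice can still change at initSign/initVerify if that
    // provider cannot handle the supplied key.
    static String defaultProvider(String algorithm) {
        try {
            return Signature.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return "(none)";
        }
    }

    public static void main(String[] args) {
        for (String algorithm : ALGORITHMS) {
            System.out.printf("%-14s default=%-16s offered by %s%n",
                algorithm, defaultProvider(algorithm), providersOffering(algorithm));
        }
    }
}
```

When the default provider for an algorithm sits ahead of SunPKCS11 in the list, the entries disabled in sunpkcs11-solaris.cfg have no bearing on callers that do not name a provider explicitly.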