JDK-6604496 : Support for CKM_AES_CTR (counter mode)
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2007-09-13
  • Updated: 2012-10-22
  • Resolved: 2011-04-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7 b134Fixed
Related Reports
Relates :  
The SunPKCS11 provider does not support CKM_AES_CTR. This should be fixed.

That may require JCE API changes (a new Spec class) since counter mode is currently not fully supported by the JCE APIs. The SunJCE provider uses IvParameterSpec to pass the initial counter value and assumes a counter size equal to the block size, but PKCS #11 v2.20 Amendment 3 allows arbitrary, user specified counter sizes and RFC 3686 (AES for IPsec) uses a 32-bit bit counter. PKCS#11 also specifies that an error is produced if the counter overflows.

EVALUATION Release note wording suggestion: SunPKCS11 provider now supports AES encryption with Counter mode (CTR), i.e. Cipher.getInstance("AES/CTR/NoPadding") calls, when the underlying PKCS11 library supports CKM_AES_CTR mechanism.

EVALUATION Add CKM_AES_CTR mechanism support with IvParameterSpec first which should meet current need. We'll add the additional parameter class to fully support the non-128-bit-counter when it's really needed.