JDK-8221442 : Update SunPKCS11 provider with PKCS11 v2.40 support
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-03-26
  • Updated: 2019-06-05
  • Resolved: 2019-06-05

The PKCS#11 standard was updated to v2.40 (base specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html, with other specifications listed under the "Related Work" section on the same page) in April 2015, with errata published one year later in 2016. The SunPKCS11 provider should be updated to v2.40 accordingly.

The implementation of SunPKCS11 is mostly based on the PKCS#11 v2.20 release. It lacks support for some algorithms, attributes, etc., added throughout the various releases of the PKCS#11 standard.

Enhance the SunPKCS11 provider with the PKCS#11 v2.40 header files, add support for common algorithms, and recognize more PKCS#11-defined constants for mechanisms, attributes, key types, etc.

1) Update to use the PKCS#11 v2.40 header files, e.g. remove the v2.20-specific header file and update the content of the other PKCS#11 header files.

2) Add support for the following algorithms when the underlying PKCS#11 library supports the corresponding mechanism:

      Java Algorithm                     PKCS#11 Mechanism       

      MessageDigest.SHA-512/224          CKM_SHA512_224                     
      MessageDigest.SHA-512/256          CKM_SHA512_256
      MAC.HmacSHA512/224                 CKM_SHA512_224_HMAC
      MAC.HmacSHA512/256                 CKM_SHA512_256_HMAC
      Signature.RSASSA-PSS               CKM_RSA_PKCS_PSS
      Signature.SHA1withRSASSA-PSS       CKM_SHA1_RSA_PKCS_PSS
      Signature.SHA224withRSASSA-PSS     CKM_SHA224_RSA_PKCS_PSS
      Signature.SHA256withRSASSA-PSS     CKM_SHA256_RSA_PKCS_PSS
      Signature.SHA384withRSASSA-PSS     CKM_SHA384_RSA_PKCS_PSS
      Signature.SHA512withRSASSA-PSS     CKM_SHA512_RSA_PKCS_PSS
      Signature.SHA224withDSA            CKM_DSA_SHA224
      Signature.SHA256withDSA            CKM_DSA_SHA256
      Signature.SHA384withDSA            CKM_DSA_SHA384
      Signature.SHA512withDSA            CKM_DSA_SHA512
      Cipher.AES/GCM/NoPadding           CKM_AES_GCM

3) Recognize the various PKCS#11 constants (mechanisms, attributes, key types, error codes) defined in the v2.40 header files, so that the provider won't error out unexpectedly.

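
Because item 2 adds each algorithm only when the underlying PKCS#11 library supports the corresponding mechanism, the probe below checks which of the listed algorithms a given token actually exposes. It is an added example, not code from the CSR or the JDK; the configuration file passed as the first argument is an assumption and must point at your own PKCS#11 library.

```java
import java.security.Provider;
import java.security.Security;

public class Pkcs11V240Probe {
    // {JCA service type, algorithm} pairs taken from the table in item 2.
    // The table writes "MAC"; the JCA service type name is "Mac".
    static final String[][] NEW_ALGORITHMS = {
        {"MessageDigest", "SHA-512/224"},
        {"MessageDigest", "SHA-512/256"},
        {"Mac", "HmacSHA512/224"},
        {"Mac", "HmacSHA512/256"},
        {"Signature", "RSASSA-PSS"},
        {"Signature", "SHA1withRSASSA-PSS"},
        {"Signature", "SHA224withRSASSA-PSS"},
        {"Signature", "SHA256withRSASSA-PSS"},
        {"Signature", "SHA384withRSASSA-PSS"},
        {"Signature", "SHA512withRSASSA-PSS"},
        {"Signature", "SHA224withDSA"},
        {"Signature", "SHA256withDSA"},
        {"Signature", "SHA384withDSA"},
        {"Signature", "SHA512withDSA"},
        {"Cipher", "AES/GCM/NoPadding"},
    };

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs11V240Probe <pkcs11-config-file>");
            System.exit(2);
        }
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.err.println("SunPKCS11 provider is not present in this runtime");
            System.exit(2);
        }
        // Provider.configure(String) (Java 9+) returns a provider instance
        // bound to the library named in the configuration file.
        Provider p = base.configure(args[0]);
        int missing = 0;
        for (String[] a : NEW_ALGORITHMS) {
            // null means the provider did not register this algorithm for the token.
            boolean offered = p.getService(a[0], a[1]) != null;
            System.out.printf("%-14s %-22s %s%n", a[0], a[1],
                    offered ? "available" : "not offered");
            if (!offered) missing++;
        }
        System.exit(missing == 0 ? 0 : 1); // non-zero exit if anything is missing
    }
}
```
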
Moving to Approved.

The PKCS#11 Reference Guide is here: https://docs.oracle.com/en/java/javase/12/security/pkcs11-reference-guide1.html#GUID-30E98B63-4910-40A1-A6DD-663EAF466991
The "SunPKCS11 Provider Supported Algorithms" section will be updated with the list of new supported algorithms.

No javadoc update. We didn't mention the PKCS#11 version in any of the public APIs. However, the security guide for the PKCS11 provider needs to be updated per this RFE.

Is there a doc/spec update that should occur with this change? Moving to Provisional until that question is answered.