JDK-8256082 : Add SHA3 support to SunPKCS11 provider
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 16
  • Submitted: 2020-11-10
  • Updated: 2020-12-04
  • Resolved: 2020-12-04
Related Reports
CSR :  
JDK-8242332 - Add SHA3 support to SunPKCS11 provider
Description
Summary
-------

Enhance SunPKCS11 provider to support various SHA-3 related crypto algorithms when supported by underlying native PKCS11 library.

Problem
-------

With PKCS#11 v3.0, additional mechanisms are added including SHA-3 message digests and other crypto algorithms utilizing SHA-3. SunPKCS11 provider should be enhanced accordingly.

Solution
--------
Enhance SunPKCS11 provider to support the SHA-3 related crypto services. For completeness, this RFE also adds support for Hmac key generator for all supported message digest algorithms.

 - Message Digest: SHA3-224, SHA3-256, SHA3-384, SHA3-512
 - Mac: HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
 - Signature: SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA, SHA3-224withDSAinP1363Format, SHA3-256withDSAinP1363Format, SHA3-384withDSAinP1363Format, SHA3-512withDSAinP1363Format, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA3-224withECDSAinP1363Format, SHA3-256withECDSAinP1363Format, SHA3-384withECDSAinP1363Format, SHA3-512withECDSAinP1363Format, SHA3-224withRSA, SHA3-256withRSA, SHA3-384withRSA, SHA3-512withRSA, SHA3-224withRSASSA-PSS, SHA3-256withRSASSA-PSS, SHA3-384withRSASSA-PSS, SHA3-512withRSASSA-PSS.
 - KeyGenerator: HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA512/224, HmacSHA512/256, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512.


Specification
-------------

1) Update the table 5.3 "Java Algorithms Supported by the SunPKCS11 Provider" of "PKCS#11 Reference Guide" with the following changes (new additions are highlighted in bold):
<table> 
<tr><th>Java Algorithm</th>                                                      <th>PKCS#11 Mechanisms</th></tr>
<tr><td><b>MessageDigest.SHA3-224</b></td>                      <td><b>CKM_SHA3_224</b></td></tr>
<tr><td><b>MessageDigest.SHA3-256</b></td>                      <td><b>CKM_SHA3_256</b></td></tr>
<tr><td><b>MessageDigest.SHA3-384</b></td>                      <td><b>CKM_SHA3_384</b></td></tr>
<tr><td><b>MessageDigest.SHA3-512</b></td>                      <td><b>CKM_SHA3_512</b></td></tr>
<tr><td><b>Mac.SHA3-224</b></td>                                        <td><b>CKM_SHA3_224_HMAC</b></td></tr>
<tr><td><b>Mac.SHA3-256</b></td>                                        <td><b>CKM_SHA3_256_HMAC</b></td></tr>
<tr><td><b>Mac.SHA3-384</b></td>                                        <td><b>CKM_SHA3_384_HMAC</b></td></tr>
<tr><td><b>Mac.SHA3-512</b></td>                                        <td><b>CKM_SHA3_512_HMAC</b></td></tr>
<tr><td><b>Signature.SHA3-224withDSA</b></td>                                    <td><b>CKM_DSA_SHA3_224</b></td></tr>
<tr><td><b>Signature.SHA3-256withDSA</b></td>                                    <td><b>CKM_DSA_SHA3_256</b></td></tr>
<tr><td><b>Signature.SHA3-384withDSA</b></td>                                    <td><b>CKM_DSA_SHA3_384</b></td></tr>
<tr><td><b>Signature.SHA3-512withDSA</b></td>                                    <td><b>CKM_DSA_SHA3_512</b></td></tr>
<tr><td><b>Signature.SHA224withDSAinP1363Format</b></td>               <td><b>CKM_DSA_SHA224</b></td></tr>
<tr><td><b>Signature.SHA256withDSAinP1363Format</b></td>               <td><b>CKM_DSA_SHA256</b></td></tr>
<tr><td><b>Signature.SHA384withDSAinP1363Format</b></td>               <td><b>CKM_DSA_SHA384</b></td></tr>
<tr><td><b>Signature.SHA512withDSAinP1363Format</b></td>               <td><b>CKM_DSA_SHA512</b></td></tr>
<tr><td><b>Signature.SHA3-224withDSAinP1363Format</b></td>            <td><b>CKM_DSA_SHA3_224</b></td></tr>
<tr><td><b>Signature.SHA3-256withDSAinP1363Format</b></td>            <td><b>CKM_DSA_SHA3_256</b></td></tr>
<tr><td><b>Signature.SHA3-384withDSAinP1363Format</b></td>            <td><b>CKM_DSA_SHA3_384</b></td></tr>
<tr><td><b>Signature.SHA3-512withDSAinP1363Format</b></td>            <td><b>CKM_DSA_SHA3_512</b></td></tr>
<tr><td><b>Signature.SHA224withECDSA</b></td>                                   <td><b> CKM_ECDSA_SHA224,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA256withECDSA</b></td>                                   <td><b>CKM_ECDSA_SHA256,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA384withECDSA</b></td>                                   <td><b>CKM_ECDSA_SHA384,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA512withECDSA</b></td>                                   <td><b>CKM_ECDSA_SHA512,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA3-224withECDSA</b></td>                                <td><b>CKM_ECDSA_SHA3_224, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-256withECDSA</b></td>                                <td><b>CKM_ECDSA_SHA3_256, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-384withECDSA</b></td>                                <td><b>CKM_ECDSA_SHA3_384, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-512withECDSA</b></td>                                <td><b>CKM_ECDSA_SHA3_512, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA224withECDSAinP1363Format</b></td>           <td><b>CKM_ECDSA_SHA224,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA256withECDSAinP1363Format</b></td>           <td><b>CKM_ECDSA_SHA256,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA384withECDSAinP1363Format</b></td>           <td><b>CKM_ECDSA_SHA384,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA512withECDSAinP1363Format</b></td>           <td><b>CKM_ECDSA_SHA512,</b> CKM_ECDSA</td></tr>
<tr><td><b>Signature.SHA3-224withECDSAinP1363Format</b></td>        <td><b>CKM_ECDSA_SHA3_224, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-256withECDSAinP1363Format</b></td>        <td><b>CKM_ECDSA_SHA3_256, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-384withECDSAinP1363Format</b></td>        <td><b>CKM_ECDSA_SHA3_384, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-512withECDSAinP1363Format</b></td>        <td><b>CKM_ECDSA_SHA3_512, CKM_ECDSA</b></td></tr>
<tr><td><b>Signature.SHA3-224withRSA</b></td>                      <td><b>CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509</b></td></tr>
<tr><td><b>Signature.SHA3-256withRSA</b></td>                      <td><b>CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509</b></td></tr>
<tr><td><b>Signature.SHA3-384withRSA</b></td>                      <td><b>CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509</b></td></tr>
<tr><td><b>Signature.SHA3-512withRSA</b></td>                      <td><b>CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509</b></td></tr>
<tr><td><b>Signature.SHA3-224withRSASSA-PSS</b></td>        <td><b>CKM_SHA3_224_RSA_PKCS_PSS</b></td></tr>
<tr><td><b>Signature.SHA3-256withRSASSA-PSS</b></td>        <td><b>CKM_SHA3_256_RSA_PKCS_PSS</b></td></tr>
<tr><td><b>Signature.SHA3-384withRSASSA-PSS</b></td>        <td><b>CKM_SHA3_384_RSA_PKCS_PSS</b></td></tr>
<tr><td><b>Signature.SHA3-512withRSASSA-PSS</b></td>        <td><b>CKM_SHA3_512_RSA_PKCS_PSS</b></td></tr>
<tr><td><b>KeyGenerator.HmacMD5</b></td>                             <td><b>CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA1</b></td>                            <td><b>CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA224</b></td>                        <td><b>CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA256</b></td>                        <td><b>CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA384</b></td>                        <td><b>CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA512</b></td>                        <td><b>CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA512/224</b></td>                 <td><b>CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA512/256</b></td>                 <td><b>CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA3-224</b></td>                     <td><b>CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA3-256</b></td>                     <td><b>CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA3-384</b></td>                     <td><b>CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
<tr><td><b>KeyGenerator.HmacSHA3-512</b></td>                     <td><b>CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN</b></td></tr>
</table>
Comments
Moving to Approved.
04-12-2020
Updated the JCK CSR with the required info.
02-12-2020
There is no API changes, just filing the CSR to document the additional algorithm support. The changes are at the provider level. So, I used "Other" as interface kind instead of JDK-API.
02-12-2020
I assume this is a change to a JDK-API rather than a Java SE API; if not, please correct before Finalizing. Moving to Provisional.
13-11-2020