JDK-8265008 : Add ChaCha20 and Poly1305 support to SunPKCS11 provider
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 17
  • Submitted: 2021-04-09
  • Updated: 2022-01-07
  • Resolved: 2021-04-21
Description
Summary
-------

Update the "PKCS#11 Reference Guide" to document support for the ChaCha20-Poly1305 cipher and ChaCha20 keys. Add ChaCha20 as a standard `SecretKeyFactory` algorithm name in the "Java Security Standard Algorithm Names" document.

Problem
-------

The SunPKCS11 provider is enhanced to support the ChaCha20-Poly1305 cipher and ChaCha20 keys. The "PKCS#11 Reference Guide" and "Java Security Standard Algorithm Names" documents should be updated accordingly.

Solution
--------
Update Table 5-3 "Java Algorithms Supported by the SunPKCS11 Provider" of the PKCS#11 Reference Guide and the "`SecretKeyFactory` Algorithms" section of Java Security Standard Algorithm Names.

Specification
-------------
1) Add the following rows to Table 5-3 "Java Algorithms Supported by the SunPKCS11 Provider" of the PKCS#11 Reference Guide. (See https://docs.oracle.com/en/java/javase/16/security/pkcs11-reference-guide1.html#GUID-D3EF9023-7DDC-435D-9186-D2FD05674777 for the JDK 16 version of the guide.)

<table>
<tr><th>Java Algorithm</th> <th>PKCS#11 Mechanisms</th></tr>
<tr><td>Cipher.ChaCha20-Poly1305</td><td>CKM_CHACHA20_POLY1305</td></tr>
<tr><td>KeyGenerator.ChaCha20</td><td>CKM_CHACHA20_KEY_GEN</td></tr>
<tr><td>SecretKeyFactory.ChaCha20</td> <td>CKM_CHACHA20_POLY1305</td></tr> 
</table>

2) Add the following row to the "`SecretKeyFactory` Algorithms" section of Java Security Standard Algorithm Names.

<table>
<tr><th>Algorithm Name</th> <th>Description</th></tr>
<tr><td>ChaCha20</td><td>Constructs secret keys for use with the ChaCha20 and ChaCha20-Poly1305 algorithms.</td></tr> 
</table>
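
The following is an added example, not part of the CSR or the JDK sources, showing how the algorithm names in the tables above are used through the SunPKCS11 provider on JDK 17 or later. It assumes the first argument is the path to a SunPKCS11 configuration file you supply, naming a PKCS#11 library whose token exposes the ChaCha20 mechanisms; the class name and sample strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class Pkcs11ChaCha20Demo {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a SunPKCS11 config file for your token.
        Provider p = Security.getProvider("SunPKCS11").configure(args[0]);

        // SunPKCS11 registers an algorithm only if the token reports the
        // backing mechanism, so probe for the new names before relying on them.
        String[][] needed = {
            {"Cipher", "ChaCha20-Poly1305"},
            {"KeyGenerator", "ChaCha20"},
            {"SecretKeyFactory", "ChaCha20"}};
        for (String[] s : needed) {
            if (p.getService(s[0], s[1]) == null) {
                throw new IllegalStateException(s[0] + "." + s[1] + " not offered by token");
            }
        }
        // Key is generated on the token (CKM_CHACHA20_KEY_GEN per the table).
        SecretKey key = KeyGenerator.getInstance("ChaCha20", p).generateKey();

        // 96-bit nonce; it must never repeat under the same key.
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);            // constructed
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        Cipher enc = Cipher.getInstance("ChaCha20-Poly1305", p);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        enc.updateAAD(aad);
        byte[] ct = enc.doFinal(msg);   // ciphertext followed by the 16-byte tag

        Cipher dec = Cipher.getInstance("ChaCha20-Poly1305", p);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(nonce));
        dec.updateAAD(aad);
        byte[] pt = dec.doFinal(ct);    // fails if ciphertext, tag or AAD was altered
        if (!Arrays.equals(pt, msg)) throw new AssertionError("round trip failed");
        System.out.println("round trip ok, ciphertext+tag length = " + ct.length);
    }
}
```
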
Comments
Moving to Approved.
21-04-2021

The scope should be "SE" since a new standard algorithm is being defined.
15-04-2021

Moving to Provisional.
15-04-2021

I asked Raymond to include links to PKCS#11 spec for details on the mechanisms listed in the table under the paragraphs for "SunPKCS11 Provider Supported Algorithms". (https://bugs.openjdk.java.net/browse/JDK-8265006)
15-04-2021

I think that would be fine to just point to the PKCS#11 v3.0 mech spec.
14-04-2021

[~jnimeh] [~mullan] Thanks for catching it. I fixed the errors in #2. As for the link to OASIS mech spec for ChaCha20 and ChaCha20-Poly1305, no other mechanisms include such a link. Instead of adding a mechanism-specific link, maybe it's better to just point to the PKCS#11 v3.0 mechanism spec which is more a general thing and does not have to be covered under this CSR?
14-04-2021

For the standard algorithm names, I think you only need one row for this section as follows:

<table>
<tr><th>Algorithm Name</th> <th>Description</th></tr>
<tr><td>ChaCha20</td><td>Constructs secret keys for use with the ChaCha20 and ChaCha20-Poly1305 algorithms.</td></tr>
</table>

You shouldn't mention the PKCS names, as that is specific to PKCS11.
13-04-2021

For #2 in the specification section, since the description calls out the SecretKeyFactory section specifically does the KeyGenerator.ChaCha20 entry belong in that table? In the KeyGenerator section there already is a ChaCha20 entry so it seems redundant to have it here. Other nits: Backtick `SecretKeyFactory` when referred to as a class name so it comes out in monospace. Should we add a reference to the OASIS PKCS#11 document in the ChaCha20 section? https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061577
13-04-2021