Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-2205522

PKCS11 should support "RSA" and "RSA/ECB/NoPadding" ciphers



      JDK 5.0/Weblogic/Solaris 10 fails to use T2000 onboard crypto accelerator for SSL operations.
      (The following description is from the duplicated bug 7015812)

      In the default configuration, the WLS/BEA/certicom algorithm currently uses these algorithms, and these aren't recognized by SunPKCS11, and thus can't be hardware-accelerated.

      From a discussion with Sean:

      Since I'm not able to see their code...sigh...I'm taking some guesses as to what is happening here.

      If they are using "RSA/ECB/NoPadding", the current PKCS11 impl does not support that. SunPKCS11 currently only supports PKCS1Padding. In the debug log you posted, there are two instances of "RSA", and two of "RSA/ECB/NoPadding".

      In JSSE, when we are doing client certificate verification, we use Signature.getInstance("NONEwithRSA"), which is what I'm guessing they might be doing with their call to Cipher "RSA/ECB/NoPadding".

      So, to use this with today's JDK, I think they (weblogic) would want to:

      1) specify "RSA/ECB/PKCS1Padding" where they were using "RSA".
      2) change their sig mechanism to use Signature "NONEwithRSA" instead of the Cipher "RSA/ECB/NoPadding".

      If we want to look at adding these mechanisms into our PKCS11 provider:

      We've already talked about adding "RSA" as an alias for "RSA/ECB/PKCS1Padding".

      For "RSA/ECB/NoPadding", in looking at the code for our JCE RSA impl and the PKCS11 specification, it sure looks like CKM_RSA_X_509 would be the equivalent mechanism of "RSA/ECB/NoPadding" but I haven't tested to confirm.

      According to the SunPKCS11 source:

       * RSA Cipher implementation class. We currently only support
       * PKCS#1 v1.5 padding on top of CKM_RSA_PKCS.


           // XXX RSA_X_509, RSA_OAEP not yet supported

      I don't know if that means that it's not supported in the Solaris provider or just in our provider. It's most likely the latter. Either way, Valerie probably knows more about this.

      If that's the case, then it shouldn't be too hard to implement, just adding some code in the PKCS11 provider and making the appropriate calls.
      *** (#1 of 1): 2011-01-28 16:42:30 PST ###@###.###


          Issue Links



              • Assignee:
                valeriep Valerie Peng
                wetmore Bradford Wetmore
              • Votes:
                0 Vote for this issue
                0 Start watching this issue


                • Created: