Cryptography in Solaris
By Darren Moffat-Oracle on Nov 08, 2004
The Solaris Cryptographic Framework has been my main project for the past 4 years at Sun. Solaris 10 will be the first release where we have public interfaces to cryptography APIs in userland and in the kernel. To find out more about the Solaris Cryptographic Framework have a look at the docs.sun.com guide. It has support for automatic failover between hardware and software and includes implementations of common cryptographic algorithms, some of them optimized for SPARCv9 and AMD64.
One of my favourite things about the Solaris Cryptographic Framework is the ability to specify system-wide policy about which algorithms applications that use the framework are allowed to use. For example, disabling the software DES from userland and kernel is as simple as this:
# cryptoadm disable provider=des mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
# cryptoadm disable provider='/usr/lib/security/$ISA/pkcs11_softtoken.so' mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
Where "des" is the name of the kernel provider and "pkcs11_softtoken.so" is the userland provider.
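To confirm that the policy took effect on both providers, the listing from "cryptoadm list -p" can be audited. The script below is an added example, not part of the original post: the function names are hypothetical, the sample listing is constructed, and the one-line-per-provider output format is an assumption.

```shell
#!/bin/sh
# Added example: audit the policy set by "cryptoadm disable".
# ASSUMPTION: "cryptoadm list -p" prints one line per provider, e.g.
#   des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC.

DES_MECHS=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC

# mechs_disabled PROVIDER MECH_LIST   (policy listing on stdin)
# Prints each mechanism from MECH_LIST that is still enabled.
# Returns 0 if all are disabled, 1 if any is enabled, 2 if PROVIDER is absent.
mechs_disabled() {
    awk -v p="$1" -v want="$2" '
        index($0, p ":") == 1 {              # literal match, safe for "$ISA"
            found = 1
            i = index($0, "except ")
            list = (i > 0) ? substr($0, i + 7) : ""
            sub(/\..*$/, "", list)           # drop the trailing ". ..." text
            n = split(list, a, /, */)
            for (k = 1; k <= n; k++) off[a[k]] = 1
        }
        END {
            if (!found) exit 2
            m = split(want, w, ",")
            for (k = 1; k <= m; k++)
                if (!(w[k] in off)) { print w[k]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample listing (not captured from a real system): the kernel
# provider is fully restricted, the userland one still allows 3DES.
sample_policy() {
    cat <<'EOF'
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC.

Kernel software providers:
==========================
des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC.
aes: all mechanisms are enabled.
EOF
}

# On a live system, replace sample_policy with: cryptoadm list -p
sample_policy | mechs_disabled des "$DES_MECHS" && echo "des: policy in place"
```

Run against the constructed sample, the userland provider check reports CKM_DES3_ECB and CKM_DES3_CBC as still enabled, which is the kind of partial policy that is easy to miss when only one of the two commands has been applied.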