JEP 131: PKCS#11 Crypto Provider for 64-bit Windows

JEP 131 (PKCS#11 Crypto Provider for 64-bit Windows) is another of the 11 new security features funded and targeted to JDK 8.

PKCS #11 is a standard that defines a platform-independent API to cryptographic tokens like smart cards and hardware security modules. Oracle's JDK currently supports PKCS #11 on Solaris (SPARC and x86), Linux (32-bit and 64-bit), and Windows (32-bit). PKCS #11 support is provided via a JCA provider which is simply a bridge to the native PKCS #11 library. This allows developers to use the standard Java Cryptography APIs and take advantage of the PKCS #11 functionality without having to change their applications. Support for Solaris is configured out-of-the-box, but some additional configuration is required on the other platforms.

JEP 131 adds PKCS #11 support for 64-bit Windows. To use the provider, additional configuration is required that specifies the location of the native PKCS #11 library along with additional directives as documented in the Java PKCS#11 Reference Guide.

A PKCS #11 provider can be configured statically in the java.security file, for example:

    security.provider.1=sun.security.pkcs11.SunPKCS11 pkcs11.cfg

or dynamically in code, for example:

    Provider p = new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
    Security.addProvider(p);

Early access binaries of JDK 8 can be downloaded at http://jdk8.java.net/download.html

Comments:

Has this been added to Java 8 b118? I am trying to enable fips-140 encryption for Java 64 bit (Windows) using Mozilla's NSS library. I have everything working great with Java 7 32 bit but when I attempt to test Java 8 64 bit with the same application and configuration I get the following exception:

java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getIndex(Unknown Source)
at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at java.security.Security.getProvider(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
at Main.main(Main.java:24)
Caused by: java.io.IOException: %1 is not a valid Win32 application.

at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
... 36 more

Posted by guest on December 09, 2013 at 08:15 AM EST #

It looks like something isn't running in 64bit. Did you get it working in non-FIPS mode?

Posted by guest on December 09, 2013 at 03:36 PM EST #

No, it does not work in non-FIPS mode either.

I built NSS per instructions here: https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing

I used the USE_64 variable and NSS was built in the directory: nss\dist\WINNT6.1_64_DBG.OBJ\lib
So I am assuming that NSS was built in 64 bit.

My Java version is:
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-b118)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b60, mixed mode)

Therefore Java is 64 bit.
Am I missing something else that I should be checking?

Thanks,
Jon

Posted by guest on December 10, 2013 at 01:46 PM EST #

If you moved to the 64-bit version of Java, I guess you need a PKCS #11 module (pkcs11module.dll) compiled for a 64-bit OS.

Posted by guest on April 10, 2014 at 06:21 PM EDT #
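
The `%1 is not a valid Win32 application` error in the thread above is what Windows reports for a bad executable format, and a common cause is a native library whose architecture differs from the JVM's. The following is an added example, not code from the original post or from the JDK: it reads the Machine field from a DLL's PE header and compares it with the JVM's data model. The class and method names are hypothetical, and the built-in sample header is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.file.Files;
import java.nio.file.Paths;

// Added example: pre-flight check that a native PKCS #11 DLL matches the JVM's bitness.
public class Pkcs11ArchCheck {
    static final int MACHINE_I386 = 0x014c;   // IMAGE_FILE_MACHINE_I386
    static final int MACHINE_AMD64 = 0x8664;  // IMAGE_FILE_MACHINE_AMD64

    /** Returns the COFF Machine field of a PE image, or -1 if it is not a PE file. */
    static int peMachine(byte[] image) {
        ByteBuffer b = ByteBuffer.wrap(image).order(ByteOrder.LITTLE_ENDIAN);
        if (image.length < 0x40 || b.getShort(0) != 0x5A4D) return -1;  // "MZ"
        int peOff = b.getInt(0x3C);                                     // e_lfanew
        if (peOff < 0 || peOff > image.length - 6) return -1;           // out of bounds
        if (b.getInt(peOff) != 0x00004550) return -1;                   // "PE\0\0"
        return b.getShort(peOff + 4) & 0xFFFF;                          // Machine
    }

    /** True when the library's machine type matches the JVM data model (32 or 64). */
    static boolean matchesJvm(byte[] image, int jvmBits) {
        int m = peMachine(image);
        return (jvmBits == 64 && m == MACHINE_AMD64) || (jvmBits == 32 && m == MACHINE_I386);
    }

    // Constructed sample: a minimal MZ + PE header holding only the fields read above.
    static byte[] sampleHeader(int machine) {
        ByteBuffer b = ByteBuffer.allocate(0x48).order(ByteOrder.LITTLE_ENDIAN);
        b.putShort(0, (short) 0x5A4D).putInt(0x3C, 0x40).putInt(0x40, 0x4550);
        b.putShort(0x44, (short) machine);
        return b.array();
    }

    public static void main(String[] args) throws Exception {
        // sun.arch.data.model is HotSpot-specific; fall back to os.arch if it is absent.
        String model = System.getProperty("sun.arch.data.model", "");
        int jvmBits = model.equals("32") ? 32 : model.equals("64") ? 64
                : (System.getProperty("os.arch").contains("64") ? 64 : 32);
        byte[] image = args.length > 0
                ? Files.readAllBytes(Paths.get(args[0]))   // path to the native DLL
                : sampleHeader(MACHINE_I386);              // constructed 32-bit header
        System.out.printf("JVM: %d-bit, library machine: 0x%04x, match: %b%n",
                jvmBits, peMachine(image), matchesJvm(image, jvmBits));
    }
}
```

Pass the path of the native PKCS #11 DLL as the first argument; with no argument it evaluates the constructed 32-bit header against the running JVM.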

About

Sean Mullan
