Java Security Topics

  • Java
    August 26, 2013

JEP 131: PKCS#11 Crypto Provider for 64-bit Windows

JEP 131 (PKCS#11 Crypto Provider for 64-bit Windows) is another of the 11 new security features funded and targeted to JDK 8.

PKCS #11 is a standard that defines a platform-independent API to cryptographic tokens like smart cards and hardware security modules. Oracle's JDK currently supports PKCS #11 on Solaris (SPARC and x86), Linux (32-bit and 64-bit), and Windows (32-bit). PKCS #11 support is provided via a JCA provider which is simply a bridge to the native PKCS #11 library. This allows developers to use the standard Java Cryptography APIs and take advantage of the PKCS #11 functionality without having to change their applications. Support for Solaris is configured out-of-the-box, but some additional configuration is required on the other platforms.

JEP 131 adds PKCS #11 support for 64-bit Windows. To use the provider, additional configuration is required that specifies the location of the native PKCS #11 library along with additional directives as documented in the Java PKCS#11 Reference Guide.

A PKCS #11 provider can be configured statically in the java.security file, for example:

    security.provider.1=sun.security.pkcs11.SunPKCS11 pkcs11.cfg

or dynamically in code, for example:

    Provider p = new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
    Security.addProvider(p);
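
An added example (not from the original post or the JDK): a preflight check that reads the `library` directive from the configuration file and confirms the DLL's PE header matches the JVM's bitness before registering the provider, since a 64-bit JVM can only load a 64-bit native PKCS #11 library. It assumes a configuration that uses the `library` directive, a HotSpot JVM (for the `sun.arch.data.model` property), and the JDK 8 constructor used in the post; the class name `Pkcs11Preflight` is hypothetical.

```java
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Provider;
import java.security.Security;

public class Pkcs11Preflight {
    // COFF "Machine" values from the PE file header
    static final int MACHINE_I386 = 0x014c, MACHINE_AMD64 = 0x8664;

    /** Returns the value of the "library = ..." directive in a SunPKCS11 config file. */
    static String libraryFrom(String cfgPath) throws IOException {
        for (String line : Files.readAllLines(Paths.get(cfgPath), StandardCharsets.UTF_8)) {
            String[] kv = line.split("=", 2);
            if (kv.length == 2 && kv[0].trim().equals("library")) return kv[1].trim();
        }
        throw new IOException("no 'library' directive in " + cfgPath);
    }

    /** Reads the Machine field of a Windows DLL's PE header. */
    static int peMachine(String dll) throws IOException {
        try (RandomAccessFile f = new RandomAccessFile(dll, "r")) {
            if (f.readUnsignedByte() != 'M' || f.readUnsignedByte() != 'Z')
                throw new IOException(dll + ": not a PE file");
            f.seek(0x3c);                                     // e_lfanew: offset of "PE\0\0"
            int peOffset = Integer.reverseBytes(f.readInt()); // stored little-endian
            f.seek(peOffset);
            if (f.readInt() != 0x50450000) throw new IOException(dll + ": bad PE signature");
            return Short.reverseBytes(f.readShort()) & 0xffff;
        }
    }

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "pkcs11.cfg";
        String dll = libraryFrom(cfg);
        // Assumption: HotSpot-specific property, "32" or "64"
        boolean jvm64 = "64".equals(System.getProperty("sun.arch.data.model"));
        int machine = peMachine(dll);
        if (machine != (jvm64 ? MACHINE_AMD64 : MACHINE_I386))
            throw new IllegalStateException(String.format(
                "%s has machine type 0x%04x but the JVM is %s-bit", dll, machine, jvm64 ? "64" : "32"));
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg); // JDK 8 constructor, as in the post
        Security.addProvider(p);
        System.out.println("Registered " + p.getName());
    }
}
```

Failing here with a clear message is easier to diagnose than a `ProviderException` raised later from inside an unrelated JCA lookup.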

Early access binaries of JDK 8 can be downloaded at http://jdk8.java.net/download.html

Comments ( 8 )
  • guest Monday, December 9, 2013

    Has this been added to Java 8 b118? I am trying to enable fips-140 encryption for Java 64 bit (Windows) using Mozilla's NSS library. I have everything working great with Java 7 32 bit but when I attempt to test Java 8 64 bit with the same application and configuration I get the following exception:

    java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at sun.security.jca.ProviderConfig$2.run(Unknown Source)
        at sun.security.jca.ProviderConfig$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
        at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
        at sun.security.jca.ProviderList.getProvider(Unknown Source)
        at sun.security.jca.ProviderList.getIndex(Unknown Source)
        at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
        at sun.security.jca.ProviderList.getProvider(Unknown Source)
        at java.security.Security.getProvider(Unknown Source)
        at sun.security.ssl.SunJSSE.<init>(Unknown Source)
        at sun.security.ssl.SunJSSE.<init>(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at sun.security.jca.ProviderConfig$2.run(Unknown Source)
        at sun.security.jca.ProviderConfig$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
        at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
        at sun.security.jca.ProviderList.getProvider(Unknown Source)
        at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
        at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
        at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
        at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
        at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
        at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
        at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
        at Main.main(Main.java:24)
    Caused by: java.io.IOException: %1 is not a valid Win32 application.
        at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
        ... 36 more


  • guest Monday, December 9, 2013

    It looks like something isn't running in 64-bit. Did you get it working in non-FIPS mode?


  • guest Tuesday, December 10, 2013

    No, it does not work in non-FIPS mode either.

    I built NSS per the instructions here: https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing

    I used the USE_64 variable and NSS was built in the directory: nss\dist\WINNT6.1_64_DBG.OBJ\lib

    So I am assuming that NSS was built in 64 bit.

    My Java version is:

        java version "1.8.0-ea"
        Java(TM) SE Runtime Environment (build 1.8.0-ea-b118)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b60, mixed mode)

    Therefore Java is 64 bit.

    Am I missing something else that I should be checking?

    Thanks,

    Jon


  • guest Thursday, April 10, 2014

    If you moved to the 64-bit version of Java, I guess you need a PKCS #11 module (pkcs11module.dll) compiled for a 64-bit OS.


  • guest Thursday, July 3, 2014

    Any progress/update to the issue posted by guest on December 09, 2013? I am experiencing the same problem trying to enable FIPS 140-2 mode encryption with JDK 8 on Windows 64.


  • vince Saturday, February 21, 2015

    I tried this on Windows 7 (64-bit), jdk1.8.0_11 -- it does not work for me.

    -- sample code - dynamically adding the SunPKCS11 provider ---

        String pkcs11ConfigSettings = "name = " + "TestSmartCard" + "\n" + "library = " + "C:/jdk1.8.0_11/jre/bin/j2pkcs11.dll";
        byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
        ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
        Provider p = new sun.security.pkcs11.SunPKCS11(confStream);

    --- exception ---

        java.security.ProviderException: Initialization failed
            at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
            at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
            at scpoc.SmartCard.main(SmartCard.java:28)
        Caused by: java.io.IOException: The specified procedure could not be found.
            at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
            at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:138)
            at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:151)
            at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:313)

    --

