Re: JEP Review Request: SHA-3 Hash Algorithm

Thu, 03 Mar 2016 13:06:12 -0800 

On 2/29/2016 3:44 PM, Valerie Peng wrote:



Thanks for the comments, there are only < 3 months left for this to be 
implemented.
Besides just assigning the mech numbers, we need the underlying PKCS11 
library (Solaris or NSS) to support SHA-3.
Once we have that, enhancing SunPKCS11 provider is fairly trivial and 
can be done via an RFE.
I think it makes more sense to not include PKCS11 into this JEP unless 
SHA-3 is already supported by the underlying PKCS11 library.
It's not like we won't support SHA-3 in SunPKCS11 provider ever, it's 
just done at a later time, may be very soon but that depends on how 
fast SHA-3 support will be added to the native PKCS11 library.



I don't actually think you need to wait for Solaris/NSS to implement 
support in their PKCS11 DLL to implement support in the Java libraries.



I chatted with the OASIS PKCS11 folks and there's a draft document with 
the mechanism assignments.    Looking at the PKCS11 code, what you would 
need to do is provide a mapping between the java algorithm name and the 
specific PKCS11 mechanism values.  Those changes are all in 
SunPKCS11.java and PKCS11Constants.java.



                m(CKM_SHA_1));
        d(MD, "SHA-256",        P11Digest,
                m(CKM_SHA256));
        d(MD, "SHA-384",        P11Digest,
                m(CKM_SHA384));
        d(MD, "SHA-512",        P11Digest,
                m(CKM_SHA512));


It would seem trivial to add

     d(MD, "SHA3-256", P11Digest, m(CKM_SHA3_256);
    /// and the rest

to SunPKCS11 and

   public static final long CKM_SHA3_256 =  0x??????;
    // and the rest...


to PKCS11Constants.    PKCS11Constants already has a bunch of values 
that aren't used by any of the SunPKCS11 libraries for example.




Doing this would allow other PKCS11 DLLs to work with the SunPKCS11 
provider even before you implement the SHA3 support in the underlying 
Solaris/NSS crypto libraries.



If you're willing to do the update, I'm willing to do the grunt work of 
merging in the new constants and mappings.



Later, Mike







Regards,
Valerie

On 2/23/2016 3:57 PM, Michael StJohns wrote:

On 2/17/2016 7:49 PM, Valerie Peng wrote:

Please review this drafted JEP for adding SHA-3 Hash Algorithm 
support to JDK 9:


https://bugs.openjdk.java.net/browse/JDK-8064399

Thanks,
Valerie



This looks pretty good.  However, I wouldn't throw PKCS11 to the side 
of the road.



https://wiki.oasis-open.org/pkcs11/Meetingminutes/Minutes13012016 
suggests that PKCS11 will have the mechanism numbers probably before 
you get this approved and implemented.  If you ask, they may be 
willing to assign the mechanism numbers prior to the release of the 
document, and that's really all that's necessary.


Mike

























					Reply via email to