PKCS#11 provider differences
This release contains the Oracle PKCS#11 provider, SunPKCS11, instead of the IBMPKCS11Impl provider.
Some features that were available in the IBMPKCS11Impl provider are not available in the SunPKCS11 provider. Differences between these providers might require code changes to your applications.
Differences in behavior
- Dynamic configuration
- In version 8 of the SDK, you could create an instance of the IBMPKCS11Impl class and then use that instance to configure the provider dynamically. For example, you could specify a configuration file when you created the instance.

  ```java
  Provider p = new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl("D:\\pkcs11impl\\luna.cfg");
  ```

  Or you could create the instance and then specify the configuration file later by using the Init() method.

  ```java
  com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl p = new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl();
  p.Init("D:\\pkcs11impl\\luna.cfg", "password".toCharArray());
  ```

  The SunPKCS11 provider does not have a SunPKCS11 class or an Init() method. To dynamically configure this provider, you must get an instance of the Provider class and then use its configure() method to specify the PKCS#11 configuration file.

  ```java
  Provider p = java.security.Security.getProvider("SunPKCS11");
  p = p.configure("/opt/bar/cfg/pkcs11.cfg");
  ```

  For more information, see SunPKCS11 Configuration.
- Token objects
- The IBMPKCS11Impl provider allowed multiple token objects with the same label whereas the SunPKCS11 provider does not. A load failure can occur if there are multiple token objects with the same label.
- Algorithms
- Algorithms that are available in the IBMPKCS11Impl provider might not be available, or might have different names, in the SunPKCS11 provider. For a detailed list, see Differences between IBM and Oracle PKCS#11 algorithms.
Equivalent classes
| IBMPKCS11Impl provider class | Equivalent SunPKCS11 provider class |
|---|---|
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11KeyGenerator | javax.crypto.KeyGenerator.getInstance(algorithm, providerName) |
| com.ibm.crypto.pkcs11impl.provider.DHPKCS11KeyFactory<br>com.ibm.crypto.pkcs11impl.provider.DSAPKCS11KeyFactory<br>com.ibm.crypto.pkcs11impl.provider.RSAPKCS11KeyFactory | java.security.KeyFactory.getInstance(algorithm, providerName)<br>where algorithm is "DH" or "DSA" or "RSA" |
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11KeyFactory | java.security.KeyFactory.getInstance(algorithm, providerName) |
| com.ibm.crypto.pkcs11impl.provider.DHPKCS11KeyAgreement | javax.crypto.KeyAgreement.getInstance("DiffieHellman", myProvider) |
| com.ibm.crypto.pkcs11impl.provider.DHPKCS11KeyPairGenerator<br>com.ibm.crypto.pkcs11impl.provider.DSAPKCS11KeyPairGenerator<br>com.ibm.crypto.pkcs11impl.provider.RSAPKCS11KeyPairGenerator | java.security.KeyPairGenerator.getInstance(algorithm, providerName)<br>where algorithm is "DH" or "DSA" or "RSA" |
| com.ibm.crypto.pkcs11impl.provider.DHPKCS11ParameterGenerator | No Oracle equivalent |
| com.ibm.crypto.pkcs11impl.provider.GeneralHashing<br>MD2 | java.security.MessageDigest.getInstance(algorithm, providerName) |
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11Cipher | javax.crypto.Cipher.getInstance(algorithm, providerName) |
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11Hmac | javax.crypto.Mac.getInstance(algorithm, providerName)<br>where algorithm is "HmacMD5" or "HmacSHA1" |
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11KeyParameterSpec | java.security.spec.AlgorithmParameterSpec |
| com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11Parameters | java.security.AlgorithmParameters.getInstance(algorithm, providerName) |
| com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl | java.security.AuthProvider |
| com.ibm.crypto.pkcs11impl.provider.PKCS11DSAKeyPairParameterSpec | No Oracle equivalent |
| com.ibm.crypto.pkcs11impl.provider.PKCS11Key | java.security.Key |
| com.ibm.crypto.pkcs11impl.provider.PKCS11RSAKeyPairParameterSpec | java.security.spec.RSAKeyGenParameterSpec(keysize, exponent) |
| com.ibm.crypto.pkcs11impl.provider.PKCS11RSAPrivateKey | (java.security.interfaces.RSAPrivateKey) java.security.KeyPair.getPrivate() |
| com.ibm.crypto.pkcs11impl.provider.PKCS11RSAPublicKey | (java.security.interfaces.RSAPublicKey) java.security.KeyPair.getPublic() |
| com.ibm.crypto.pkcs11impl.provider.PKCS11SecretKey | (SecretKey) javax.crypto.KeyGenerator.generateKey() |
| com.ibm.crypto.pkcs11impl.provider.PKCS11SHA1withDSASingle<br>com.ibm.crypto.pkcs11impl.provider.PKCS11SSLHashingwithDSA<br>com.ibm.crypto.pkcs11impl.provider.PKCS11SSLHashingwithRSA | java.security.Signature.getInstance(algorithm)<br>where algorithm is "SHA1withECDSA" or "DSA" or "MD5withRSA" |
| com.ibm.crypto.pkcs11impl.provider.SecureRandom | java.security.SecureRandom |
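
The following sketch combines the dynamic configuration step and several rows of the table above into one migrated code path. It is an added example, not code from the SDK documentation. It assumes a PKCS#11 configuration file passed as the first argument, the token PIN in a hypothetical `HSM_PIN` environment variable, and a token that supports RSA key generation and the "SHA256withRSA" mechanism; the class name `SunPkcs11Migration` is also made up for illustration.

```java
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAKeyGenParameterSpec;

public class SunPkcs11Migration {
    public static void main(String[] args) throws Exception {
        // Assumptions: config path in args[0], token PIN in the HSM_PIN environment variable.
        String cfg = args.length > 0 ? args[0] : "/opt/bar/cfg/pkcs11.cfg";
        String pinEnv = System.getenv("HSM_PIN");
        if (pinEnv == null) throw new IllegalStateException("HSM_PIN is not set");
        char[] pin = pinEnv.toCharArray();

        // Replaces new IBMPKCS11Impl(cfg): start from the unconfigured SunPKCS11 provider.
        Provider template = Security.getProvider("SunPKCS11");
        if (template == null) {
            throw new NoSuchProviderException("SunPKCS11 is not available in this runtime");
        }
        Provider p = template.configure(cfg);   // returns the configured provider instance
        Security.addProvider(p);

        // Replaces the password argument of Init(): configure() takes no PIN,
        // so log in to the token by loading its PKCS11 keystore.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        try {
            ks.load(null, pin);
        } finally {
            java.util.Arrays.fill(pin, '\0');    // do not keep the PIN in memory
        }

        // Replaces RSAPKCS11KeyPairGenerator and PKCS11RSAKeyPairParameterSpec.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();

        // Sign and verify on the token through the standard JCA Signature class.
        byte[] msg = "migration check".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA", p);
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(msg);
        System.out.println(p.getName() + " RSA-" + pub.getModulus().bitLength()
                + " signature verifies: " + s.verify(sig));
    }
}
```

Passing the Provider object to each getInstance() call, rather than relying on provider order, keeps the operations on the token instead of silently falling back to a software provider.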