JEP Review Request: SHA-3 Hash Algorithm

Michael StJohns mstjohns at comcast.net
Thu Mar 3 21:04:53 UTC 2016 

On 2/29/2016 3:44 PM, Valerie Peng wrote:
>
> Thanks for the comments, there are only < 3 months left for this to be 
> implemented.
> Besides just assigning the mech numbers, we need the underlying PKCS11 
> library (Solaris or NSS) to support SHA-3.
> Once we have that, enhancing SunPKCS11 provider is fairly trivial and 
> can be done via an RFE.
> I think it makes more sense to not include PKCS11 into this JEP unless 
> SHA-3 is already supported by the underlying PKCS11 library.
> It's not like we won't support SHA-3 in SunPKCS11 provider ever, it's 
> just done at a later time, may be very soon but that depends on how 
> fast SHA-3 support will be added to the native PKCS11 library.

I don't actually think you need to wait for Solaris/NSS to implement 
support in their PKCS11 DLL to implement support in the Java libraries.

I chatted with the OASIS PKCS11 folks and there's a draft document with 
the mechanism assignments.    Looking at the PKCS11 code, what you would 
need to do is provide a mapping between the java algorithm name and the 
specific PKCS11 mechanism values.  Those changes are all in 
SunPKCS11.java and PKCS11Constants.java.

>                 m(CKM_SHA_1));
>         d(MD, "SHA-256",        P11Digest,
>                 m(CKM_SHA256));
>         d(MD, "SHA-384",        P11Digest,
>                 m(CKM_SHA384));
>         d(MD, "SHA-512",        P11Digest,
>                 m(CKM_SHA512));

It would seem trivial to add

      d(MD, "SHA3-256", P11Digest, m(CKM_SHA3_256);
     /// and the rest

to SunPKCS11 and

    public static final long CKM_SHA3_256 =  0x??????;
     // and the rest...

to PKCS11Constants.    PKCS11Constants already has a bunch of values 
that aren't used by any of the SunPKCS11 libraries for example.


Doing this would allow other PKCS11 DLLs to work with the SunPKCS11 
provider even before you implement the SHA3 support in the underlying 
Solaris/NSS crypto libraries.

If you're willing to do the update, I'm willing to do the grunt work of 
merging in the new constants and mappings.


Later, Mike





>
> Regards,
> Valerie
>
> On 2/23/2016 3:57 PM, Michael StJohns wrote:
>> On 2/17/2016 7:49 PM, Valerie Peng wrote:
>>> Please review this drafted JEP for adding SHA-3 Hash Algorithm 
>>> support to JDK 9:
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8064399
>>>
>>> Thanks,
>>> Valerie
>>
>> This looks pretty good.  However, I wouldn't throw PKCS11 to the side 
>> of the road.
>>
>> https://wiki.oasis-open.org/pkcs11/Meetingminutes/Minutes13012016 
>> suggests that PKCS11 will have the mechanism numbers probably before 
>> you get this approved and implemented.  If you ask, they may be 
>> willing to assign the mechanism numbers prior to the release of the 
>> document, and that's really all that's necessary.
>>
>> Mike
>>

More information about the security-dev mailing list