Hardware providers are automatically located and loaded. For more information, see the driver.conf(4) man page.
When you have hardware that expects to plug in to the Cryptographic Framework, its driver registers with the SPI in the kernel. The framework checks that the driver is signed. Specifically, it checks that the driver's object file is signed with a certificate that Oracle issues.
For example, the mca driver for the Sun Crypto Accelerator 6000 board, the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors, the n2cp driver for the UltraSPARC T2 processors, and the /dev/crypto driver for T-Series systems plug hardware mechanisms into the framework.
For information about getting your provider signed, see the description of the elfsign command in User-Level Commands in the Cryptographic Framework.
To list available providers, use the cryptoadm list command with the options that select the information you want.
Listing all the providers on the system.
The contents and format of the providers list vary across Oracle Solaris releases and platforms. Run the cryptoadm list command on your system to see the providers that your system supports. Only the mechanisms at the user level are available for direct use by regular users.
% cryptoadm list
User-level providers:           /* for applications */
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Provider: /usr/lib/security/$ISA/pkcs11_tpm.so

Kernel software providers:      /* for IPsec, kssl, Kerberos */
des
aes
arcfour
blowfish
camellia
ecc
sha1
sha2
md4
md5
rsa
swrand
n2rng/0
                                /* for hardware */
ncp/0
n2cp/0
Listing the providers and their mechanisms in the Cryptographic Framework.
You can view the strength and modes, such as ECB and CBC, of the available mechanisms. However, some of the listed mechanisms might be disabled by policy and therefore unavailable for use. See the next item for instructions about how to list which mechanisms can be used.
The following output is truncated for display purposes.
% cryptoadm list -m [provider=provider]
User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Mechanisms:
CKM_DSA
CKM_RSA_X_509
CKM_RSA_PKCS
...
CKM_SHA256_HMAC_GENERAL
CKM_SSL3_MD5_MAC

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES_ECB
CKM_DES_KEY_GEN
CKM_DES_MAC_GENERAL
...
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE

Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
/usr/lib/security/$ISA/pkcs11_tpm.so: no slots presented.

Kernel providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM, \
CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
arcfour: CKM_RC4
blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA, \
CKM_ECDSA_SHA1
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
sha2: CKM_SHA224,CKM_SHA224_HMAC,...CKM_SHA512_256_HMAC_GENERAL
md4: CKM_MD4
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS, \
CKM_SHA1_RSA_PKCS,CKM_SHA224_RSA_PKCS,CKM_SHA256_RSA_PKCS, \
CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
swrand: No mechanisms presented.
n2rng/0: No mechanisms presented.
ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN, \
CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_EC_KEY_PAIR_GEN, \
CKM_ECDH1_DERIVE,CKM_ECDSA
n2cp/0: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES3_CBC, \
...CKM_SSL3_SHA1_MAC
Listing the available cryptographic mechanisms.
Policy determines which mechanisms are available for use. The administrator sets the policy and can disable individual mechanisms, or the random number generator, of a particular provider. The -p option displays the mechanisms that the administrator's policy permits.
% cryptoadm list -p [provider=provider]
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: \
all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: \
all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled.

Kernel providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
ecc: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md4: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
n2rng/0: all mechanisms are enabled. random is enabled.
ncp/0: all mechanisms are enabled.
n2cp/0: all mechanisms are enabled.
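The two listings above are what an administrator has to reconcile by eye: cryptoadm list -m says what each provider offers, cryptoadm list -p says what policy still permits, and neither one alone tells you which legacy mechanisms (MD4, MD5, single DES, RC4) remain usable. The script below is an added example, not part of the Oracle documentation or of cryptoadm itself. It parses both text formats as they appear on this page, computes the effective mechanism set per kernel provider, and emits the cryptoadm disable commands that would close each gap. The two sample listings are constructed in the same layout (kernel-provider sections only), and the LEGACY set is an illustrative baseline, not an Oracle recommendation.

```python
"""Cross-check cryptoadm policy against the mechanisms each kernel provider
offers, to find legacy mechanisms that policy still permits.

Added example, not part of the Oracle Solaris documentation or of cryptoadm.
It parses the text formats of `cryptoadm list -m` and `cryptoadm list -p`
as shown on this page; the two samples below are constructed in that layout
(kernel-provider sections only), and the LEGACY set is an illustrative
baseline, not an Oracle recommendation."""
import re
from typing import Dict, List, Set

# Constructed sample in the layout of `cryptoadm list -m` (kernel section).
# Raw string: the trailing backslash is cryptoadm's line continuation.
SAMPLE_MECHS = r"""Kernel providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM, \
CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
arcfour: CKM_RC4
md4: CKM_MD4
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
swrand: No mechanisms presented.
"""

# Constructed sample in the layout of `cryptoadm list -p` (kernel section).
SAMPLE_POLICY = """Kernel providers:
==========================
des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB.
aes: all mechanisms are enabled.
arcfour: all mechanisms are disabled.
md4: all mechanisms are enabled.
md5: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC. random is disabled.
swrand: random is enabled.
"""

# Illustrative hardening baseline (assumption): mechanisms an administrator
# would not leave enabled for new work.
LEGACY = {"CKM_MD4", "CKM_MD5", "CKM_MD5_HMAC", "CKM_MD5_HMAC_GENERAL",
          "CKM_DES_ECB", "CKM_DES_CBC", "CKM_DES3_ECB", "CKM_RC4"}

POLICY_RE = re.compile(r"all mechanisms are (enabled|disabled)"
                       r"(?:, except ([\w,\s]+?))?\.")
RANDOM_RE = re.compile(r"random is (enabled|disabled)")


def _provider_lines(text: str) -> List[str]:
    """Join backslash-continued lines; keep only 'provider: body' lines
    (section headers end in ':' and separator lines have no ':')."""
    joined = re.sub(r",?\s*\\\n\s*", ",", text)
    lines = [ln.strip() for ln in joined.splitlines()]
    return [ln for ln in lines if ":" in ln and not ln.endswith(":")]


def parse_mechanisms(text: str) -> Dict[str, Set[str]]:
    """Provider name -> set of CKM_* mechanisms it offers (`list -m`)."""
    out: Dict[str, Set[str]] = {}
    for line in _provider_lines(text):
        name, body = line.split(":", 1)
        out[name.strip()] = {m.strip() for m in body.split(",")
                             if m.strip().startswith("CKM_")}
    return out


def parse_policy(text: str) -> Dict[str, dict]:
    """Provider name -> {'default': enabled/disabled/None,
    'except': mechanisms excluded from the default,
    'random': enabled/disabled/None} (`list -p`)."""
    out: Dict[str, dict] = {}
    for line in _provider_lines(text):
        name, body = line.split(":", 1)
        entry = {"default": None, "except": set(), "random": None}
        m = POLICY_RE.search(body)
        if m:
            entry["default"] = m.group(1)
            if m.group(2):
                entry["except"] = {x.strip() for x in m.group(2).split(",")
                                   if x.strip()}
        r = RANDOM_RE.search(body)
        if r:
            entry["random"] = r.group(1)
        out[name.strip()] = entry
    return out


def effective_enabled(mechs, policy) -> Dict[str, Set[str]]:
    """Apply policy to offered mechanisms. A provider without a mechanism
    policy line is treated as fully enabled (no disabled list)."""
    result: Dict[str, Set[str]] = {}
    for prov, offered in mechs.items():
        pol = policy.get(prov, {"default": "enabled", "except": set()})
        result[prov] = set() if pol["default"] == "disabled" \
            else offered - pol["except"]
    return result


def legacy_still_enabled(mechs, policy, legacy=LEGACY) -> Dict[str, Set[str]]:
    """Providers whose effective policy still permits a legacy mechanism."""
    enabled = effective_enabled(mechs, policy)
    return {p: s & legacy for p, s in enabled.items() if s & legacy}


def disable_commands(findings: Dict[str, Set[str]]) -> List[str]:
    """cryptoadm commands that would close each gap (disable takes a
    comma-separated mechanism list)."""
    return [f"cryptoadm disable provider={p} mechanism={','.join(sorted(s))}"
            for p, s in sorted(findings.items())]


if __name__ == "__main__":
    found = legacy_still_enabled(parse_mechanisms(SAMPLE_MECHS),
                                 parse_policy(SAMPLE_POLICY))
    for cmd in disable_commands(found):
        print(cmd)
```

On a live system you would feed the script the real output of cryptoadm list -m and cryptoadm list -p instead of the samples; note that a provider reported as "all mechanisms are disabled" contributes nothing, and that disabling a mechanism in the kernel provider does not remove it from the user-level pkcs11_softtoken library, whose policy is listed separately.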
The following examples show additional specific uses of the cryptoadm list command.
Example 3-11 Listing Cryptographic Information of a Specific Provider
Specifying the provider in the cryptoadm command limits the output to information that applies to that provider.
# cryptoadm enable provider=dca/0 random
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,.... random is enabled.
In the following output, only the mechanisms are enabled. The random number generator remains disabled.
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,....
# cryptoadm enable provider=dca/0 mechanism=all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is disabled.
In the following output, the all keyword enables every mechanism and the random number generator on the board.
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB. random is disabled.
# cryptoadm enable provider=dca/0 all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is enabled.
Example 3-12 Finding User-Level Cryptographic Mechanisms Only
In the following example, all mechanisms offered by the user-level pkcs11_softtoken library are listed.
% cryptoadm list -m provider=/usr/lib/security/\
$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES_ECB
CKM_DES_KEY_GEN
CKM_DES_MAC_GENERAL
CKM_DES_MAC
…
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
Example 3-13 Determining Which Cryptographic Mechanisms Perform Which Functions
Mechanisms perform specific cryptographic functions, such as signing or key generation. The -v -m options (-vm) display every mechanism together with its key-size limits and the functions it supports.
In this instance, the administrator wants to determine for which functions the CKM_ECDSA* mechanisms can be used.
% cryptoadm list -vm
User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Number of slots: 3

Slot #2
Description: ncp/0 Crypto Accel Asym 1.0
...
CKM_ECDSA                 163   571  X . . . X . X . . . . . . .
...

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
...
CKM_ECDSA                 112   571  . . . . X . X . . . . . . . .
CKM_ECDSA_SHA1            112   571  . . . . X . X . . . . . . . .
...

Kernel providers:
=================
...
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
...
The listing indicates that these mechanisms are available from the following user-level providers:
CKM_ECDSA and CKM_ECDSA_SHA1 – As a software implementation in the /usr/lib/security/$ISA/pkcs11_softtoken.so library
CKM_ECDSA – Accelerated by ncp/0 Crypto Accel Asym 1.0 in /usr/lib/security/$ISA/pkcs11_kernel.so library
Each column in an entry represents a piece of information about the mechanism: the minimum and maximum key sizes, then one flag column per function, where X means supported and . means not supported. For these ECC mechanisms, the listing indicates the following:
Minimum key length – 112 bits for the software implementation (the hardware entry under ncp/0 shows 163 bits)
Maximum key length – 571 bits
Hardware – Whether the mechanism is implemented in hardware (X for the ncp/0 entry, . for pkcs11_softtoken)
Encrypt – Is not used to encrypt data.
Decrypt – Is not used to decrypt data.
Digest – Is not used to create message digests.
Sign – Is used to sign data.
Sign + Recover – Is not used to sign data, where the data can be recovered from the signature.
Verify – Is used to verify signed data.
Verify + Recover– Is not used to verify data that can be recovered from the signature.
Key generation – Is not used to generate a single (secret) key.
Pair generation – Is not used to generate a key pair.
Wrap – Is not used to wrap, that is, encrypt, an existing key.
Unwrap – Is not used to unwrap a wrapped key.
Derive – Is not used to derive a new key from a base key.
EC Caps – No additional EC capabilities beyond those covered by the previous items.
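Reading the flag columns by position is error-prone once the listing runs to hundreds of rows, so the following added example (not part of the Oracle documentation or of cryptoadm) decodes the cryptoadm list -vm capability rows into named fields. It assumes exactly the 14 flag columns listed above, in that order (Hardware through EC Caps); the sample rows are constructed to match the ECDSA listing in Example 3-13, and the "Sun Crypto Softtoken" slot description is part of that constructed sample.

```python
"""Decode the capability columns of `cryptoadm list -vm` output.

Added example, not part of the Oracle Solaris documentation or of cryptoadm.
It assumes each mechanism row carries exactly the 14 flag columns listed on
this page, in that order (Hardware through EC Caps); the sample rows below
are constructed to match the ECDSA listing above."""
import re
from typing import Dict, List, NamedTuple

# Column order as documented: X = capability present, . = absent.
FLAGS = ["hardware", "encrypt", "decrypt", "digest", "sign", "sign_recover",
         "verify", "verify_recover", "key_gen", "pair_gen", "wrap", "unwrap",
         "derive", "ec_caps"]

# Constructed sample in the layout of the user-level part of `list -vm`.
SAMPLE = """User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Number of slots: 3
Slot #2
Description: ncp/0 Crypto Accel Asym 1.0
CKM_ECDSA                 163   571  X . . . X . X . . . . . . .
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Slot #1
Description: Sun Crypto Softtoken
CKM_ECDSA                 112   571  . . . . X . X . . . . . . .
CKM_ECDSA_SHA1            112   571  . . . . X . X . . . . . . .
CKM_EC_KEY_PAIR_GEN       112   571  . . . . . . . . . X . . . .
"""

# name, min key size, max key size, then the run of X/. flag columns
ROW_RE = re.compile(r"^(CKM_\w+)\s+(\d+)\s+(\d+)\s+((?:[X.]\s*)+)$")


class Mechanism(NamedTuple):
    provider: str      # PKCS#11 library path
    slot: str          # slot description (token) that offers it
    name: str
    min_key_bits: int  # key sizes are in bits (571 = B-571/K-571 curves)
    max_key_bits: int
    caps: Dict[str, bool]


def parse_vm(text: str) -> List[Mechanism]:
    """Return one Mechanism per capability row, tagged with the provider
    and slot whose header most recently preceded it."""
    rows: List[Mechanism] = []
    provider = slot = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Provider:"):
            provider, slot = line.split(":", 1)[1].strip(), ""
            continue
        if line.startswith("Description:"):
            slot = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        flags = m.group(4).split()
        if len(flags) != len(FLAGS):
            raise ValueError(f"{m.group(1)}: expected {len(FLAGS)} flag "
                             f"columns, got {len(flags)}")
        rows.append(Mechanism(provider, slot, m.group(1), int(m.group(2)),
                              int(m.group(3)),
                              dict(zip(FLAGS, (f == "X" for f in flags)))))
    return rows


def functions_of(mech: Mechanism) -> List[str]:
    """Operations the row says the mechanism performs (hardware flag aside)."""
    return [k for k, v in mech.caps.items() if v and k != "hardware"]


def implementations(rows: List[Mechanism], name: str) -> List[Mechanism]:
    """Every provider/slot offering `name`, hardware-backed entries first."""
    return sorted((r for r in rows if r.name == name),
                  key=lambda r: not r.caps["hardware"])


if __name__ == "__main__":
    for r in implementations(parse_vm(SAMPLE), "CKM_ECDSA"):
        where = "hardware" if r.caps["hardware"] else "software"
        print(f"{r.name}: {where} via {r.slot} ({r.provider}), "
              f"{r.min_key_bits}-{r.max_key_bits} bits, "
              f"functions={functions_of(r)}")
```

The parser refuses rows whose flag count does not match the documented columns rather than guessing, because a silently shifted column would turn "Sign" into "Sign + Recover" and mislead whoever is deciding which provider to target.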