Managing Encryption and Certificates in Oracle® Solaris 11.2

Updated: September 2014
Listing Available Providers

Hardware providers are located and loaded automatically. For more information, see the driver.conf(4) man page.

When hardware is built to plug in to the Cryptographic Framework, its driver registers with the SPI in the kernel. The framework checks that the hardware driver is signed; specifically, it checks that the object file of the driver is signed with a certificate that Oracle issues.

For example, the Sun Crypto Accelerator 6000 board (mca), the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors, the n2cp driver for the UltraSPARC T2 processors, and the /dev/crypto driver for T-Series systems plug hardware mechanisms into the framework.

For information about getting your provider signed, see the description of the elfsign command in User-Level Commands in the Cryptographic Framework.

To list available providers, use the cryptoadm list command. The options you add determine which information is reported.

  • Listing all the providers on the system.

    The contents and format of the providers list vary between Oracle Solaris releases and platforms. Run the cryptoadm list command on your system to see the providers that your system supports. Only the user-level mechanisms are available for direct use by regular users.

    % cryptoadm list
    User-level providers:  /* for applications */
    Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
    
    Kernel software providers:  /* for IPsec, kssl, Kerberos */
    des
    aes
    arcfour
    blowfish
    camellia
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
    n2rng/0 /* for hardware */
    ncp/0
    n2cp/0
    
  • Listing the providers and their mechanisms in the Cryptographic Framework.

    You can view the strength and modes, such as ECB and CBC, of the available mechanisms. However, some of the listed mechanisms might be unavailable for use because the administrator's policy disables them. See the next item for instructions about how to list which mechanisms can be used.

    The following output is truncated for display purposes.

    % cryptoadm list -m [provider=provider]
    User-level providers:
    =====================
    
    Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
    
    Mechanisms:
    CKM_DSA
    CKM_RSA_X_509
    CKM_RSA_PKCS
    ...
    CKM_SHA256_HMAC_GENERAL
    CKM_SSL3_MD5_MAC
    
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    Mechanisms:
    CKM_DES_CBC
    CKM_DES_CBC_PAD
    CKM_DES_ECB
    CKM_DES_KEY_GEN
    CKM_DES_MAC_GENERAL
    ...
    CKM_ECDSA_SHA1
    CKM_ECDH1_DERIVE
    
    Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
    /usr/lib/security/$ISA/pkcs11_tpm.so: no slots presented.
    
    Kernel providers:
    ==========================
    des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
    aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM, \
         CKM_AES_GCM,CKM_AES_GMAC,
    CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
    arcfour: CKM_RC4
    blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
    ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA, \
         CKM_ECDSA_SHA1
    sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
    sha2: CKM_SHA224,CKM_SHA224_HMAC,...CKM_SHA512_256_HMAC_GENERAL
    
    md4: CKM_MD4
    md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
    rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS, \
         CKM_SHA1_RSA_PKCS,CKM_SHA224_RSA_PKCS,
    CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
    swrand: No mechanisms presented.
    n2rng/0: No mechanisms presented.
    ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,
    CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_EC_KEY_PAIR_GEN,
    CKM_ECDH1_DERIVE,CKM_ECDSA
    n2cp/0: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES3_CBC, \
         ...CKM_SSL3_SHA1_MAC
    
  • Listing the available cryptographic mechanisms.

    Policy determines which mechanisms are available for use. The administrator sets the policy. An administrator can choose to disable mechanisms from a particular provider. The –p option displays the list of mechanisms that are permitted by the policy that the administrator has set.

    % cryptoadm list -p [provider=provider]
    User-level providers:
    =====================
    /usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
    /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.
    /usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled.
    Kernel providers:
    ==========================
    des: all mechanisms are enabled.
    aes: all mechanisms are enabled.
    arcfour: all mechanisms are enabled.
    blowfish: all mechanisms are enabled.
    ecc: all mechanisms are enabled.
    sha1: all mechanisms are enabled.
    sha2: all mechanisms are enabled.
    md4: all mechanisms are enabled.
    md5: all mechanisms are enabled.
    rsa: all mechanisms are enabled.
    swrand: random is enabled.
    n2rng/0: all mechanisms are enabled. random is enabled.
    ncp/0: all mechanisms are enabled.
    n2cp/0: all mechanisms are enabled.
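The –p listing is the data an auditor needs to check that the policy actually retires deprecated algorithms. The following POSIX shell script is an added example, not part of the Oracle page: it reads cryptoadm list -p output, reports every kernel provider from a list of deprecated algorithms (des, arcfour, md4 and md5 are this example's assumption; edit WEAK to your own policy) that still has mechanisms enabled, and prints the cryptoadm disable commands that would turn them off without running them. The sample listing is constructed from the output shown above; on a live system pipe cryptoadm list -p into the functions instead.

```shell
#!/bin/sh
# Added example (not from the Oracle page): audit `cryptoadm list -p` output
# for deprecated kernel providers whose mechanisms are still enabled.
# WEAK is an assumption for this example; edit it to match your own policy.
WEAK="des arcfour md4 md5"

# weak_enabled: reads `cryptoadm list -p` output on stdin and prints, one per
# line, each kernel provider named in $WEAK whose status line still reports
# enabled mechanisms.  Lines with an "except ..." list are reported too,
# because some mechanisms of that provider remain enabled.
weak_enabled() {
    awk -v weak="$WEAK" '
        BEGIN {
            n = split(weak, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        # Everything before this header is the user-level section; skip it.
        /^Kernel (software )?providers:/ { kernel = 1; next }
        kernel && $1 ~ /:$/ {
            name = $1
            sub(/:$/, "", name)
            if ((name in want) && ($0 ~ /mechanisms are enabled/)) print name
        }
    '
}

# disable_commands: turns the findings into the cryptoadm disable commands
# (the mechanism=all form shown in this section) and prints them for review.
disable_commands() {
    weak_enabled | while read -r name; do
        printf 'cryptoadm disable provider=%s mechanism=all\n' "$name"
    done
}

# Constructed sample modelled on the -p listing in this section.  A real run
# replaces this with `cryptoadm list -p`.
sample_policy() {
    cat <<'EOF'
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.
Kernel providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md4: all mechanisms are enabled.
md5: all mechanisms are enabled, except CKM_MD5_HMAC_GENERAL.
rsa: all mechanisms are enabled.
swrand: random is enabled.
EOF
}

# Dry run against the constructed sample: prints four disable commands.
sample_policy | disable_commands
```

Review the printed commands before running them with the same privileges the enable commands in this section use (root prompt). The plain cryptoadm list output above marks the kernel providers as serving IPsec, kssl and Kerberos, so confirm that no configured consumer still depends on a provider before you disable it.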

The following examples show additional specific uses of the cryptoadm list command.

Example 3-11  Listing Cryptographic Information of a Specific Provider

Specifying the provider in the cryptoadm command limits the output to information that applies to that provider.

In the following sequence, the random number generator on the board is enabled. Some mechanisms remain disabled by policy, as the except list shows.

# cryptoadm enable provider=dca/0 random
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,...
random is enabled.

In the following sequence, only the mechanisms are enabled. The random generator continues to be disabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,....

# cryptoadm enable provider=dca/0 mechanism=all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is disabled.

In the following sequence, every feature and mechanism on the board is enabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB.
random is disabled.

# cryptoadm enable provider=dca/0 all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is enabled.

Example 3-12  Finding User-Level Cryptographic Mechanisms Only

In the following example, all mechanisms that the user-level library, pkcs11_softtoken, offers are listed.

% cryptoadm list -m provider=/usr/lib/security/\
   $ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES_ECB
CKM_DES_KEY_GEN
CKM_DES_MAC_GENERAL
CKM_DES_MAC
…
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE

Example 3-13  Determining Which Cryptographic Mechanisms Perform Which Functions

Mechanisms perform specific cryptographic functions, such as signing or key generation. The –v –m options display every mechanism and its functions.

In this instance, the administrator wants to determine for which functions the CKM_ECDSA* mechanisms can be used.

% cryptoadm list -vm
User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Number of slots: 3
Slot #2
Description: ncp/0 Crypto Accel Asym 1.0
...
CKM_ECDSA                    163  571  X  .  .  .  X  .  X  .  .  .  .  .  .  .
...

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
...
CKM_ECDSA       112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
CKM_ECDSA_SHA1  112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
...
Kernel providers:
=================
...
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
...

The listing indicates that these mechanisms are available from the following user-level providers:

  • CKM_ECDSA and CKM_ECDSA_SHA1 – As a software implementation in the /usr/lib/security/$ISA/pkcs11_softtoken.so library

  • CKM_ECDSA – Accelerated by ncp/0 Crypto Accel Asym 1.0, through the /usr/lib/security/$ISA/pkcs11_kernel.so library

Each item in an entry represents a piece of information about the mechanism. After the mechanism name come the minimum and maximum key lengths, followed by one column per capability, where X means the mechanism has that capability and a dot means it does not. For these ECC mechanisms, the listing indicates the following:

  • Minimum key length – 112 bits (163 bits for the ncp/0 entry). PKCS #11 reports EC key sizes in bits, which is why 571 matches the largest standard binary curve.

  • Maximum key length – 571 bits

  • Hardware – Is available on hardware for the pkcs11_kernel.so (ncp/0) entry, and is not for the pkcs11_softtoken.so entry.

  • Encrypt – Is not used to encrypt data.

  • Decrypt – Is not used to decrypt data.

  • Digest – Is not used to create message digests.

  • Sign – Is used to sign data.

  • Sign + Recover – Is not used to sign data where the data can be recovered from the signature.

  • Verify – Is used to verify signed data.

  • Verify + Recover – Is not used to verify data that can be recovered from the signature.

  • Key generation – Is not used to generate a single key.

  • Pair generation – Is not used to generate a key pair.

  • Wrap – Is not used to wrap, that is, encrypt, an existing key.

  • Unwrap – Is not used to unwrap a wrapped key.

  • Derive – Is not used to derive a new key from a base key.

  • EC Caps – EC capabilities that the previous items do not cover; none are reported for these entries.
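Reading the dot-and-X matrix by eye is error prone when you are checking many mechanisms, so the following POSIX shell script, an added example that is not part of the Oracle page, decodes cryptoadm list -vm rows into the capability names listed above and answers a question an engineer commonly has: is a given mechanism backed by hardware on this system? It assumes the capability columns appear in the order the list above gives (Hardware, Encrypt, Decrypt, Digest, Sign, Sign + Recover, Verify, Verify + Recover, key generation, pair generation, Wrap, Unwrap, Derive, EC Caps) and ignores any trailing column beyond those fourteen; confirm that order against the column header that cryptoadm list -v prints on your system. The sample rows are constructed from the listing in Example 3-13.

```shell
#!/bin/sh
# Added example (not from the Oracle page): decode mechanism rows from
# `cryptoadm list -vm` into capability names.
# Assumption: flag columns follow the order documented in this section.

# decode_rows: reads "CKM_NAME MIN MAX flag..." rows on stdin and prints
# "CKM_NAME MIN-MAX bits: cap1 cap2 ..." for each, one per line.  Rows that
# do not start with a CKM_ name (provider headers, separators) are skipped.
decode_rows() {
    awk '
        BEGIN {
            n = split("Hardware Encrypt Decrypt Digest Sign Sign+Recover Verify Verify+Recover KeyGen PairGen Wrap Unwrap Derive ECCaps", cap, " ")
        }
        $1 ~ /^CKM_/ && NF >= 4 {
            line = $1 " " $2 "-" $3 " bits:"
            # Flags start at field 4; columns past the 14 documented ones
            # are ignored.
            for (i = 1; i <= n && 3 + i <= NF; i++)
                if ($(3 + i) == "X") line = line " " cap[i]
            print line
        }
    '
}

# has_cap MECHANISM CAPABILITY: exit 0 if any decoded row for MECHANISM
# carries CAPABILITY (for example, Hardware), else exit 1.  Because several
# providers may list the same mechanism, a hit from any of them counts.
has_cap() {
    decode_rows | awk -v m="$1" -v c="$2" '
        $1 == m { for (i = 4; i <= NF; i++) if ($i == c) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample taken from the rows shown in Example 3-13.  On a real
# system pipe `cryptoadm list -vm` into the functions instead.
sample_rows() {
    cat <<'EOF'
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
CKM_ECDSA                    163  571  X  .  .  .  X  .  X  .  .  .  .  .  .  .
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
CKM_ECDSA       112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
CKM_ECDSA_SHA1  112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
EOF
}

# Decode the sample, then check whether ECDSA is hardware accelerated.
sample_rows | decode_rows
if sample_rows | has_cap CKM_ECDSA Hardware; then
    echo "CKM_ECDSA: hardware accelerated"
else
    echo "CKM_ECDSA: software only"
fi
```

On a live system the check becomes cryptoadm list -vm | has_cap CKM_ECDSA Hardware, which is a convenient assertion for a build or compliance script that expects a particular accelerator to be present.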