This section highlights information for existing customers about new cryptographic services in this release.
The Cryptographic Framework is based on the latest version of the PKCS #11 Cryptographic Token Interface Standard, PKCS #11 v2.40. Several new cryptographic algorithms and security standards have been revised and published in this upgrade. For more information, see the OASIS PKCS #11 Technical Committee website: https://www.oasis-open.org/committees/pkcs11/.
ucrypto is a simple and fast cryptographic interface to user-level cryptographic primitives. ucrypto is useful for applications with simple needs for pure cryptographic functionality. In particular, ucrypto is useful when programs cannot or should not use PKCS #11 or OpenSSL APIs. The faster path to cryptographic functionality through ucrypto can significantly improve the performance of applications. For more information, see Simple and Fast ucrypto Provider
An enhanced elfsign command makes it more difficult for attackers get at your data. elfsign also separates the signature cryptographic algorithm calculation from the data range algorithm, making it easier for you to add and maintain new algorithms.
For more information, see Elfsign Enhancements.
As of this Oracle Solaris release, token labels are configurable. You can simultaneously create a new token, set its PIN, and assign a label to it with a single pktool inittoken command. You can also use the same command to change the labels of existing tokens. However, to change the PINs of existing tokens, you continue to use the pktool setpin command.
Although the pktool setpin command remains a valid command to create a token, you cannot set the label name using this method. Instead, the default label name is used, which is Sun Software PKCS #11 softtoken.
If you are running applications or scripts that use pktool setpin to create tokens, you must revise them to include pktool inittoken to configure token labels as well. For examples of the use of the pktool inittoken command, see How to Create a PKCS #11 Keystore.
The cryptoadm command creates a new BE, thus retains the original BE. For more information, see Enabling FIPS 140-2 Mode in Oracle Solaris.