Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2020
 
 

Simple and Fast ucrypto Provider

The ucrypto provider enables you to directly access user-level cryptographic primitives.


Note -  Cryptographic primitives are well-established, low-level algorithms that function as basic building blocks in security systems. Primitives are designed to perform single tasks in a highly reliable fashion.

ucrypto is an alternative to the Cryptographic Framework. ucrypto provides user-level cryptographic support only, and is intended for use by applications with simple needs for pure cryptographic functionality. In particular, ucrypto is useful when programs cannot or should not use PKCS #11 or OpenSSL APIs. The faster path to cryptographic functionality through ucrypto can significantly improve the performance of applications.

ucrypto meets the requirements for FIPS 140-2 validation. The cryptographic library for ucrypto, libucrypto, includes all cryptographic algorithms supported by Oracle Solaris. pkcs11_softtoken is a consumer of libucrypto.

Operations Supported by the ucrypto Provider

The ucrypto provider supports atomic and multi-part cryptographic operations with no locking and no session management. Atomic operations are performed using one function call. Each multi-part operation uses a series of three function calls to initialize, update zero or more times, and finalize each cryptographic operation.


Note -  During multi-part operations, the context is maintained in the caller's address space. The caller has the responsibility to pass the untouched context between multi-part operations and to ensure that the context is not used by multiple threads at the same time.
Table 1  ucrypto Operations
Cryptographic Operation
Description
Function
Encryption
Performs atomic or multi-part encryption
crypto_encrypt()
Decryption
Performs atomic or multi-part decryption
crypto_decrypt()
Signing
Performs digital signature operations on atomic or multi-part data
crypto_sign()
Verification
Verifies a digital signature on atomic or multi-part data
crypto_verify()
Digest
Performs digest operations on atomic or multi-part data
crypto_digest()
Message authentication code (Mac) operations
Computes a message authentication code for atomic or multi-part data
crypto_mac()
Symmetric and asymmetric key generation
Generates keys for symmetric operations or key pairs for asymmetric operations
crypto_keygen()
Utility functions
Performs various tasks such as returning the ID number for a specified mechanism
crypto_util()

For further information, review the libucrypto* man pages on the command line. The man pages list the algorithms and algorithm modes that each function supports.

Disabling libucrypto Mechanisms

Administrators can use the Service Management Facility (SMF) to disable the libucrypto mechanisms. Each mechanism is a property in the svc:/system/cryptosvc service. The properties are stated using the following format:

policy/libucrypto/algorithm-name

For example, to disable the deprecated CRYPTO_MD5 algorithm, type the following command:

# pfbash svccfg -s svc:/system/cryptosvc \
      setprop policy/libucrypto/md5=disabled

    where:

  • disabled specifies that no functions of the algorithm are permitted.

  • enabled specifies that the algorithm is capable of performing all supported functions. For an encryption algorithm, both encryption and decryption are permitted. For signature algorithms, both signing and verification are permitted. Key or keypair generation for that algorithm is permitted.

  • deprecated means the algorithm should not be used to create any new cryptographic data. However, legacy data is still accessible. Decryption or verification is permitted. Encryption or signing is disabled. Key or keypair generation for that algorithm is not permitted.


Note -  Digests and MACs can only be enabled or disabled.

For more information, see the setprop subcommand description in the svccfg(8) man page.