The ucrypto provider enables you to directly access user-level cryptographic primitives.
ucrypto is an alternative to the Cryptographic Framework. ucrypto provides user-level cryptographic support only, and is intended for use by applications with simple needs for pure cryptographic functionality. In particular, ucrypto is useful when programs cannot or should not use PKCS #11 or OpenSSL APIs. The faster path to cryptographic functionality through ucrypto can significantly improve the performance of applications.
ucrypto meets the requirements for FIPS 140-2 validation. The cryptographic library for ucrypto, libucrypto, includes all cryptographic algorithms supported by Oracle Solaris. pkcs11_softtoken is a consumer of libucrypto.
The ucrypto provider supports atomic and multi-part cryptographic operations with no locking and no session management. Atomic operations are performed using one function call. Each multi-part operation uses a series of three function calls to initialize, update zero or more times, and finalize each cryptographic operation.
For further information, review the libucrypto* man pages on the command line. The man pages list the algorithms and algorithm modes that each function supports.
Administrators can use the Service Management Facility (SMF) to disable the libucrypto mechanisms. Each mechanism is a property in the svc:/system/cryptosvc service. The properties are stated using the following format:
For example, to disable the deprecated CRYPTO_MD5 algorithm, type the following command:

# pfbash svccfg -s svc:/system/cryptosvc \
    setprop policy/libucrypto/md5=disabled
disabled specifies that no functions of the algorithm are permitted.
enabled specifies that the algorithm is capable of performing all supported functions. For an encryption algorithm, both encryption and decryption are permitted. For signature algorithms, both signing and verification are permitted. Key or keypair generation for that algorithm is permitted.
deprecated means the algorithm should not be used to create any new cryptographic data. However, legacy data is still accessible. Decryption or verification is permitted. Encryption or signing is disabled. Key or keypair generation for that algorithm is not permitted.
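The following audit helper is an added example, not part of the Oracle Solaris documentation. It reads output in the form produced by svcprop -p policy/libucrypto svc:/system/cryptosvc (name, type, value per line) and reports any mechanism that is still fully enabled although policy says it should be deprecated or disabled. The sample svcprop output and the mechanism names other than md5 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit libucrypto mechanism policy from svcprop-style output.
# Constructed sample standing in for:
#   svcprop -p policy/libucrypto svc:/system/cryptosvc
# Mechanism names other than md5 are illustrative, not taken from a live system.
SAMPLE_POLICY='policy/libucrypto/md5 astring enabled
policy/libucrypto/sha1 astring deprecated
policy/libucrypto/aes_cbc astring enabled
policy/libucrypto/rc4 astring disabled'

# Print "mechanism state" pairs for every policy/libucrypto/* property on stdin.
ucrypto_policy_states() {
    awk '$1 ~ /^policy\/libucrypto\// {
        sub(/^policy\/libucrypto\//, "", $1); print $1, $3 }'
}

# Return 0 if the value is one of the three states a mechanism property accepts.
ucrypto_valid_state() {
    case "$1" in
        enabled|deprecated|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Read svcprop output on stdin; each argument names a mechanism that local
# policy requires to be deprecated or disabled. Print offenders, return 1 if any.
ucrypto_check_enabled() {
    _rc=0
    _states=$(ucrypto_policy_states)
    for _mech in "$@"; do
        _state=$(printf '%s\n' "$_states" | awk -v m="$_mech" '$1 == m { print $2 }')
        if [ "$_state" = "enabled" ]; then
            echo "$_mech is still enabled; set policy/libucrypto/$_mech to deprecated or disabled"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run over the constructed sample: md5 is reported, sha1 and rc4 are not.
printf '%s\n' "$SAMPLE_POLICY" | ucrypto_check_enabled md5 sha1 rc4 \
    || echo "policy audit found weak mechanisms still enabled"
```

svcprop reports the running snapshot, so a value changed with svccfg setprop shows up in this audit only after svcadm refresh svc:/system/cryptosvc.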
For more information, see the setprop subcommand description in the svccfg(8) man page.