Managing Encryption and Certificates in Oracle® Solaris 11.4

Updated: May 2021

Listing Available Providers

Hardware providers are automatically located and loaded. For more information, see the driver.conf(5) man page.

When you have hardware that expects to plug in to the Cryptographic Framework, the hardware registers with the SPI in the kernel. The framework checks that the hardware driver is signed. Specifically, the framework checks that the object file of the driver is signed with a certificate that Oracle issues.

For information about getting your provider signed, see the information about the elfsign command in User-Level Commands in the Cryptographic Framework.

To list available providers, you use the cryptoadm list commands with different options depending on the specific information you want to obtain.

  • Listing all the providers on the system.

    The contents and format of the providers list varies for different Oracle Solaris releases and different hardware platforms. Run the cryptoadm list command on your system to see the providers that your system supports. Only those mechanisms at the user level are available for direct use by regular users.

    $ cryptoadm list
    User-level providers:/* for applications */
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    
    Kernel providers:/* for IPsec, Kerberos */
            des
            aes
            arcfour
            blowfish
            camellia
            ecc
            sha1
            sha2
            sha3
            md5
            rsa
            swrand
    n2rng/0 /* for hardware */
  • Listing the providers and their mechanisms in the Cryptographic Framework.

    You can view the strength and modes, such as ECB and CBC, of the available mechanisms. However, some of the listed mechanisms might be unavailable for use. See the next item for instructions about how to list which mechanisms can be used.

    The following output is truncated for display purposes.

    $ cryptoadm list -m [provider=provider]
    User-level providers:
    =====================
    
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    Mechanisms:
    CKM_CAMELLIA_CBC
    CKM_CAMELLIA_CBC_PAD
    CKM_CAMELLIA_CTR
    CKM_CAMELLIA_ECB
    CKM_CAMELLIA_KEY_GEN
    CKM_DES_CBC
    ...
    CKM_ECDSA_SHA1
    CKM_ECDH1_DERIVE
    
    Kernel providers:
    ==========================
    des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
    aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,...CKM_AES_CFB8
    arcfour: CKM_RC4
    blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
    camellia: CKM_CAMELLIA_CBC,CKM_CAMELLIA_CTR,CKM_CAMELLIA_CTS,CKM_CAMELLIA_ECB
    ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA, \
         CKM_ECDSA_SHA1
    sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
    sha2: CKM_SHA224,CKM_SHA224_HMAC,...CKM_SHA512_256_HMAC_GENERAL
    sha3: CKM_SHA3_224,CKM_SHA3_224_HMAC,CKM_SHA3_256,...CKM_SHA3_512_HMAC
    md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
    rsa: CKM_RSA_PKCS,CKM_RSA_X_509,...CKM_SHA512_RSA_PKCS
    swrand: No mechanisms presented.
    n2rng/0: No mechanisms presented.
  • Listing the available cryptographic mechanisms.

    Policy determines which mechanisms are available for use. The administrator sets the policy. An administrator can choose to disable mechanisms from a particular provider. The -p option displays the list of mechanisms that are permitted by the policy that the administrator has set.

    $ cryptoadm list -p [provider=provider]
    User-level providers:
    =====================
    /usr/lib/security/$ISA/pkcs11_softtoken.so: \
         all mechanisms are enabled, random is enabled.
    Kernel providers:
    ==========================
    des: all mechanisms are enabled.
    aes: all mechanisms are enabled.
    arcfour: all mechanisms are enabled.
    blowfish: all mechanisms are enabled.
    camellia: all mechanisms are enabled.
    ecc: all mechanisms are enabled.
    sha1: all mechanisms are enabled.
    sha2: all mechanisms are enabled.
    sha3: all mechanisms are enabled.
    md5: all mechanisms are enabled.
    rsa: all mechanisms are enabled.
    swrand: random is enabled.
    n2rng/0: all mechanisms are enabled. random is enabled.
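Because policy, not the provider's mechanism list, decides what can actually be used, an administrator typically wants to check a policy listing for two things: providers whose policy excludes some mechanisms (or disables their random source), and legacy kernel providers such as des, arcfour and md5 that policy still permits. The following script is an added example and is not part of the Oracle manual or the cryptoadm tool; it parses a constructed sample of cryptoadm list -p output (modelled on the listings above) instead of running the command, and the set of providers it treats as legacy is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: inspect a `cryptoadm list -p`
# policy listing for disabled mechanisms and for legacy providers that are
# still permitted.

# Constructed sample of `cryptoadm list -p` output, modelled on the manual's
# listings. On a real system replace this with: POLICY="$(cryptoadm list -p)"
SAMPLE_POLICY='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB. random is disabled.
Kernel providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
n2rng/0: all mechanisms are enabled. random is enabled.'

# Kernel providers the example treats as legacy (an assumption of this
# example, not a list from the manual).
LEGACY='des arcfour md5 blowfish'

# disabled_mechanisms LISTING
# Prints "<provider> <comma-separated mechanisms>" for every provider line
# whose policy text contains an "except ..." clause.
disabled_mechanisms() {
    printf '%s\n' "$1" | awk -F': ' '
        /except/ {
            split($2, parts, "except ")
            sub(/\..*$/, "", parts[2])   # drop the trailing ". random ..." clause
            gsub(/ /, "", parts[2])      # tolerate "CKM_A, CKM_B" spacing
            print $1, parts[2]
        }'
}

# random_disabled LISTING
# Prints the name of each provider whose random source policy is disabled.
random_disabled() {
    printf '%s\n' "$1" | awk -F': ' '/random is disabled/ { print $1 }'
}

# legacy_enabled LISTING
# Prints each legacy kernel provider whose mechanisms are all still enabled.
legacy_enabled() {
    printf '%s\n' "$1" | awk -v legacy="$LEGACY" -F': ' '
        BEGIN { n = split(legacy, l, " "); for (i = 1; i <= n; i++) want[l[i]] = 1 }
        ($1 in want) && /all mechanisms are enabled/ { print $1 }'
}

echo "Providers with mechanisms disabled by policy:"
disabled_mechanisms "$SAMPLE_POLICY"
echo "Providers with random disabled by policy:"
random_disabled "$SAMPLE_POLICY"
echo "Legacy kernel providers still fully enabled:"
legacy_enabled "$SAMPLE_POLICY"
```

The parser keys on the phrasing shown in the manual's output ("all mechanisms are enabled, except ...", "random is disabled"); if a future release changes that wording, the awk patterns are the only lines that need adjusting.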

The following examples show additional specific uses of the cryptoadm list command.

Example 13  Listing Cryptographic Information of a Specific Provider

Specifying the provider in the cryptoadm command options limits the output to information that is applicable to that provider.

$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_CMC, CKM_DES_ECB,...random is disabled.

The following output shows that only the mechanisms have been enabled. The random generator continues to be disabled.

$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=all
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is disabled.

The following output shows that every feature and mechanism on the board has been enabled.

$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB. random is disabled.
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so all
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.

Example 14  Finding User-Level Cryptographic Mechanisms Only

In the following example, all mechanisms that the user-level library, pkcs11_softtoken, offers are listed.

$ cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_CAMELLIA_CBC
CKM_CAMELLIA_CBC_PAD
CKM_CAMELLIA_CTR
CKM_CAMELLIA_ECB
CKM_CAMELLIA_KEY_GEN
CKM_DES_CBC
…
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE

Example 15  Determining Which Cryptographic Mechanisms Perform Which Functions

Mechanisms perform specific cryptographic functions, such as signing or key generation. The -v -m options display every mechanism and its functions.

In this example, the administrator wants to determine the functions for which the CKM_ECDSA* mechanisms can be used.

$ cryptoadm list -vm
...

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Description: Sun Crypto Softtoken
Manufacturer: Oracle Corporation
PKCS#11 Version: 2.40
...
Mechanisms:
                                             E D     S   V   P       E E
                                             n e D   i V e K a   U D x C
                                             c c i   g e r e i   n e t
                                             r r g S + r + y r W w r e C
                                             y y e i R i R G G r r i n a
                                           H p p s g e f e e e a a v s p
Mechanism Name         Minimum    Maximum  W t t t n c y c n n p p e n s
---------------------- ------- ----------  - - - - - - - - - - - - - - -
...
CKM_ECDSA_SHA1             112        571  . . . . X . X . . . . . . . .
CKM_ECDH1_DERIVE           112        571  . . . . . . . . . . . . X . .
...
Kernel providers:
=================
...
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
...

Each item in an entry represents a piece of information about the mechanism. For these ECC mechanisms, the listing indicates the following:

  • Minimum length – 112 bytes

  • Maximum length – 571 bytes

  • Hardware – Is or is not available on hardware.

  • Encrypt – Is not used to encrypt data.

  • Decrypt – Is not used to decrypt data.

  • Digest – Is not used to create message digests.

  • Sign – Is used to sign data.

  • Sign + Recover – Is not used to sign data, where the data can be recovered from the signature.

  • Verify – Is used to verify signed data.

  • Verify + Recover – Is not used to verify data that can be recovered from the signature.

  • Key generation – Is not used to generate a private key.

  • Pair generation – Is not used to generate a key pair.

  • Wrap – Is not used to wrap, that is, encrypt, an existing key.

  • Unwrap – Is not used to unwrap a wrapped key.

  • Derive – Is not used to derive a new key from a base key.

  • EC Caps – EC capabilities not covered by the previous items; none are present.
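Reading the flag columns by hand is error-prone because the column labels are printed vertically. The following script is an added example and is not part of the Oracle manual or the cryptoadm tool: it decodes the flag columns of a cryptoadm list -vm mechanism table into function names, using a constructed excerpt of the table rather than a live run. The column labels are transcribed from the vertical header shown in Example 15 (the fourteenth column, which the list above does not describe, is kept under its header letters "Extensn"), and the CKM_AES_CBC row is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: decode the single-character
# flag columns of a `cryptoadm list -vm` table into the functions each
# mechanism supports.

# Flag column labels in header order, transcribed from the vertical header
# in Example 15. Fields 1-3 of a row are the name, minimum and maximum, so
# flag column k is awk field k+3.
COLUMNS='HW Encrypt Decrypt Digest Sign Sig+Rec Verify Ver+Rec KeyGen PairGen Wrap Unwrap Derive Extensn ECCaps'

# Constructed excerpt of the table. The ECC rows copy the manual's output;
# the CKM_AES_CBC row is made up for illustration.
# On a real system use: TABLE="$(cryptoadm list -vm)"
SAMPLE_TABLE='CKM_ECDSA_SHA1             112        571  . . . . X . X . . . . . . . .
CKM_ECDH1_DERIVE           112        571  . . . . . . . . . . . . X . .
CKM_AES_CBC                 16         32  . X X . . . . . . . X X . . .'

# mechanism_functions TABLE NAME
# Prints the space-separated labels of every column flagged X for NAME.
mechanism_functions() {
    printf '%s\n' "$1" | awk -v name="$2" -v cols="$COLUMNS" '
        BEGIN { split(cols, label, " ") }
        $1 == name {
            out = ""
            for (i = 4; i <= NF; i++)
                if ($i == "X") out = out (out == "" ? "" : " ") label[i - 3]
            print out
        }'
}

# key_size_range TABLE NAME
# Prints "<minimum> <maximum>" for NAME, as listed in the table.
key_size_range() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2, $3 }'
}

# mechanisms_with TABLE LABEL
# Prints every mechanism whose column LABEL (for example Sign) is flagged X.
mechanisms_with() {
    printf '%s\n' "$1" | awk -v want="$2" -v cols="$COLUMNS" '
        BEGIN {
            n = split(cols, label, " ")
            for (i = 1; i <= n; i++) if (label[i] == want) col = i + 3
        }
        col && $col == "X" { print $1 }'
}

for m in CKM_ECDSA_SHA1 CKM_ECDH1_DERIVE CKM_AES_CBC; do
    echo "$m: $(mechanism_functions "$SAMPLE_TABLE" "$m") (range $(key_size_range "$SAMPLE_TABLE" "$m"))"
done
echo "Mechanisms that can Sign:"
mechanisms_with "$SAMPLE_TABLE" Sign
```

Run against the real command's output, mechanisms_with is the quickest way to answer the question in Example 15 in reverse: given a function (Sign, Derive, KeyGen), which mechanisms does the provider offer for it.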