1 Changes in This Release
This Oracle Key Vault release introduces new features that enhance the use of the Oracle Key Vault Client SDK.
- Changes for Oracle Key Vault Client SDK Release 21.6
  Oracle Key Vault Client SDK release 21.6 introduces several new features.
- Changes for Oracle Key Vault Client SDK Release 21.5
  Oracle Key Vault Client SDK release 21.5 introduces no new features.
- Changes for Oracle Key Vault Client SDK Release 21.4
  Oracle Key Vault Client SDK release 21.4 introduces several new features.
- Changes for Oracle Key Vault Client SDK Release 21.3
  Oracle Key Vault Client SDK release 21.3 introduces no new features.
- Changes for Oracle Key Vault Client SDK Release 21.2
  Oracle Key Vault Client SDK release 21.2 introduces several new features.
1.1 Changes for Oracle Key Vault Client SDK Release 21.6
Oracle Key Vault Client SDK release 21.6 introduces several new features.
- Support for Sign and Signature Verify Operations
  Starting with release 21.6, the Oracle Key Vault C and Java SDKs provide Sign and Verify capability.
- Ability to Control the Extraction of Private Keys from Oracle Key Vault
  Starting in Oracle Key Vault release 21.6, to strengthen the protection of private keys, you can now restrict these keys from leaving Oracle Key Vault.
1.1.1 Support for Sign and Signature Verify Operations
Starting with release 21.6, the Oracle Key Vault C and Java SDKs provide Sign and Verify capability.
You can use RESTful services utility commands, okvutil, or the C and Java SDKs to perform sign and signature verify operations.
C SDK APIs
- KMIP cryptographic operations are as follows:
  - okvSign
  - okvSignVerify
- Cryptographic utility operations are as follows:
  - okvCryptoContextGetCryptoAlgo
  - okvCryptoContextGetHashingAlgo
  - okvCryptoContextGetDigitalSignAlgo
  - okvCryptoContextSetHashingAlgo
  - okvCryptoContextSetCryptoAlgo
  - okvCryptoContextSetDigitalSignAlgo
  - okvCryptoResponseGetSignatureData
  - okvCryptoResponseGetRecoveredData
  - okvCryptoResponseGetValidity
  - okvSignResponseCreate
  - okvSignVerifyResponseCreate
  - okvSignResponseFree
  - okvSignVerifyResponseFree
Java SDK APIs
- KMIP cryptographic operations are as follows:
  - okvSign
  - okvSignVerify
- Cryptographic utility operations are as follows:
  - getCryptoAlgo
  - getHashingAlgo
  - getDigitalSignAlgo
  - setCryptoAlgo
  - setHashingAlgo
  - setDigitalSignAlgo
  - getSignatureData
  - getRecoveredData
  - getValidity
1.1.2 Ability to Control the Extraction of Private Keys from Oracle Key Vault
Starting in Oracle Key Vault release 21.6, to strengthen the protection of private keys, you can now restrict these keys from leaving Oracle Key Vault.
This restriction applies to the key material of the private keys, but not to their metadata. If your site requires that private keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the Sign operation can be leveraged to use these keys without them ever leaving Oracle Key Vault itself.
You can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and Java SDK APIs to control the retrieval (extraction) of private keys from Oracle Key Vault.
1.2 Changes for Oracle Key Vault Client SDK Release 21.5
Oracle Key Vault Client SDK release 21.5 introduces no new features.
1.3 Changes for Oracle Key Vault Client SDK Release 21.4
Oracle Key Vault Client SDK release 21.4 introduces several new features.
- C and Java SDK APIs for Cryptographic Operations
  Oracle Key Vault Client SDK release 21.4 adds support for cryptographic operations.
- Client Endpoint File Updated When A KMIP Server Operation Is Executed Using SDK
  The client endpoint file okvclient.ora is now updated when a KMIP server operation is executed using the SDK.
- Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault
  Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you now can restrict these keys from leaving Oracle Key Vault.
1.3.1 C and Java SDK APIs for Cryptographic Operations
Oracle Key Vault Client SDK release 21.4 adds support for cryptographic operations.
Oracle Key Vault release 21.4 adds support for performing encryption and decryption cryptographic operations within Oracle Key Vault.
You can use either RESTful services utility commands or the C and Java SDKs to perform encryption and decryption operations.
C SDK APIs
- KMIP cryptographic operations are as follows:
  - okvDecrypt
  - okvEncrypt
- Attribute operations are as follows:
  - okvAttrAddExtractable
  - okvAttrAddNeverExtractable
  - okvAttrGetExtractable
  - okvAttrGetNeverExtractable
- Cryptographic utility operations are as follows:
  - okvCryptoContextCreate
  - okvCryptoContextFree
  - okvCryptoContextGetAuthEncryptionAdditionalData
  - okvCryptoContextGetAuthEncryptionTag
  - okvCryptoContextGetBlockCipherMode
  - okvCryptoContextGetIV
  - okvCryptoContextGetPadding
  - okvCryptoContextGetRandomIV
  - okvCryptoContextSetAuthEncryptionAdditionalData
  - okvCryptoContextSetAuthEncryptionTag
  - okvCryptoContextSetBlockCipherMode
  - okvCryptoContextSetIV
  - okvCryptoContextSetPadding
  - okvCryptoContextSetRandomIV
  - okvCryptoResponseGetAuthEncryptionTag
  - okvCryptoResponseGetDecryptedData
  - okvCryptoResponseGetEncryptedData
  - okvCryptoResponseGetIV
  - okvDecryptResponseCreate
  - okvDecryptResponseFree
  - okvEncryptResponseCreate
  - okvEncryptResponseFree
Java SDK APIs
- KMIP cryptographic operations are as follows:
  - okvDecrypt
  - okvEncrypt
- Attribute operations are as follows:
  - okvAttrAddExtractable
  - okvAttrAddNeverExtractable
  - okvAttrGetExtractable
  - okvAttrGetNeverExtractable
- Cryptographic utility operations are as follows:
  - okvCryptoContextCreate
1.3.2 Client Endpoint File Updated When A KMIP Server Operation Is Executed Using SDK
The client endpoint file okvclient.ora is now updated when a KMIP server operation is executed using the SDK.
Prior to Oracle Key Vault release 21.4, the client endpoint file okvclient.ora was not updated whenever a KMIP server operation was performed using the SDK. Now, the client endpoint file okvclient.ora will be updated if there are any new endpoint updates whenever a KMIP server operation is performed using the Oracle Key Vault client SDK.
1.3.3 Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault
Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you now can restrict these keys from leaving Oracle Key Vault.
This restriction applies to the key material of the symmetric keys, but not to their metadata. For example, Transparent Database Encryption (TDE) master encryption keys are stored in Oracle Key Vault. When an endpoint needs to decrypt the key, the PKCS#11 library fetches the TDE master encryption key from Oracle Key Vault to perform the decryption. If your site requires that symmetric keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the PKCS#11 library will send the encrypted data encryption key to Oracle Key Vault. Decryption is then performed within Oracle Key Vault and afterward, the plaintext data encryption key is returned to the PKCS#11 library. The Oracle Key Vault PKCS#11 library performs the encryption and decryption operation within Oracle Key Vault if the TDE master key is restricted from leaving Oracle Key Vault, or if it cannot be extracted from Oracle Key Vault.
To control whether symmetric encryption keys can be retrieved (extracted) from Oracle Key Vault, you can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and Java SDK APIs.
New APIs for the C SDK to manage the extractable attribute:
- okvAttrAddExtractable
- okvAttrAddNeverExtractable
- okvAttrGetExtractable
- okvAttrGetNeverExtractable
New APIs for the Java SDK to manage the extractable attribute:
- okvAttrAddExtractable
- okvAttrAddNeverExtractable
- okvAttrGetExtractable
- okvAttrGetNeverExtractable
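The two decryption paths described in this section, as an added model that is not Oracle's SDK or API: `ModelVault`, `unwrap_dek` and the key names are hypothetical, and the SHA-256 keystream is a stand-in for a real cipher so the sketch runs with the standard library only.

```python
import hashlib
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); NOT real cryptography,
    used only so the model runs offline with the standard library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ExtractionDenied(Exception):
    pass

class ModelVault:
    """Hypothetical in-memory model of the server side, not the Oracle Key Vault API."""
    def __init__(self):
        self._keys = {}  # uid -> (key material, extractable flag)
    def register(self, uid: str, extractable: bool) -> None:
        self._keys[uid] = (os.urandom(32), extractable)
    def attributes(self, uid: str) -> dict:
        # Metadata stays readable even when the key material is restricted.
        return {"uid": uid, "extractable": self._keys[uid][1]}
    def get_key(self, uid: str) -> bytes:
        material, extractable = self._keys[uid]
        if not extractable:
            raise ExtractionDenied(uid)
        return material
    def crypt(self, uid: str, nonce: bytes, data: bytes) -> bytes:
        # Encrypt/decrypt inside the vault; the key material is never returned.
        return _xor_stream(self._keys[uid][0], nonce, data)

def unwrap_dek(vault: ModelVault, uid: str, nonce: bytes, wrapped: bytes):
    """Client side, in the role of the PKCS#11 library."""
    try:
        master = vault.get_key(uid)  # extractable: fetch the key, decrypt locally
    except ExtractionDenied:
        # restricted: send the wrapped DEK, receive the plaintext DEK
        return vault.crypt(uid, nonce, wrapped), "in-vault"
    return _xor_stream(master, nonce, wrapped), "local"

def demo() -> dict:
    vault, dek, nonce, result = ModelVault(), os.urandom(32), os.urandom(16), {}
    for uid, extractable in (("mek-extractable", True), ("mek-restricted", False)):
        vault.register(uid, extractable)
        wrapped = vault.crypt(uid, nonce, dek)  # constructed sample: wrapped DEK
        plain, where = unwrap_dek(vault, uid, nonce, wrapped)
        result[uid] = (plain == dek, where)
    return result
```

In the restricted case the plaintext data encryption key still reaches the client; only the master key material stays in the vault.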
1.4 Changes for Oracle Key Vault Client SDK Release 21.3
Oracle Key Vault Client SDK release 21.3 introduces no new features.
1.5 Changes for Oracle Key Vault Client SDK Release 21.2
Oracle Key Vault Client SDK release 21.2 introduces several new features.
- New C and Java SDK APIs for Certificates, Certificate Requests, Private Keys, and Public Keys
  In Oracle Key Vault release 21.2, new APIs enable you to perform operations such as registering and fetching objects, and adding attributes to those objects (for example, length, type, ID, subject, issuer, and algorithm).
1.5.1 New C and Java SDK APIs for Certificates, Certificate Requests, Private Keys, and Public Keys
In Oracle Key Vault release 21.2, new APIs enable you to perform operations such as registering and fetching objects, and adding attributes to those objects (for example, length, type, ID, subject, issuer, and algorithm).
C SDK APIs
Registration and fetch operations are as follows:
- okvGetCertificate
- okvGetCertificateRequest
- okvGetPrivateKey
- okvGetPublicKey
- okvRegCertificate
- okvRegCertificateRequest
- okvRegPrivateKey
- okvRegPublicKey
Attribute operations are as follows:
- okvAttrAddCertLen
- okvAttrAddCertType
- okvAttrAddDigitalSignAlgo
- okvAttrAddX509CertId
- okvAttrAddX509CertIss
- okvAttrAddX509CertIssAltName
- okvAttrAddX509CertSubj
- okvAttrAddX509CertSubjAltName
- okvAttrGetCertLen
- okvAttrGetCertType
- okvAttrGetDigitalSignAlgo
- okvAttrGetX509CertId
- okvAttrGetX509CertIdIssuerLen
- okvAttrGetX509CertIdSerialNoLen
- okvAttrGetX509CertIss
- okvAttrGetX509CertIssAltName
- okvAttrGetX509CertIssAltNameLen
- okvAttrGetX509CertIssDNLen
- okvAttrGetX509CertSubj
- okvAttrGetX509CertSubjAltName
- okvAttrGetX509CertSubjAltNameLen
- okvAttrGetX509CertSubjDNLen
Java SDK APIs
Registration and fetch operations are as follows:
- okvGetCertificate
- okvGetCertificateRequest
- okvGetPrivateKey
- okvGetPublicKey
- okvRegCertificate
- okvRegCertificateRequest
- okvRegPrivateKey
- okvRegPublicKey
Attribute operations are as follows:
- okvAttrAddArchiveDate
- okvAttrAddCertLen
- okvAttrAddCertType
- okvAttrAddDigitalSignAlgo
- okvAttrAddInitialDate
- okvAttrAddLastChangeDate
- okvAttrAddState
- okvAttrAddX509CertId
- okvAttrAddX509CertIss
- okvAttrAddX509CertIssAltName
- okvAttrAddX509CertSubj
- okvAttrAddX509CertSubjAltName
- okvAttrGetCertLen
- okvAttrGetCertType
- okvAttrGetDigitalSignAlgo
- okvAttrGetX509CertId
- okvAttrGetX509CertIss
- okvAttrGetX509CertIssAltName
- okvAttrGetX509CertSubj
- okvAttrGetX509CertSubjAltName