1 Changes in This Release

This Oracle Key Vault release introduces new features that enhance the use of the Oracle Key Vault Client SDK.

1.1 Changes for Oracle Key Vault Client SDK Release 21.6

Oracle Key Vault Client SDK release 21.6 introduces several new features.

1.1.1 Support for Sign and Signature Verify Operations

Starting with release 21.6, the Oracle Key Vault C and Java SDKs provide Sign and Signature Verify capability.

You can use RESTful services utility commands, okvutil, or the C and Java SDKs to perform sign and signature verify operations.

C SDK APIs

  • KMIP cryptographic operations are as follows:
    • okvSign
    • okvSignVerify
  • Cryptographic utility operations are as follows:
    • okvCryptoContextGetCryptoAlgo
    • okvCryptoContextGetHashingAlgo
    • okvCryptoContextGetDigitalSignAlgo
    • okvCryptoContextSetHashingAlgo
    • okvCryptoContextSetCryptoAlgo
    • okvCryptoContextSetDigitalSignAlgo
    • okvCryptoResponseGetSignatureData
    • okvCryptoResponseGetRecoveredData
    • okvCryptoResponseGetValidity
    • okvSignResponseCreate
    • okvSignVerifyResponseCreate
    • okvSignResponseFree
    • okvSignVerifyResponseFree

Java SDK APIs

  • KMIP cryptographic operations are as follows:
    • okvSign
    • okvSignVerify
  • Cryptographic utility operations are as follows:
    • getCryptoAlgo
    • getHashingAlgo
    • getDigitalSignAlgo
    • setCryptoAlgo
    • setHashingAlgo
    • setDigitalSignAlgo
    • getSignatureData
    • getRecoveredData
    • getValidity

1.1.2 Ability to Control the Extraction of Private Keys from Oracle Key Vault

Starting in Oracle Key Vault release 21.6, to strengthen the protection of private keys, you can now restrict these keys from leaving Oracle Key Vault.

This restriction applies to the key material of the private keys, but not to their metadata. If your site requires that private keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the Sign operation can be used with these keys without the key material ever leaving Oracle Key Vault.

You can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and the Java SDK APIs to control the retrieval (extraction) of private keys from Oracle Key Vault.

1.2 Changes for Oracle Key Vault Client SDK Release 21.5

Oracle Key Vault Client SDK release 21.5 introduces no new features.

1.3 Changes for Oracle Key Vault Client SDK Release 21.4

Oracle Key Vault Client SDK release 21.4 introduces several new features.

1.3.1 C and Java SDK APIs for Cryptographic Operations

Oracle Key Vault Client SDK release 21.4 adds support for cryptographic operations.

Oracle Key Vault release 21.4 adds support for performing encryption and decryption operations within Oracle Key Vault.

You can use either RESTful services utility commands or the C and Java SDKs to perform encryption and decryption operations.

C SDK APIs

  • KMIP cryptographic operations are as follows:
    • okvDecrypt
    • okvEncrypt
  • Attribute operations are as follows:
    • okvAttrAddExtractable
    • okvAttrAddNeverExtractable
    • okvAttrGetExtractable
    • okvAttrGetNeverExtractable
  • Cryptographic utility operations are as follows:
    • okvCryptoContextCreate
    • okvCryptoContextFree
    • okvCryptoContextGetAuthEncryptionAdditionalData
    • okvCryptoContextGetAuthEncryptionTag
    • okvCryptoContextGetBlockCipherMode
    • okvCryptoContextGetIV
    • okvCryptoContextGetPadding
    • okvCryptoContextGetRandomIV
    • okvCryptoContextSetAuthEncryptionAdditionalData
    • okvCryptoContextSetAuthEncryptionTag
    • okvCryptoContextSetBlockCipherMode
    • okvCryptoContextSetIV
    • okvCryptoContextSetPadding
    • okvCryptoContextSetRandomIV
    • okvCryptoResponseGetAuthEncryptionTag
    • okvCryptoResponseGetDecryptedData
    • okvCryptoResponseGetEncryptedData
    • okvCryptoResponseGetIV
    • okvDecryptResponseCreate
    • okvDecryptResponseFree
    • okvEncryptResponseCreate
    • okvEncryptResponseFree

Java SDK APIs

  • KMIP cryptographic operations are as follows:
    • okvDecrypt
    • okvEncrypt
  • Attribute operations are as follows:
    • okvAttrAddExtractable
    • okvAttrAddNeverExtractable
    • okvAttrGetExtractable
    • okvAttrGetNeverExtractable
  • Cryptographic utility operations are as follows:
    • okvCryptoContextCreate

1.3.2 Client Endpoint File Updated When a KMIP Server Operation Is Executed Using the SDK

The client endpoint file okvclient.ora is now updated when a KMIP server operation is executed using the SDK.

Prior to Oracle Key Vault release 21.4, the client endpoint file okvclient.ora was not updated when a KMIP server operation was performed using the SDK. Starting with release 21.4, the client endpoint file okvclient.ora is updated with any new endpoint settings whenever a KMIP server operation is performed using the Oracle Key Vault client SDK.

1.3.3 Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault

Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric encryption keys, you can now restrict these keys from leaving Oracle Key Vault.

This restriction applies to the key material of the symmetric keys, but not to their metadata. For example, Transparent Data Encryption (TDE) master encryption keys are stored in Oracle Key Vault. When an endpoint needs to decrypt a data encryption key, the PKCS#11 library normally fetches the TDE master encryption key from Oracle Key Vault and performs the decryption on the endpoint. If your site requires that symmetric keys never leave Oracle Key Vault, then you can configure these keys to remain within Oracle Key Vault during operations. In this case, the PKCS#11 library sends the encrypted data encryption key to Oracle Key Vault; decryption is performed within Oracle Key Vault, and the plaintext data encryption key is then returned to the PKCS#11 library. The Oracle Key Vault PKCS#11 library performs the encryption and decryption operations within Oracle Key Vault whenever the TDE master encryption key is restricted from leaving Oracle Key Vault, or whenever it otherwise cannot be extracted from Oracle Key Vault.

To control whether symmetric encryption keys can be retrieved (extracted) from Oracle Key Vault, you can use the Oracle Key Vault management console, RESTful services utility commands, the C SDK APIs, and the Java SDK APIs.

New C SDK APIs for managing the extractable attributes:

  • okvAttrAddExtractable
  • okvAttrAddNeverExtractable
  • okvAttrGetExtractable
  • okvAttrGetNeverExtractable

New Java SDK APIs for managing the extractable attributes:

  • okvAttrAddExtractable
  • okvAttrAddNeverExtractable
  • okvAttrGetExtractable
  • okvAttrGetNeverExtractable

1.4 Changes for Oracle Key Vault Client SDK Release 21.3

Oracle Key Vault Client SDK release 21.3 introduces no new features.

1.5 Changes for Oracle Key Vault Client SDK Release 21.2

Oracle Key Vault Client SDK release 21.2 introduces several new features.

1.5.1 New C and Java SDK APIs for Certificates, Certificate Requests, Private Keys, and Public Keys

In Oracle Key Vault release 21.2, new APIs enable you to register and fetch certificates, certificate requests, private keys, and public keys, and to add attributes to those objects (for example, length, type, ID, subject, issuer, and algorithm).

C SDK APIs

  • Registration and fetch operations are as follows:
    • okvGetCertificate
    • okvGetCertificateRequest
    • okvGetPrivateKey
    • okvGetPublicKey
    • okvRegCertificate
    • okvRegCertificateRequest
    • okvRegPrivateKey
    • okvRegPublicKey
  • Attribute operations are as follows:
    • okvAttrAddCertLen
    • okvAttrAddCertType
    • okvAttrAddDigitalSignAlgo
    • okvAttrAddX509CertId
    • okvAttrAddX509CertIss
    • okvAttrAddX509CertIssAltName
    • okvAttrAddX509CertSubj
    • okvAttrAddX509CertSubjAltName
    • okvAttrGetCertLen
    • okvAttrGetCertType
    • okvAttrGetDigitalSignAlgo
    • okvAttrGetX509CertId
    • okvAttrGetX509CertIdIssuerLen
    • okvAttrGetX509CertIdSerialNoLen
    • okvAttrGetX509CertIss
    • okvAttrGetX509CertIssAltName
    • okvAttrGetX509CertIssAltNameLen
    • okvAttrGetX509CertIssDNLen
    • okvAttrGetX509CertSubj
    • okvAttrGetX509CertSubjAltName
    • okvAttrGetX509CertSubjAltNameLen
    • okvAttrGetX509CertSubjDNLen

Java SDK APIs

  • Registration and fetch operations are as follows:
    • okvGetCertificate
    • okvGetCertificateRequest
    • okvGetPrivateKey
    • okvGetPublicKey
    • okvRegCertificate
    • okvRegCertificateRequest
    • okvRegPrivateKey
    • okvRegPublicKey
  • Attribute operations are as follows:
    • okvAttrAddArchiveDate
    • okvAttrAddCertLen
    • okvAttrAddCertType
    • okvAttrAddDigitalSignAlgo
    • okvAttrAddInitialDate
    • okvAttrAddLastChangeDate
    • okvAttrAddState
    • okvAttrAddX509CertId
    • okvAttrAddX509CertIss
    • okvAttrAddX509CertIssAltName
    • okvAttrAddX509CertSubj
    • okvAttrAddX509CertSubjAltName
    • okvAttrGetCertLen
    • okvAttrGetCertType
    • okvAttrGetDigitalSignAlgo
    • okvAttrGetX509CertId
    • okvAttrGetX509CertIss
    • okvAttrGetX509CertIssAltName
    • okvAttrGetX509CertSubj
    • okvAttrGetX509CertSubjAltName