JAVA Toolkit




Changes

  • Version 1.4

    Release Date: 04 March 2013

    Fixes and enhancements

  • Version 1.3

    Release Date: 03 November 2011

    Fixes, enhancements, meets v2.20 of the PKCS#11 Standard

  • Version 1.2.6

    Release Date: 28 January 2009

    Enhancements and signed with new certificate.

  • Version 1.2.5

    Release Date: 21 July 2008

    Fixes and enhancements.

  • Version 1.2.4

    Release Date: 6 March 2007

    Update of included IAIK-JCE.

  • Version 1.2.3

    Release Date: 19 December 2006

    Fixes and enhancements.

  • Version 1.2.2

    Release Date: 19 April 2006

    Fixes.

  • Version 1.2.1

    Release Date: 22 February 2006

    Fixes and minor enhancements.

  • Version 1.2

    Release Date: 27 June 2005

    Fixes and major enhancements; e.g. transparent and automatic key import.

  • Version 1.1.9

    Release Date: 3 January 2005

    Fixes and minor enhancements.

  • Version 1.1.8

    Release Date: 5 October 2004

    Fixes and minor enhancements.

  • Version 1.1.7

    Release Date: 10 December 2003

    Fixes and minor enhancements.

  • Version 1.1.6

    Release Date: 3 September 2003

    Fixes and minor enhancements.

  • Version 1.1.5

    Release Date: 7 July 2003

    Fixes and minor enhancements.

  • Version 1.1.4

    Release Date: 6 June 2003

    Fixed a bug in hash engine. Several other fixes and minor enhancements.

  • Version 1.1.3

    Release Date: 4 June 2003

    Keystore now uses sessions only during keystore operations. Several other fixes and minor enhancements.

  • Version 1.1.2

    Release Date: 16 April 2003

    Added support for PIN change. Several other fixes and minor enhancements.

  • Version 1.1.1

    Release Date: 31 January 2003

    Enhancements in PKCS#11 session handling and PIN handling via key store. Several other enhancements.

  • Version 1.1

    Release Date: 18 December 2002

    Several enhancements.

  • Version 1.0

    Release Date: 23 September 2002

    Fixes and minor enhancements.

  • Version 1.0 Beta 3

    Release Date: 2 September 2002

    Fixes and minor enhancements.

  • Version 1.0 Beta 2

    Release Date: 1 August 2002

    New features, more demos.

  • Version 1.0 Beta 1

    Release Date: 19 July 2002

    First public release.

Version 1.0 Beta 2

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

demo.pkcs.pkcs11.provider.RSASigningApplet

NF

An applet demo that shows how to sign with a smart card inside an applet.

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the isasilk-demo directory shows how to use smart cards for SSL and TLS client authentication using IAIK-SSL (alias iSaSiLk).

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the jsse_jdk14-demo directory shows how to use smart cards for SSL and TLS client authentication using SUN's JSSE version of JDK 1.4.

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the jsse-demo directory shows how to use smart cards for SSL and TLS client authentication using SUN's JSSE version 1.0.3 (domestic) with the IAIK JSSE provider and IAIK-SSL with JDK 1.3.

demo.pkcs.pkcs11.provider.ImportPKCS12

NF

This demo allows private keys and certificates to be imported easily from PKCS#12 (*.p12, *.pfx) files into smart cards and other PKCS#11 tokens.

Version 1.0 Beta 3

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added method insertProviderAtForJDK14 that implements a workaround for a JDK 1.4.x bug that prevents installing a JCE provider that implements SHA-1, MD5 or X.509 certificate factories as first provider.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

B

Modified method engineGetKeySize(Key) to work with software keys also, not just with keys of this PKCS#11 provider.

iaik.pkcs.pkcs11.provider.TokenManager

B

Fixed token manager to be able to handle tokens with multiple logical slots. Now it is possible to create two provider instances with the same properties file, if these properties do not specify a slot explicitly and the library provides more than one slot.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Introduced a global property to enable and disable the software delegation feature.

iaik.pkcs.pkcs11.provider.IAIKPkcs11MultipleInstance.properties

C

Changed the name to iaik/pkcs/pkcs11/provider/IAIKPkcs11Global.properties and introduced the software delegate enable/disable flag.

iaik.pkcs.pkcs11.provider.random.PKCS11RandomSpi

C

Now uses a software delegate, if the current token does not support random number generation.

iaik.pkcs.pkcs11.provider.random.PKCS11SeededRandomSpi

NF

Introduced this new random implementation that only uses the token for seed operations but uses the software delegation for generating random bytes. This will improve performance in many cases.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed bug that caused property LOGIN_KEYSTORE_SESSION_ON_DEMAND to be read incorrectly.

Version 1.0

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.apps.util.passphrase

NF

Added an alternative implementation of a PIN-dialog - PassphraseFrameDialog.

This uses a Frame rather than a Dialog, thus it is also visible in the taskbar.

iaik.apps.util.passphrase.PassphraseDialog

C

Modified PassphraseDialog to act as a pure JDialog without a frame. The dummy frame caused trouble on some platforms.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

C

Changed default for property LOGIN_KEYSTORE_SESSION_ON_DEMAND to false.

iaik.apps.util.passphrase.PassphrasePrompt

C

Added a new method setProtectedResourceInfo(). The current implementation passes a TokenInfo to this method before prompting for a PIN. This allows the dialog to display detailed information about the token for which the user must enter a PIN.

 

B

Fixed several mistakes in the JavaDoc.

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1DsaSignature

B

Fixed constructor.

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1EcdsaSignature

B

Fixed constructor.

 

NF

Added an algorithm autodetect feature. If enabled, the provider will check whether a certain requested algorithm is supported by the current token before reporting it to the JCE.

Version 1.1

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Improved alias handling and key import.

Aliases now map to object labels one-to-one if possible.

Aliases provided when setting new key or certificate entries now use the provided alias as given.

The new objects get the alias as their PKCS#11 object label.

When setting new private key entries with a user certificate, the keystore checks the mechanisms supported by the token and the key-usage flags in the user certificate. Using this information, it sets the private key attributes appropriately.

Moreover, the key store now handles certificate chains for private key entries.

The key store tries to construct a certificate chain when reading the certificates from the token.

iaik.pkcs.pkcs11.provider.hashes

NF

Added software delegation support for all hashes.

iaik.pkcs.pkcs11.provider.DelegateProvider

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added an advanced software delegation system.

The application can set its own handler for getting software delegation engines.

iaik.pkcs.pkcs11.provider.random.PKCS11RandomNoSetSeedSpi

NF

Added random implementation that does not set any seed. Useful for tokens that do not support external seeding, but can generate random data nevertheless.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

C

Changed SECONDARY_PROVIDER to KEY_STORE_SUPPORT_PROVIDER, because it is just used in the keystore.

Other classes use the new advanced delegation provider mechanism.

Added DELEGATE_PROVIDER to configure a handler that provides software delegate implementations.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added ALGORITHM_PROPERTIES entry to allow a separate algorithm list for each provider instance.

iaik.pkcs.pkcs11.provider.keyfactories

NF

Added software delegation support for all key factories.

iaik.pkcs.pkcs11.provider.IAIKPkcs11#insertProviderAtForJDK14(Provider, int)

B

Improved implementation to work in more JDKs that have the provider registration bug.

iaik.pkcs.pkcs11.provider.ciphers

iaik.pkcs.pkcs11.provider.hashes

iaik.pkcs.pkcs11.provider.signatures

iaik.pkcs.pkcs11.provider.macs

B

Fixed engine classes to be reusable after final-operation.

iaik.apps.util.passphrase

NF

Added the class PassphraseHolder that makes passing the user-PIN from the application easier.

Added the class PassphraseConsoleDialog that prompts the PIN from the console.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed a problem with case-insensitivity of algorithm names.

Version 1.1.1

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Changed key-usage handling for import of new keys. Now the key-usage keyEncipherment in the user certificate also sets the Decrypt flag in the new PKCS#11 key object.

iaik.pkcs.pkcs11.provider.key.IAIKPKCS11Key

NF

Added constants for key type names that can be used for the unwrapping functionality of the PKCS11Cipher class (see other change).

iaik.pkcs.pkcs11.provider.cipher.PKCS11Cipher

B

Improved the unwrapping functionality to handle the key type parameter correctly.

iaik.pkcs.pkcs11.provider.cipher.RSACipher

B

Fixed a bug in the initialization. This bug occurred in some JSSE samples.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

If the application provides a password (or PIN) when calling the load(InputStream, char[]) method, the keystore will use this to do a user-login; it will not prompt for the password or PIN using its own dialog.

iaik.pkcs.pkcs11.provider.TokenManager

all engine classes

NF

Improved handling of PKCS#11 sessions. Sessions are cached in the TokenManager. The engine classes give back sessions to the TokenManager if they do not use them currently. This can lower the number of open PKCS#11 sessions dramatically.

Version 1.1.2

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.key.IAIKPKCS11PublicKey

iaik.pkcs.pkcs11.provider.key.IAIKPKCS11PrivateKey

B

Fixed a type cast that may lead to an endless loop when compiled with certain compilers.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed a problem in the JDK 1.4 bug workaround method insertProviderAtForJDK14().

iaik.pkcs.pkcs11.provider.keyfactories.DsaKeyFactory

B

Fixed a bug in the method for private key generation.

iaik.pkcs.pkcs11.provider.keyfactories.EcDsaKeyFactory

NF

New factory to create PKCS#11 ECDSA keys from X.509 encoded public keys and PKCS#8 encoded private keys, which use ANSI X9.62 encoding internally.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

The store-method changes the user PIN of the token.

iaik.pkcs.pkcs11.provider.TokenManager

all engine classes

NF

Using the protected authentication path for PIN entry can now be disabled using the provider properties.

iaik.apps.util.passphrase

NF

Added interface NewPassphrasePrompt, class NewPassphraseDialog and class NewPassphraseHolder for changing the PIN.

Added the class NewPassphraseConsoleDialog that prompts the new PIN from the console.

iaik.pkcs.pkcs11.provider.signatures.DsaSignature

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1DsaSignature

iaik.pkcs.pkcs11.provider.signatures.InternalSha1DsaSignature

iaik.pkcs.pkcs11.provider.signatures.EcDsaSignature

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1EcDsaSignature

iaik.pkcs.pkcs11.provider.signatures.InternalSha1EcDsaSignature

B

Fixed bug of wrong encoding of signature value.

iaik.pkcs.pkcs11.provider.IAIKPkcs112

iaik.pkcs.pkcs11.provider.IAIKPkcs113

iaik.pkcs.pkcs11.provider.IAIKPkcs114

NF

Added these subclasses of IAIKPkcs11 provider. They can be used in situations where each provider must be of a different class name.

This can be used for a static configuration of providers with VM 1.4.x, which do not accept the same provider class to be registered more than once.

iaik.pkcs.pkcs11.provider.LoginManager

iaik.pkcs.pkcs11.provider.DefaultLoginManager

iaik.pkcs.pkcs11.provider.IAIKPkcs11

C/NF

Introduced new interface LoginManager to separate login, PIN change and logout from provider core.

This allows users to easily implement their own login and PIN management handlers.

All user dialog related functionality has been moved to DefaultLoginManager. This includes configured PIN dialogs and prompt messages.

As a consequence, the provider itself no longer includes any language-specific stuff. This is all in the (easily replaceable) login manager.

If you have used custom settings for login related stuff, you can use the same properties file entries in the new file called iaik/pkcs/pkcs11/provider/DefaultLoginManager.properties. If you used the API, you can find the same methods now in the DefaultLoginManager class as before in the provider itself.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added MODULE_INITIALIZATION_PARAMETERS entry to allow passing parameters to the PKCS#11 module during initialization.

This can be used to access the crypto module of Mozilla and Netscape and use the private keys and certificates.

iaik.pkcs.pkcs11.provider.keyfactories.RSAKeyFactory

iaik.pkcs.pkcs11.provider.keyfactories.DSAKeyFactory

iaik.pkcs.pkcs11.provider.keyfactories.ECDSAKeyFactory

iaik.pkcs.pkcs11.provider.keyfactories.DhKeyFactory

NF

Added support for X.509 encoded public keys and PKCS#8 encoded private keys.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added USER_PIN entry to allow configuration of a fixed user PIN to login to the PKCS#11 module.

iaik.pkcs.pkcs11.provider.signatures.SignatureInputStream

iaik.pkcs.pkcs11.provider.signatures.SignatureOutputStream

NF

Added these classes, which provide stream signing features for input and output streams respectively.

iaik.apps.util.passphrase

B/NF

Added NewPassphraseFrameDialog. Improved dialogs to work on several platforms.

Version 1.1.3

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

Now, the keystore uses sessions only during keystore operations. This enables use of the provider for module implementations which support only a single session.

iaik.pkcs.pkcs11.provider.TokenManager

B/C

The token manager now sets the CKF_OS_LOCKING_OK flag when initializing the PKCS#11 module. This ensures that modules which do not allow multi-threaded access otherwise work correctly.

iaik.pkcs.pkcs11.provider.*.properties

NF/C

Moved all default properties from the package iaik.pkcs.pkcs11.provider to the package iaik.pkcs.pkcs11.provider.default. This only applies to the default properties which are included in the provider's jar file. The properties files that an application developer provides still have the same names; e.g. iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties. There is no need to change anything in an existing application. The advantage is that it does not matter in which position the application's properties are in the classpath.

Version 1.1.4

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.hashes

B

Fixed a bug that can cause an exception containing error code CKR_OPERATION_ACTIVE if the application calls reset() as first operation of a hash engine.

Version 1.1.5

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.hashes

NF

Added property MULTI_THREAD_INIT which tells the provider how to initialize the PKCS#11 module; with flag CKF_OS_LOCKING_OK or without initialization arguments (NULL_PTR).

iaik.pkcs.pkcs11.provider.keys

NF

Improved session handling for session key objects. Now the sessions of session keys are reused. This reduces the number of sessions required during runtime even if there are several session keys.

iaik.pkcs.pkcs11.provider.signatures.SignatureUtil

B

Fixed a bug that may cause certain DSA and ECDSA signature values to be encoded incorrectly. As a result a PKCS#11 module would be unable to verify the signature value.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

iaik.pkcs.pkcs11.provider.ciphers.RSACipher

B

Fixed a bug that may cause an error with block ciphers under certain circumstances.

iaik.pkcs.pkcs11.provider.ciphers.RSACipher

NF

The RSA cipher also supports JCE update methods. Now, the JCE update methods buffer the incoming data and delay the processing until the doFinal method is called. This cipher no longer uses any PKCS#11 update functions, because most PKCS#11 modules do not support these functions in this context.

Version 1.1.6

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

With certain modules, which use the same label for corresponding private key and public key, the keystore used the label as alias for the public key, if the module reported this key before the private key in the search operation.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed some lines in the setKeyEntry method. These changes ensure that attributes of an existing private key are only set if really necessary. This situation may occur when importing a certificate or a certificate chain to a previously generated private key.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

If the application generates a key-pair on the token and imports a certificate chain right after that, without calling any other keystore method in between, the private key will appear twice on the token (a workaround would have been to call e.g. tokenKeyStore.aliases() before calling setKeyEntry).

iaik.pkcs.pkcs11.provider.cipher.PKCS11Cipher

B

Changed pkcs11Init(int, Key, AlgorithmParameters, SecureRandom) to accept null as AlgorithmParameters in general.

Version 1.1.7

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

Under certain circumstances deleting keystore entries might not delete the actual underlying PKCS#11 object; i.e. deleteEntry(String) did not always work as expected. The session handling has also been improved to ensure that an already closed session is never reused.

iaik.apps.util.passphrase.PassphraseDialog

iaik.apps.util.passphrase.PassphraseFrameDialog

B

Moved the call to hide() to avoid an IAIKPkcs11AuthenticationCanceledException in some cases even if the OK button has been pressed.

Version 1.1.8

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed exception handling to pass all runtime exceptions directly through to the application.

iaik.pkcs.pkcs11.provider.TokenManager

C

TokenManager now throws an exception with a more meaningful message text if the required PKCS11_NATIVE_MODULE property has not been set.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

C

Changed handling of entries in the underlying Hashtable of the provider.

This was necessary to work around a bug in Java 5 RC (Bug ID 5097015).

iaik.pkcs.pkcs11.provider.keyagreements.DhKeyAgreement

B

Fixed a bug which caused an exception claiming an incorrect key even if the provided key is correct.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

NF

Added a destroy method to allow simple destruction of no longer used keys. This is especially useful for session keys to save resources.

iaik.pkcs.pkcs11.provider.keypairgenerators.X942DhKeyPairGenerator

B

Fixed a bug which can cause an exception indicating CKR_TEMPLATE_INCONSISTENT.

Version 1.1.9

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

pkcs11wrapper shared library

B

Fixed a bug which may cause the Java VM to halt or crash if the application tries to use several PKCS#11 modules which do not exist.

iaik.pkcs.pkcs11.provider.TokenManager

NF

logout(null) is now allowed and will just log out the user from the token using any session.

iaik.pkcs.pkcs11.provider.DefaultLoginManager

C

logout(TokenManager, null) will only use a read-only session as dummy session for the logout operation.

iaik.pkcs.pkcs11.provider.TokenKeyStore

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Since the session management of the key store has been improved, the key store object does not cache its own session after the return of public methods. Thus, the TokenKeyStore.logout() and TokenKeyStoreSPI.logoutSession() methods have been adapted to always force a logout. This ensures the expected behavior; i.e. that a logout is actually performed in all cases.

demos

NF

Added a GetInfo demo which provides information about a module.

This makes it easier to configure a PKCS#11 Provider instance and to track problems.

iaik.pkcs.pkcs11.provider.ciphers.BlockCipher

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

C

Changed default mode and padding from lower case writing to default names as listed in the JCE specifications; e.g. "ECB" instead of "ecb", and "PKCS1Padding" instead of "pkcs1padding". This may cause problems with delegate software providers otherwise.

iaik.pkcs.pkcs11.provider.TokenKeyStore

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed method setKeyEntry to use different KeySpecs for DESede and DES keys to get better compatibility with other secret key factories. With factories of some JCE providers, the application may get a java.security.spec.InvalidKeySpecException: Inappropriate key specification exception without this change. As a workaround, the application may configure an alternative provider using the KEY_STORE_SUPPORT_PROVIDER option.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

If the application queries a PKCS#11 keystore when there is no token present in the associated slot, the keystore can throw an IAIKPkcs11TokenUnavailableException.

According to the documentation, it should simply show an empty keystore.

iaik.pkcs.pkcs11.provider.ciphers.BlockCipher

NF

If the application uses a block cipher for encryption but does not provide an IV, the implementation will generate one automatically and return it on request to the application; e.g. using Cipher.getIV() or via Cipher.getParameters().

iaik.pkcs.pkcs11.provider.TokenManager

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

NF

If login/logout operations are performed using the loginUser or logout methods of the TokenManager, it notifies the key stores that their contents may no longer be valid.

N/A

C

Added a lib-signed directory containing the signed provider JAR files. Moreover, the signed and unsigned versions of the provider have the same file name now. There are lib/iaikPkcs11Provider.jar and lib/iaik_jce.jar, which are the unsigned versions, and there are lib-signed/iaikPkcs11Provider.jar and lib-signed/iaik_jce.jar, which are the signed versions. This should make deployment easier.

iaik.pkcs.pkcs11.provider.hashes.Sha256

iaik.pkcs.pkcs11.provider.hashes.Sha384

iaik.pkcs.pkcs11.provider.hashes.Sha512

NF

Added SHA-256/384/512 hash (FIPS PUB 180-2) algorithms from PKCS#11 v 2.20.

iaik.pkcs.pkcs11.provider.macs.Sha256HMac

iaik.pkcs.pkcs11.provider.macs.Sha384HMac

iaik.pkcs.pkcs11.provider.macs.Sha512HMac

NF

Added HMACs based on SHA-256/384/512 hash (FIPS PUB 180-2) algorithms.

iaik.pkcs.pkcs11.provider.keygenerators.Sha256KeyDerivation

iaik.pkcs.pkcs11.provider.keygenerators.Sha384KeyDerivation

iaik.pkcs.pkcs11.provider.keygenerators.Sha512KeyDerivation

NF

Added key derivation functions based on SHA-256/384/512 hash (FIPS PUB 180-2) algorithms.

iaik.pkcs.pkcs11.provider.signatures

NF

Added RSA PKCS#1 v1.5 and v2.1 PSS signature schemes based on SHA-256/384/512 hash (FIPS PUB 180-2) algorithms, external and internal hashing versions.

Version 1.2

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.IAIKPkcs11

iaik.pkcs.pkcs11.provider.TokenManager

NF

We introduced a new configuration property which tells the provider what to do if a CKR_CRYPTOKI_ALREADY_INITIALIZED error occurs upon initialization of the PKCS#11 module. The new property is called MODULE_ALREADY_INITIALIZED. By default, it is set to ignore, which tells the provider to ignore this error and go ahead as if no error happened. This is especially useful for applets.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

B

Unwrapping of an AES key may cause a CKR_TEMPLATE_INCOMPLETE error due to a missing key-type attribute for this algorithm.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

B

Calling destroy() may only work correctly for session objects but may throw an exception for token objects.

iaik.pkcs.pkcs11.provider

NF

The new interface KeyHandler is used by crypto engine implementations of this provider to allow automatic key conversion. By calling the setAutoConversion(boolean) method of the DefaultKeyHandler, such automatic key conversion can be enabled easily.

iaik.pkcs.pkcs11.provider.ciphers

NF

Applications can feed pure software keys to a PKCS#11 cipher.

The cipher will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keyagreements

NF

Applications can feed pure software keys to a PKCS#11 key agreement.

The PKCS#11 provider will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keygenerators

NF

Applications can use PKCS#11 key generators without special AlgorithmParameterSpec objects, just in the same way as a software provider. The PKCS#11 provider will use default values for the operation.

iaik.pkcs.pkcs11.provider.keypairgenerators

NF

Applications can use PKCS#11 key-pair generators without special AlgorithmParameterSpec objects, just in the same way as a software provider. The PKCS#11 provider will use default values for the operation.

iaik.pkcs.pkcs11.provider.macs

NF

Applications can feed pure software keys to PKCS#11 MACs.

The MAC will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.signatures

NF

Applications can feed pure software keys to a PKCS#11 signature object.

The PKCS#11 provider will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.TokenManager

NF

Added method isRemovable() to check if the token in the slot is a fixed or a removable token; e.g. HSM or smart card.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added a KeyHandler which allows the application to control the handling of keys which are passed to cipher, MAC, signature and key agreement objects. The DefaultKeyHandler allows automatic conversion of software keys to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keyfactories

NF

The key factories support automatic conversion of software keys to PKCS#11 keys. This is achieved through the new KeyHandler feature.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

NF

New auto destroy feature which allows marking key objects for automatic destruction. This is controlled through setAutoDestroy(boolean) and getAutoDestroy(). If this flag is true, the finalize() method of this object will destroy the underlying PKCS#11 object.

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

NF

Added support for decryption with public key. This feature uses signature verification with message recovery of PKCS#11.

Version 1.2.1

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

B

Fixed a bug in the constructor which may cause incorrect handling of the autoconversion configuration property.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

As an alternative format for SLOT_ID, added means to specify the configured slot via its index in the list of all available slots.

demo.pkcs.pkcs11.provider.GetSlotList

NF

Added this helper program which displays information about all available slots. The output helps developers to configure the slot for the provider.

demo.pkcs.pkcs11.provider.TokenManager

B

Improved finalize method to work correctly even if called concurrently from several threads.

demo.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

The operation which searches for a key which corresponds to a given key now finishes the find operation cleanly.

Version 1.2.2

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.ciphers

iaik.pkcs.pkcs11.provider.hashes

iaik.pkcs.pkcs11.provider.keyagreements

iaik.pkcs.pkcs11.provider.macs

iaik.pkcs.pkcs11.provider.signatures

B

Fixed a bug in the finalize method that may lead to active sessions in the session pool if the application drops engine objects without finishing the active crypto operation.

Version 1.2.3

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

B

For the automatic conversion of public keys that are used for encryption, the conversion method set the sensitive flag in the key creation template. Public keys do not have this attribute. This flag was removed from the template.

iaik.pkcs.pkcs11.provider.TokenKeyStore

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Improved the method that reads the keys and certificates from the token. The old implementation used two find operations, whereas the new one only uses a single one without template. This speeds up reading the keystore contents from the token.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

iaik.pkcs.pkcs11.provider.keygenerators.PKCS11KeyGenerators

iaik.pkcs.pkcs11.provider.keypairgenerators.PKCS11KeyPairGenerators

iaik.pkcs.pkcs11.provider.signature.PKCS11Signature

B

If the provider is configured to check for supported token mechanisms (i.e. CHECK_MECHANISM_SUPPORTED = true) and the used mechanism requires special PKCS#11 parameters, the provider may report the mechanism as unsupported though the token supports it. This can happen e.g. with PSS signatures if the hash is calculated in software.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

NF

Improved exception handling for key unwrapping.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added static method getModule which supports getting a list of available slots and tokens. With this list, the application can select the slot at runtime and instantiate the provider thereafter. Have a look at the "Slot Selection" section in the usage documentation.

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

C

For automatically converting keys, the key handler now uses javax.crypto.spec.DESKeySpec for DES keys, and for DESede (Triple-DES) keys it uses javax.crypto.spec.DESedeKeySpec instead of javax.crypto.spec.SecretKeySpec. The SecretKeyFactories of SunJCE do not support javax.crypto.spec.SecretKeySpec for DES and DESede keys.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

If an existing key on a token was inserted again into the same token using setKeyEntry(), but under a different alias, the resulting copy of the key may have had a different label/alias than the one specified.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

C

If an application unwrapped a key and that unwrapped key was a session key, this key locked its session exclusively. This could lead to many open sessions. We improved that to enable reusing such sessions.

Version 1.2.4

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

n/a

C

Updated included version of IAIK-JCE.

Version 1.2.5

Class or Package

Bug (B) / Change (C) / New Feature (NF)

Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

NF

Extended ECDSA key generator to take key length of 384 and 521 bit.

iaik.pkcs.pkcs11.provider.signatures

NF

Added signature algorithms SHA224/ECDSA, SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA. These algorithms calculate the hash in software and the signature on the token with the provided hash using mechanism CKM_ECDSA.

iaik.pkcs.pkcs11.provider.signatures.PKCS11BufferingSignature

B

Reset data buffer after sign/verify operation to enable correct reuse of the signature engine without initialization.

iaik.pkcs.pkcs11.provider.TokenManager

NF

Enable specification of absolute path to native IAIK PKCS#11 wrapper library with property key PKCS11_WRAPPER_PATH.

Version 1.2.6

Class or Package

Bug/Change/New Feature

Description and Examples

*

NF

JAR files signed with new certificate.

iaik.pkcs.pkcs11.provider.DefaultDelegateProvider

C

SecureRandom no longer returns null with FallbackSoftwareProvider if algorithmName is null.

iaik.pkcs.pkcs11.provider.TokenKeyStore

NF

New method to manually update keystore, e.g. when using the FastPKCS11KeyStore and the card has been changed.

iaik.pkcs.pkcs11.provider.TokenKeyStoreFastSpi

NF

New faster keystore implementation that doesn't check if the token has been changed or removed or if an external tool added, deleted or changed token entries.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

One key with two different related certificateChains is added to the keystore twice (one entry for each certificateChain).

iaik.pkcs.pkcs11.provider.TokenManager

NF

New method getTokenKeystore(String name) for using the FastPKCS11KeyStore with the TokenManager.

Version 1.3

Class or Package

Bug/Change/New Feature

Description and Examples

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

NF

Added SSL mode with RSA, which is needed for the SSL cipher suites of the IBM JDK; internally it calls ECB.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

NF

Added support for the key wrapping algorithm TlsRsaPremasterSecret.

iaik.pkcs.pkcs11.provider.keyagreements.PKCS11KeyAgreement

C

Throws InvalidKeyException instead of NullPointerException if the provided key is not a PKCS#11 provider key.

iaik.pkcs.pkcs11.provider.macs

B

Fixed a bug where MAC engines opened sessions but never closed them again.

iaik.pkcs.pkcs11.provider.signatures

NF

Added mode RSAforSSL, which is needed for the SSL cipher suites of the IBM JDK.

iaik.pkcs.pkcs11.provider.signatures

B

Returns the correct algorithm name if a software key is used with a delegation provider.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

Removed an endless loop that occurred in case of an exception when reading all token objects.

iaik.pkcs.pkcs11.provider.TokenManager

B

Cached slots are now cleared correctly when finalizing.

iaik.pkcs.pkcs11.provider

NF

Provider instances can now be discarded.

iaik.pkcs.pkcs11.provider

NF

Multiple fallback-providers can be handled now. Necessary if a single provider is not capable of all cryptographic operations needed.

iaik.pkcs.pkcs11.provider

NF

Added new engines which allow using the SSL mechanisms specified in PKCS#11 2.0 and newer.

iaik.pkcs.pkcs11.provider

NF

Added new engines which allow using a bunch of PKCS#11 v2.20 mechanisms.

iaik.pkcs.pkcs11.provider

NF

IAIK Eccelerate™ (if available) is used for JDK1.5 and newer; the provider then supports ECPrivateKey and ECPublicKey of java.security.interfaces and ECPublicKeySpec and ECPrivateKeySpec of the java.security.spec package.

demo.pkcs.pkcs11.provider

C

Restructured and rewritten examples. They are easier to find as well as more readable and intuitive now.

Version 1.4

Class or Package

Bug/Change/New Feature

Description and Examples

iaik.pkcs.pkcs11.provider

B

Character array objects (e.g. object labels and PINs) are now interpreted and saved using UTF8 encoding as given in the PKCS#11 specification. Convert labels or PINs that contain special characters, e.g. by using the provided demos in the utils package of the examples. To continue using the old encoding, the property USE_UTF8_ENCODING (Constants.USE_UTF8_ENCODING) must be set to "false".

iaik.pkcs.pkcs11.provider

NF

The provider now offers Security Officer (SO) login for key creation engines.

iaik.pkcs.pkcs11.provider

C

Key creation engine specs are now easier to use. Parameters that are invariant for common use cases were removed from the main interface: the token manager, the session type, and the session r/w behaviour. These can still be accessed through newly created methods.

iaik.pkcs.pkcs11.provider

NF

The provider now propagates its dynamic initialization properties to the default login manager, the default delegate provider and the default key handler.

iaik.pkcs.pkcs11.provider

B

Replaced incorrect imports of sun.security.pkcs11.wrapper.PKCS11Constants with iaik.pkcs.pkcs11.wrapper.PKCS11Constants.

iaik.pkcs.pkcs11.provider.TokenManager

C

Login/logout methods are now more intuitive to use.

iaik.pkcs.pkcs11.provider.TokenManager

B

Improved slot handling to correctly count used slots.

iaik.pkcs.pkcs11.provider.ciphers

NF

A new spec iaik.pkcs.pkcs11.provider.ciphers.PKCS11UnwrapKeySpec is now available for symmetric and asymmetric ciphers. The new specs allow using the unwrap template offered by the C_UnwrapKey function of the PKCS#11 standard.

 

 