print Print
Logo: Stiftung Secure Information and Communication Technologies SIC Stiftung Secure Information and Communication Technologies SIC

Changes

  • Version 1.5

     Release Date: 06 March 2015

     Fixes and enhancements, signed with new certificate

  • Version 1.4

     Release Date: 04 March 2013

     Fixes and enhancements

  • Version 1.3

     Release Date: 03 November 2011

     Fixes, enhancements, meets v2.20 of the PKCS#11 Standard

  • Version 1.2.6

     Release Date: 28 January 2009

     Enhancements and signed with new certificate.

  • Version 1.2.5

     Release Date: 21 July 2008

     Fixes and enhancements.

  • Version 1.2.4

     Release Date: 6 March 2007

     Update of included IAIK-JCE.

  • Version 1.2.3

     Release Date: 19 December 2006

     Fixes and enhancements.

  • Version 1.2.2

     Release Date: 19 April 2006

     Fixes.

  • Version 1.2.1

     Release Date: 22 February 2006

     Fixes and minor enhancements.

  • Version 1.2

     Release Date: 27 June 2005

     Fixes and major enhancements; e.g. transparent and automatic key import.

  • Version 1.1.9

     Release Date: 3 January 2005

     Fixes and minor enhancements.

  • Version 1.1.8

     Release Date: 5 October 2004

     Fixes and minor enhancements.

  • Version 1.1.7

     Release Date: 10 December 2003

     Fixes and minor enhancements.

  • Version 1.1.6

     Release Date: 3 September 2003

     Fixes and minor enhancements.

  • Version 1.1.5

     Release Date: 7 July 2003

     Fixes and minor enhancements.

  • Version 1.1.4

     Release Date: 6 June 2003

     Fixed a bug in hash engine. Several other fixes and minor enhancements.

  • Version 1.1.3

     Release Date: 4 June 2003

     Keystore now uses sessions only during keystore operations. Several other fixes and minor enhancements.

  • Version 1.1.2

     Release Date: 16 April 2003

     Added support for PIN change. Several other fixes and minor enhancements.

  • Version 1.1.1

     Release Date: 31 January 2003

     Enhancements in PKCS#11 session handling and PIN handling via key store. Several other enhancements.

  • Version 1.1

     Release Date: 18 December 2002

     Several enhancements.

  • Version 1.0

     Release Date: 23 September 2002

     Fixes and minor enhancements.

  • Version 1.0 Beta 3

     Release Date: 2 September 2002

     Fixes and minor enhancements.

  • Version 1.0 Beta 2

     Release Date: 1 August 2002

     New features, more demos.

  • Version 1.0 Beta 1

     Release Date: 19 July 2002

     First public release.

Version 1.0 Beta 2

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

demo.pkcs.pkcs11.provider.RSASigningApplet

NF

An applet demo shows how to sign with a smart card inside an applet.

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the isasilk-demo directory shows how to use smart cards for SSL an TLS client authentication using IAIK-SSL ( alias iSaSiLk).

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the jsse_jdk14-demo directory shows how to use smart cards for SSL an TLS client authentication using SUN's JSSE version of JDK 1.4.

demo.pkcs.pkcs11.provider.ClientAuthenticationSocketDemo

NF

This demo in the jsse-demo directory shows how to use smart cards for SSL an TLS client authentication using SUN's JSSE version 1.0.3 (domestic) with the IAIK JSSE provider and IAIK-SSL with JDK 1.3.

demo.pkcs.pkcs11.provider.ImportPKCS12

NF

This demo allows to import private keys and certificates easily from PKCS#12 (*.p12, *.pfx) files into smart cards and other PKCS#11 tokens.

Version 1.0 Beta 3

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added method insertProviderAtForJDK14 that implements a workaround for a JDK 1.4.x

 bug that prevents installing a JCE provider that implements SHA-1, MD5 or X.509 certificate

 factories as first provider.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

B

Modified method engineGetKeySize(Key) to work with software keys also, not just with

 keys of this PKCS#11 provider.

iaik.pkcs.pkcs11.provider.TokenManager

B

Fixed token manager to be able to handle tokens with multiple logical slots. Now it is

 possible to create two provider instances with the same properties file, if these properties

 do not specify a slot explicitely and the library provides more than one slot.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Introduced a global property to enable and disable the software delegation feature.

iaik.pkcs.pkcs11.provider.IAIKPkcs11MultipleInstance.properties

C

Changed the name to iaik/pkcs/pkcs11/provider/IAIKPkcs11Global.properties and introduced

 the software delegate enable/disable flag.

iaik.pkcs.pkcs11.provider.random.PKCS11RandomSpi

C

Now uses a software delegate, if the current token does not support random number generation.

iaik.pkcs.pkcs11.provider.random.PKCS11SeededRandomSpi

NF

Introduced this new random implementation that only uses the token for seed operations but

 uses the software delegation for generating random bytes. This will improve performance in many

 cases.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed bug that caused property LOGIN_KEYSTORE_SESSION_ON_DEMAND to be read incorrectly.

Version 1.0

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.apps.util.passphrase

NF

Added an alternative implementation of a PIN-dialog - PassphraseFrameDialog.

 This uses a Frame rather than a Dialog, thus it is also visible in the taskbar.

iaik.apps.util.passphrase.PassphraseDialog

C

Modified PassphraseDialog to act as a pure JDialog without a frame. The dummy frame

 caused trouble on some platforms.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

C

Changed default for property LOGIN_KEYSTORE_SESSION_ON_DEMAND to false.

iaik.apps.util.passphrase.PassphrasePrompt

C

Added a new method setProtectedResourceInfo(). The current implementation passes

 a TokenInfo to this method before prompting a PIN. This allows the dialog to

 display detailed information about the token for which the user must enter a PIN.

 

B

Fixed several mistakes in the JavaDoc.

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1DsaSignature

B

Fixed constructor.

iaik.pkcs.pkcs11.provider.signatures.ExternalSha1EcdsaSignature

B

Fixed constructor.

 

NF

Added a algorithm autodetect feature. If enabled, the provider will check, if a

 certain requested algorithm is supported by the current token before reporting

 it to the JCE.

Version 1.1

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Improved alias handling and key import.

 Aliases now map to object labels one-to-one if possible.

 Aliases provided when setting new key or certificate entries now use the provided alias as given.

 The new objects get the alias as their PKCS#11 object label.

 When setting new private key entries with a user certificate, the keystore checks the mechanisms

 supported by the token and the key-usage flags in the user certificate. Using this information,

 it sets the private key attributes appropriately.

 Moreover, the key store now handles certificate chains for private key entries.

 The key store tries to construct a certificate chain when reading the certificates from the token.

iaik.pkcs.pkcs11.provider.hashes

NF

Added software delegation support for all hashes.

iaik.pkcs.pkcs11.provider.DelegateProvider

 iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added an advanced software delegation system.

 The application can set its own handler for getting software delegation engines.

iaik.pkcs.pkcs11.provider.random.PKCS11RandomNoSetSeedSpi

NF

Added random implementation that does not set any seed. Useful for tokens that do not support

 external seeding, but can generate random data nevertheless.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

C

Changed SECONDARY_PROVIDER to KEY_STORE_SUPPORT_PROVIDER, because it is just used in the keystore.

 Other classes use the new advanced delegation provider mechanism.

 Added DELEGATE_PROVIDER to configure a handler that provide software delegate implementations.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added ALGORITHM_PROPERTIES entry to allow a separate algorithm list for each provider instance.

iaik.pkcs.pkcs11.provider.keyfactories

NF

Added software delegation support for all key factories.

iaik.pkcs.pkcs11.provider.IAIKPkcs11#insertProviderAtForJDK14(Provider, int)

B

Improved implementation to work in more JDKs that have the provider registration bug.

iaik.pkcs.pkcs11.provider.ciphers

 iaik.pkcs.pkcs11.provider.hashes

 iaik.pkcs.pkcs11.provider.signatures

 iaik.pkcs.pkcs11.provider.macs

B

Fixed engine classes to be reusable after final-operation.

iaik.apps.util.passphrase

NF

Added the class PassphraseHolder that makes passing the user-PIN from the application easier.

 Added the class PassphraseConsoleDialog that prompts the PIN from the console.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed a problem with case-insensitivity of algorithm names.

Version 1.1.1

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Changed key-usage handling for import of new keys. Now the key-usage keyEncipherment

 in the user certificate also sets the Decrypt flag in the new PKCS#11 key object.

iaik.pkcs.pkcs11.provider.key.IAIKPKCS11Key

NF

Added constants for key type names that can be used for the unwrapping functionality of the

 PKCS11Cipher class (see other change).

iaik.pkcs.pkcs11.provider.cipher.PKCS11Cipher

B

Improved the unwrapping functionality to handle the key type parameter correctly.

iaik.pkcs.pkcs11.provider.cipher.RSACipher

B

Fixed a bug in the initialization. This bug ocurred in some JSSE samples.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

If the application provides a password (or PIN) when calling the load(InputStream, char[]) method,

 the keystore will use this to do a user-login; it will not prompt the password or PIN using an

 own dialog.

iaik.pkcs.pkcs11.provider.TokenManager

 all engine classes

NF

Improved handling of PKCS#11 sessions. Sessions are cached in the TokenManager. The engine classes give back sessions to the TokenManager if they do not use them currently. This can lower the number of open PKCS#11 sessions dramatically.

Version 1.1.2

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.key.IAIKPKCS11PublicKey

 iaik.pkcs.pkcs11.provider.key.IAIKPKCS11PrivateKey

B

Fixed a type cast that may lead to an endless loop when compiled with certain compilers.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

B

Fixed a problem in the JDK 1.4 bug workaround method insertProviderAtForJDK14().

iaik.pkcs.pkcs11.provider.keyfactories.DsaKeyFactory

B

Fixed a bug in the method for private key generation.

iaik.pkcs.pkcs11.provider.keyfactories.EcDsaKeyFactory

NF

New factory to create PKCS#11 ECDSA keys from X.509 encoded public key and

 PKCS#8 encoded private keys, which use ANSI X9.62 encoding internally.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

The store-method changes the user PIN of the token.

iaik.pkcs.pkcs11.provider.TokenManager

 all engine classes

NF

Using the protected authentication path for PIN entry can now be disabled using

 the provider properties.

iaik.apps.util.passphrase

NF

Added interface NewPassphrasePrompt, class NewPassphraseDialog and class NewPassphraseHolder for changing the PIN.

 Added the class NewPassphraseConsoleDialog that prompts the new PIN from the console.

iaik.pkcs.pkcs11.provider.signatures.DsaSignature

 iaik.pkcs.pkcs11.provider.signatures.ExternalSha1DsaSignature

 iaik.pkcs.pkcs11.provider.signatures.InternalSha1DsaSignature

 iaik.pkcs.pkcs11.provider.signatures.EcDsaSignature

 iaik.pkcs.pkcs11.provider.signatures.ExternalSha1EcDsaSignature

 iaik.pkcs.pkcs11.provider.signatures.InternalSha1EcDsaSignature

B

Fixed bug of wrong encoding of signature value.

iaik.pkcs.pkcs11.provider.IAIKPkcs112

 iaik.pkcs.pkcs11.provider.IAIKPkcs113

 iaik.pkcs.pkcs11.provider.IAIKPkcs114

NF

Added these subclasses of IAIKPkcs11 provider. They can be used in situations where each provider must be of a different class name.

 This can be used for a static configuration of providers with VM 1.4.x, which do not accept the same provider class to be registered more than once.

iaik.pkcs.pkcs11.provider.LoginManager

 iaik.pkcs.pkcs11.provider.DefaultLoginManager

 iaik.pkcs.pkcs11.provider.IAIKPkcs11

C/NF

Introduced new interface LoginManager to separate login, PIN change and logout from provider core.

 This allows users to easily implement own login and PIN management handlers.

 All user dialog related functionality has been moved to DefaultLoginManager. This includes configured PIN dialogs and prompt messages.

 As a consequence, the provider itself does no longer include any language specific stuff. This is all in (the easily replaceable) login manager.

 If you have used custom settings for login related stuff, you can use the same properties file entries in the new file called iaik/pkcs/pkcs11/provider/DefaultLoginManager.properties. If you used the API, you can find the same methods now in the DefaultLoginManager class as before in the provider itself.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added MODULE_INITIALIZATION_PARAMETERS entry to allow passing parameters to the PKCS#11 module during initialization.

 This can be used to access the crypto module of Mozilla and Netscape and use the private keys and certificates.

iaik.pkcs.pkcs11.provider.keyfactories.RSAKeyFactory

 iaik.pkcs.pkcs11.provider.keyfactories.DSAKeyFactory

 iaik.pkcs.pkcs11.provider.keyfactories.ECDSAKeyFactory

 iaik.pkcs.pkcs11.provider.keyfactories.DhKeyFactory

NF

Added support for X.509 encoded of public keys and PKCS#8 encoded private keys.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

Added USER_PIN entry to allow configuration of a fixed user PIN to login to the PKCS#11 module.

iaik.pkcs.pkcs11.provider.signatures.SignatureInputStream

 iaik.pkcs.pkcs11.provider.signatures.SignatureOutputStream

NF

Added these classes which provide stream signing features for input and output stream respectively.

iaik.apps.util.passphrase

B/NF

Added NewPassphraseFrameDialog. Improved dialogs to work on several platforms.

Version 1.1.3

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

NF

Now, the keystore uses sessions only during keystore operations.

 This enables use of the provider for module implementation which

 support only a single session.

iaik.pkcs.pkcs11.provider.TokenManager

B/C

The token manager now sets the CKF_OS_LOCKING_OK flag when initializing

 the PKCS#11 module. This ensures that modules which do not allow

 multi-threaded access otherwise work correctly.

iaik.pkcs.pkcs11.provider.*.properties

NF/C

Moved all default properties from the package iaik.pkcs.pkcs11.provider

 to the package iaik.pkcs.pkcs11.provider.default. This only applies

 to the default properties which are included in the provider's jar file. The

 properties files that an application developer provides still have the same names;

 e.g. iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties. There is no need

 to change anything in an existing application. The advantage is, that it does not

 matter in which position the application's properties are in the classpath.

Version 1.1.4

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.hashes

B

Fixed a bug that can cause an exception containing error code CKR_OPERATION_ACTIVE

 if the application calls reset() as first operation of a hash engine.

Version 1.1.5

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.hashes

NF

Added property MULTI_THREAD_INIT which tells the provider how to

 initialize the PKCS#11 module; with flag CKF_OS_LOCKING_OK or without

 initialization arguments (NULL_PTR).

iaik.pkcs.pkcs11.provider.keys

NF

Improved session handling for session key objects. Now the sessions of session keys

 are reused. This reduces the number of sessions required during runtime even if

 there are several session keys.

iaik.pkcs.pkcs11.provider.signatures.SignatureUtil

B

Fixed a bug that may cause certain DSA and ECDSA signature values to be encoded

 incorrectly. As a result a PKCS#11 module would be unable to verify the signature

 value.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

 iaik.pkcs.pkcs11.provider.ciphers.RSACipher

B

Fixed a bug that may cause an error with block ciphers under certain

 circumstances.

iaik.pkcs.pkcs11.provider.ciphers.RSACipher

NF

The RSA cipher also supports JCE update methods.

 Now, the JCE update methods buffer the incoming data and delay the processing

 until the doFinal method is called. This cipher does no longer use any PKCS#11

 update functions, because most PKCS#11 modules do not support these functions

 in this context.

Version 1.1.6

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

With certain modules, which use the same label for corresponding private key and

 public key, the keystore used the label as alias for the public key, if the module

 reported this key before the private key in the search operation.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed some lines in the setKeyEntry method. These changes ensure that

 attributes of an existing private key are only set if really necessary. This situation

 may occur when importing a certificate or a certificate chain to a previously generated

 private key.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

If the application generates a key-pair on the token and imports a certificate chain

 right after that, without calling any other keystore method in between, the private

 key will appear twice on the token (a workaround would have been to call e.g.

 tokenKeyStore.aliases() before calling setKeyEntry).

iaik.pkcs.pkcs11.provider.cipher.PKCS11Cipher

B

Changed pkcs11Init(int, Key, AlgorithmParameters, SecureRandom) to

 accept null as AlgorithmParameters in general.

Version 1.1.7

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

Under certain circumstances deleting keystore entries might not delete

 the actual underlying PKCS#11 object; i.e. deleteEntry(String) did not

 always work as expected. The session handling has also been improved to

 ensure that an already closed session is never reused.

iaik.apps.util.passphrase.PassphraseDialog

 iaik.apps.util.passphrase.PassphraseFrameDialog

B

Moved the call to hide() to avoid an IAIKPkcs11AuthenticationCanceledException

 in some cases even if the OK button has been pressed.

Version 1.1.8

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed exception handling to pass all runtime exceptions directly through

 to the application.

iaik.pkcs.pkcs11.provider.TokenManager

C

TokenManager now throws an exception with a more meaningful message text

 if the required PKCS11_NATIVE_MODULE property has not been set.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

C

Changed handling of entries in the underlying Hashtable of the provider.

 This was neccessary to work around a bug in Java 5 RC (Bug ID 5097015).

iaik.pkcs.pkcs11.provider.keyagreements.DhKeyAgreement

B

Fixed a bug which caused an exception claiming an incorrect key even

 if the provided key is correct.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

NF

Added a destroy method to allow simple destruction of no longer

 used keys. This is especially useful for session keys to save resources.

iaik.pkcs.pkcs11.provider.keypairgenerators.X942DhKeyPairGenerator

B

Fixed a bug which can cause an exception indicating CKR_TEMPLATE_INCONSISTENT.

Version 1.1.9

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

pkcs11wrapper shared library

B

Fixed a bug which may cause the Java VM to halt or crash if the application

 tries to use several PKCS#11 modules which do not exist.

iaik.pkcs.pkcs11.provider.TokenManager

NF

logout(null) is now allowed and will just logout the user from the token

 using any session.

iaik.pkcs.pkcs11.provider.DefaultLoginManager

C

logout(TokenManager, null) will only use a read-only session as dummy session

 for the logout operation.

iaik.pkcs.pkcs11.provider.TokenKeyStore

 iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Since the session management of the key store has been improved, the key store

 object does not cache an own session after the return of public methods.

 Thus, the TokenKeyStore.logout() and TokenKeyStoreSPI.logoutSession()

 methods have been adapted to always force a logout. This ensures the expected behavior;

 i.e. that a logout is actually performed in all cases.

demos

NF

Added a GetInfo demo which provides information about a module.

 This makes it easier to configure a PKCS#11 Provider instance and to track problems.

iaik.pkcs.pkcs11.provider.ciphers.BlockCipher

 iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

C

Changed default mode and padding from lower case writing to default names as listed

 in the JCE spcifications; e.g. "ECB" instead of "ecb", and "PKCS1Padding" instead of

 "pkcs1padding". This may cause problems with delegate software providers otherwise.

iaik.pkcs.pkcs11.provider.TokenKeyStore

 iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

C

Changed method setKeyEntry to use different KeySpecs

 for DESede and DES keys to get better compatibility with other secret key factories.

 With factories of some JCE providers, the application may get a

 java.security.spec.InvalidKeySpecException: Inappropriate key specification

 exception without this change. As a work around, the application may configure an alternative

 provider using the KEY_STORE_SUPPORT_PROVIDER option.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

B

If the application queries a PKCS#11 keystore when there is no token present in the

 associated slot, the keystore can throw an IAIKPkcs11TokenUnavailableException.

 According to the documentation, it should simply show an empty keystore.

iaik.pkcs.pkcs11.provider.ciphers.BlockCipher

NF

If the application uses a block cipher for encryption but does not provide an IV,

 the implmenentation will generate one automatically and return it on request to

 the application; e.g. using Cipher.getIV() or via

 Cipher.getParameters().

iaik.pkcs.pkcs11.provider.TokenManager

 iaik.pkcs.pkcs11.provider.TokenKeyStoreSPI

NF

If login/logout operations are performed using the loginUser or

 logout methods of the TokenManager, it notifies the key stores

 that their contents may be no longer valid.

N/A

C

Added a lib-signed directory containing the signed provider

 JAR files. Moreover, the signed and unsigned version of the provider have

 the same file name now. There is

 lib/iaikPkcs11Provider.jar and lib/iaik_jce.jar

 , which are the unsigned versions, and there are

 lib-signed/iaikPkcs11Provider.jar and lib-signed/iaik_jce.jar

 , which are the signed versions. This should make deployment easier.

iaik.pkcs.pkcs11.provider.hashes.Sha256

 iaik.pkcs.pkcs11.provider.hashes.Sha384

 iaik.pkcs.pkcs11.provider.hashes.Sha512

NF

Added SHA-256/384/512 hash (FIPS PUB 180-2) algorithms from PKCS#11 v 2.20.

iaik.pkcs.pkcs11.provider.macs.Sha256HMac

 iaik.pkcs.pkcs11.provider.macs.Sha384HMac

 iaik.pkcs.pkcs11.provider.macs.Sha512HMac

NF

Added HMACs based on SHA-256/384/512 hash (FIPS PUB 180-2) algorithms.

iaik.pkcs.pkcs11.provider.keygenerators.Sha256KeyDerivation

 iaik.pkcs.pkcs11.provider.keygenerators.Sha384KeyDerivation

 iaik.pkcs.pkcs11.provider.keygenerators.Sha512KeyDerivation

NF

Added key derivation functions based on SHA-256/384/512 hash (FIPS PUB 180-2) algorithms.

iaik.pkcs.pkcs11.provider.signatures

NF

Added RSA PKCS#1 v1.5 and v2.1 PSS signature schemes based on SHA-256/384/512 hash

 (FIPS PUB 180-2) algorithms, external and internal hashing versions.

Version 1.2

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.IAIKPkcs11

 iaik.pkcs.pkcs11.provider.TokenManager

NF

We introduced a new configuration property which tells the provider

 what to do if a CKR_CRYPTOKI_ALREADY_INITIALIZED error occurs upon

 initialization of the PKCS#11 module.

 The new property is called MODULE_ALREADY_INITIALIZED.

 Per default, it is set to ignore which tells the provider

 to ignore this error an go ahead as if no error happened. This is

 especially useful for applets.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

B

Unwrapping of an AES key may cause a CKR_TEMPLATE_INCOMPLETE error

 due to a missing key-type attribute for this algorithm.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

B

Calling destroy() may only work correctly for session objects

 but may throw an exception for token objects.

iaik.pkcs.pkcs11.provider

NF

The new interface KeyHandler is used by crypto engine

 implementations of this provider to allow automatic key convserion.

 By calling the setAutoConversion(boolean) method of the

 DefaultKeyHandler, such automatic key conversion can be

 enabled easily.

iaik.pkcs.pkcs11.provider.ciphers

NF

Applications can feed pure software keys to a PKCS#11 cipher.

 The cipher will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keyagreements

NF

Applications can feed pure software keys to a PKCS#11 key agreement.

 The PKCS#11 provider will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keygenerators

NF

Applications can use PKCS#11 key generators without special

 AlgorithmParameterSpec objects, just in the same way

 as a software provider.

 The PKCS#11 provider will use default values for the operation.

iaik.pkcs.pkcs11.provider.keypairgenerators

NF

Applications can use PKCS#11 key-pair generators without special

 AlgorithmParameterSpec objects, just in the same way

 as a software provider.

 The PKCS#11 provider will use default values for the operation.

iaik.pkcs.pkcs11.provider.macs

NF

Applications can feed pure software keys to a PKCS#11 MACs.

 The MAC will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.signatures

NF

Applications can feed pure software keys to a PKCS#11 signature object.

 The PKCS#11 provider will convert the keys automatically to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.TokenManager

NF

Added method isRemovable() to check if the token in the

 slot is a fixed or a removable token; e.g. HSM or smart card.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added a KeyHandler which allows the application to control the handling

 of keys which are passed to cipher, MAC, signature and key agreement

 objects. The DefaultKeyHandler allows automatic conversion of software

 keys to PKCS#11 keys.

iaik.pkcs.pkcs11.provider.keyfactories

NF

The key factories support automatic conversion of software keys to

 PKCS#11 keys. This is achieved through the new KeyHandler

 feature.

iaik.pkcs.pkcs11.provider.keys.IAIKPKCS11Key

NF

New auto destroy feature which allows to mark such key objects.

 This is controlled through setAutoDestroy(boolean) and

 getAutoDestroy(). If this flag is true,

 the finalize() method of this object will destroy the

 underlying PKCS#11 object.

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

NF

Added support for decryption with public key. This feature uses signature

 verification with message recovery of PKCS#11.

Version 1.2.1

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

B

Fixed a bug in the constructor which may cause incorrect handling of

 autoconversion configuration property.

iaik.pkcs.pkcs11.provider.IAIKPkcs11.properties

NF

As alternative format for SLOT_ID, added means to specify

 the configured slot via its index in the list of all available slots.

demo.pkcs.pkcs11.provider.GetSlotList

NF

Added this helper program which displays information about all available

 slots. The output helps developers to configure the slot for the provider.

demo.pkcs.pkcs11.provider.TokenManager

B

Improved finalize method to work correctly even if called concurrently from

 several threads.

demo.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

The operation which searches for a key which corresponds to a given key

 now finishes the find operation as cleanly.

Version 1.2.2

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.ciphers

 iaik.pkcs.pkcs11.provider.hashes

 iaik.pkcs.pkcs11.provider.keyagreements

 iaik.pkcs.pkcs11.provider.macs

 iaik.pkcs.pkcs11.provider.sigantures

B

Fixed a bug in the finalize method that may lead to active sessions in

 the session pool if the application drops engine objects without

 finishing the active crypto operation.

Version 1.2.3

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

B

For the automatic conversion of public keys that are used for encryption,

 the conversion method has set the sensitiv-flag in the key creation

 template. Public keys do not have this attribute. This flag was removed

 from the template.

iaik.pkcs.pkcs11.provider.TokenKeyStore

 iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

Improved the method that reads the keys and certificates from the token.

 The old implementation used two find operations, whereas the new one

 only uses a single one without template. This speeds up reading the

 keystore contents from the token.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

 iaik.pkcs.pkcs11.provider.keygenerators.PKCS11KeyGenerators

 iaik.pkcs.pkcs11.provider.keypairgenerators.PKCS11KeyPairGenerators

 iaik.pkcs.pkcs11.provider.signature.PKCS11Signature

B

If the provider is configured to check for supported token mechanisms

 (i.e. CHECK_MECHANISM_SUPPORTED = true) and the used mechanism requires

 special PKCS#11 parameters, the provider may report the mechanism as

 unsupported though the token supports it. This can happen e.g.

 with PSS sigantures if the hash is calculated in software.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

NF

Improved exception handling for key unwrapping.

iaik.pkcs.pkcs11.provider.IAIKPkcs11

NF

Added static method getModule which supports getting a list

 of available slots and tokens. With this list, the application can

 select the slot at runtime and instantiate the provider thereafter.

 Have a look at the "Slot Selection" section in the usage documentation.

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

C

For automatically converting keys,

 the key handler now uses javax.crypto.spec.DESKeySpec for DES keys

 and for DESede (Triple-DES) keys, is uses javax.crypto.spec.DESedeKeySpec

 instead of javax.crypto.spec.SecretKeySpec.

 The SecretKeyFactories of SunJCE do not support

 javax.crypto.spec.SecretKeySpec for DES and DESede keys.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

If an existing key on a token was inserted again into the same token

 using setKeyEntry(), but under a different alias, the resulting copy of

 the key may have had a different label/alias than the one specified.

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

C

If an application unwrapped a key and that unwrapped key was a session key,

 this key locked its session exclusively. This could lead to many open sessions.

 We improved that to enable reusing such sessions.

Version 1.2.4

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

n/a

C

Updated included version of IAIK-JCE.

Version 1.2.5

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.DefaultKeyHandler

NF

Extended ECDSA key generator to take key length of 384 and 521 bit.

iaik.pkcs.pkcs11.provider.signatures

NF

Added signature algorithms SHA224/ECDSA, SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA.

 These algorithms calculate the hash in software and the signature on the token with

 the provided hash using mechanism CKM_ECDSA.

iaik.pkcs.pkcs11.provider.signatures.PKCS11BufferingSignature

B

Reset data buffer after sign/verify-operation to enable correct

 reuse of signature engine without initialization.

iaik.pkcs.pkcs11.provider.TokenManager

NF

Enable specification of absolute path to native IAIK PKCS#11 wrapper library with

 property key PKCS11_WRAPPER_PATH.

Version 1.2.6

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

*

NF

jar files signed with new certificate.

iaik.pkcs.pkcs11.provider.DefaultDelegateProvider

C

SecureRandom no longer returns null with FallbackSoftwareProvider

 if algorithmName is null

iaik.pkcs.pkcs11.provider.TokenKeyStore

NF

New method to manually update keystore, e.g. when using the FastPKCS11KeyStore and the card has been changed.

iaik.pkcs.pkcs11.provider.TokenKeyStoreFastSpi

NF

New faster keystore implementation, that doesn't check if the token has been changed or removed

 or if an external tool added, deleted or changed token entries.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

C

One key with two different related certificateChains is added to the keystore twice

 (one entry for each certificateChain).

iaik.pkcs.pkcs11.provider.TokenManager

NF

New method getTokenKeystore(String name) for using the FastPKCS11KeyStore with the TokenManager.

Version 1.3

 Class or Package

Bug/
 Change/

New Feature

 Description and Examples

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

NF

Add SSL mode with RSA which is needed for SSL cipher suites of IBM JDK, internally calls ECB

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

NF

Support key wrapping algorithm TlsRsaPremasterSecret

iaik.pkcs.pkcs11.provider.keyagreements.PKCS11KeyAgreement

C

Return InvalidKeyException instead of NullPointerException if provided key is not a PKCS#11 provider key

iaik.pkcs.pkcs11.provider.macs

B

Fixed a bug where mac-engines open sessions but never close them again.

iaik.pkcs.pkcs11.provider.signatures

NF

Add mode RSAforSSL which is needed for SSL cipher suites of IBM JDK

iaik.pkcs.pkcs11.provider.signatures

B

Return correct algorithm name if a software key is used with a delegation provider

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

removed endless loop that occured in case of an exception when reading all token objects

iaik.pkcs.pkcs11.provider.TokenManager

B

correctly clear cached slots when finalizing

iaik.pkcs.pkcs11.provider

NF

Provider instances can now be discarded.

iaik.pkcs.pkcs11.provider

NF

Multiple fallback-providers can be handled now. Necessary if a single provider is not capable of all cryptographic operations needed.

iaik.pkcs.pkcs11.provider

NF

Added new engines which allow using the SSL mechanisms specified in PKCS#11 2.0 and newer.

iaik.pkcs.pkcs11.provider

NF

Added new engines which allow using a bunch of PKCS#11 v2.20 mechanisms.

iaik.pkcs.pkcs11.provider

NF

IAIK ECCelerateâ„¢ (if available) is used for JDK1.5 and newer, and provider then supports

 ECPrivateKey and ECPublicKey of java.security.interfaces and ECPublicKeySpec and ECPrivateKeySpec of

 java.security.spec package.

demo.pkcs.pkcs11.provider

C

Restructured and rewritten examples. They are easier to find as well as more readable and intuitive now.

Version 1.4

Class or Package

Bug/Change/
NewFeature

Description and Examples

iaik.pkcs.pkcs11.provider

B

Character array objects (e.g. object labels and PINs) are now interpreted and saved using UTF8 encoding as given in the PKCS#11 specification. Convert labels or PINs that contain special characters, e.g. by using the provided demos in the utils package of the examples. To continue using the old encoding, the property USE_UTF8_ENCODING (Constants.USE_UTF8_ENCODING) must be set to "false".

iaik.pkcs.pkcs11.provider

NF

The provider now offers Security Officer (SO) login for key creation engines.

iaik.pkcs.pkcs11.provider

C

Key creation engine specs are now easier to use. Parameters which are invariant for common use cases got removed from the main interface. That are the tokenmanager, the session type, and the session r/w behaviour. Of course these can still be accessed through newly created methods

iaik.pkcs.pkcs11.provider

NF

The provider now propagates its dynamic initialization properties to the default login manager, the default delegate provider and the default key handler.

iaik.pkcs.pkcs11.provider

B

Replaced incorrect imports of sun.security.pkcs11.wrapper.PKCS11Constants with iaik.pkcs.pkcs11.wrapper.PKCS11Constants.

iaik.pkcs.pkcs11.provider.TokenManager

C

Login/logout methods are now more intuitive to use.

iaik.pkcs.pkcs11.provider.TokenManager

B

Improved slot handling, to correctly count used slots.

iaik.pkcs.pkcs11.provider.ciphers

NF

A new spec iaik.pkcs.pkcs11.provider.ciphers.PKCS11UnwrapKeySpec is available for symmetric and asymmetric ciphers now. The new specs allow using the unwrap template offered by the C_UnwrapKey function of the PKCS11 standard.

  Version 1.5

 

Class or Package

 Bug/ Change/
 New Feature

Description and Examples

iaik.pkcs.pkcs11.provider

N

Support signature RipeMd160withECDSA, calculating the RipeMd160 hash externally.

iaik.pkcs.pkcs11.provider

C

Added some missing algorithm aliases: NONEwithRSAPss, RawPSS, NONEwithDSA, NONEwithECDSA.

iaik.pkcs.pkcs11.provider.ciphers.RsaCipher

C

Also support SHA256, SHA384 and SHA512 for RSA cipher with OAEP padding (e.g. OAEPWithSHA512AndMGF1Padding). If given hash algorithm is ShaX, also uses this algorithm in the message generation function. Otherwise, defaults to SHA1 for the mgf1. Added PKCS11OAEPParameterSpec for more detailed settings.

iaik.pkcs.pkcs11.provider.keyagreements.EcDhKeyAgreement

C

Allow ECDH key agreement also without specific ECDH parameters, which will result in CKD_NULL as default key derivation funtion.

iaik.pkcs.pkcs11.provider.DefaultDelegateProvider

C

Allow extraction of delegate provider properties.

iaik.pkcs.pkcs11.provider.DefaultLoginManager

C

Fall back to command line if no windows are available to prompt for the user pin graphically.

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

Correclty DER-encode serial numbers in X.509 certificates objects

iaik.pkcs.pkcs11.provider.TokenKeyStoreSpi

B

Allow import of keys of type EC (previously only accepted key type ECDSA).

 

print Print