What is the Crypto Framework all about?
The (Open)Solaris Cryptographic Framework provides cryptographic services to users and applications through commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level frameworks. The Solaris Cryptographic Framework provides these cryptographic services to applications and kernel modules in a manner seamless to the end user, and brings direct cryptographic services, like encryption and decryption for files, to the end user.
The user-level framework is responsible for providing cryptographic services to consumer applications and the end-user commands. The kernel-level framework provides cryptographic services to kernel modules and device drivers. Both frameworks give developers and users access to software-optimized cryptographic algorithms.
The programming interfaces are a front end to each of the frameworks. A library or a kernel module that provides cryptographic services can be plugged into one of the frameworks by the system administrator, making the plugin's cryptographic services available to applications or kernel modules. This flexibility allows the system administrator to plug in different cryptographic algorithm implementations or hardware-accelerated cryptographic providers.
Goals
The goal of the crypto framework is to provide the fastest available implementations (for SPARC, Intel, AMD and any future platforms) of the common cryptographic algorithms used in the network security protocols and data-at-rest security features of Solaris and layered software. In general, a consumer of the crypto framework should never need to change its code to get an improved implementation.
The framework provides load balancing (between available hardware and software implementations of cryptographic algorithms) and is designed to achieve a FIPS 140-2 certification.
The main API for userland consumers is PKCS#11. The Java JCE also has a bridge to PKCS#11 and Solaris ships with an OpenSSL ENGINE (plugin) to bridge to PKCS#11 as well.
A key management API at a higher level than PKCS#11 is also provided in OpenSolaris via the KMF (Key Management Framework) project. This includes a C programming language API and a command line tool (pktool) that can be used for creating keys and certificates as well as managing PKCS#11 tokens.
Scope
This project covers extending the framework functionality, integrating faster crypto algorithm implementations, adding new crypto algorithms, and developing hardware crypto drivers.
Consumers in OpenSolaris
Consumers of the framework in OpenSolaris include IPsec/IKE, Kerberos, SASL, KMF, GLDv3 WiFi drivers, Lofi Crypto, ZFS Crypto, Java JCE, Mozilla NSS, OpenSSL ENGINE, and SNMP.