PKCS 11 v2.20

Crypto Framework support for v2.20

Background

The current OpenSolaris PKCS #11 implementation for libpkcs11,
pkcs11_softtoken, and pkcs11_kernel (and thus drv/crypto ioctls), is
PKCS #11 v2.20.  libpkcs11 (aka userland framework library) supports
loading any PKCS #11 v2.x module.  Since the PKCS #11 API compatibility
requirements are very strict we can do this.  Solaris 10 FCS shipped with
PKCS#11 v2.11 support.

Milestones

• snv_17
     - SHA2 (SHA256/384/512) integrated for kernel consumers
• snv_25
     - SHA2 hash code has been integrated already and is available for
       kcf consumers. Added to pkcs11_softtoken in snv_25
     - Blowfish suuport brought to pkcs11_softtoken for userland consumers.
• snv_28
     - TLS_PRF (Transport Layer Security Pseudo-Random Function) support.

Future Projects

Below are a list of projects to enhance v2.20 support, they are
currently not a high priority:

- Growing C_GetSlotList
Not started yet.  We used to have this functionality in pkcs11_kernel,
but since we supported v2.11 of PKCS#11 it was actually a bug and we
removed it, so this should be pretty easy for pkcs11_kernel.  libpkcs11
needs to take MetaSlot into account.  We have postponded making this
change just now until we better understand how MetaSlot could use this.

- CKU_CONTEXT_SPECIFIC, CKA_CHECK_VALUE
No consumers (ie: NSS, Java, JES Webserver) need this functionality.
The decision is to wait when/if adoption of this becomes about.