I am currently in the process of coming up with a PKCS#11 library with minimal functions such that my legacy HSM is able to support the Oracle Database 11g transparent data encryption (TDE). I do not want to come up with the complete PKCS#11 library with all the functions since all I need is to support the Oracle database. In addition, coding all the functions would take too much development effort and would be overkill.
Does anybody have any idea which PKCS#11 functions "Oracle Database 11g Release 2 (11.2)" makes use of to support TDE with an HSM?
Most probably at least the following:
- C_GetFunctionList
- C_Initialize
- C_GetSlotList
- C_OpenSession
- C_Login
- C_FindObjectsInit
- C_FindObjects
- C_FindObjectsFinal
- C_EncryptInit
- C_Encrypt (or C_EncryptUpdate and C_EncryptFinal)
- C_DecryptInit
- C_Decrypt (or C_DecryptUpdate and C_DecryptFinal)
You can use OpenSC pkcs11-spy to sniff on Oracle to see which functions it actually uses and with what kind of parameters.
The following answer is quoted from the Oracle Forum:
I checked the 11.2 code and you need to implement these functions for use with TDE:
- C_Initialize
- C_GetFunctionList
- C_GetInfo
- C_GetSlotList
- C_OpenSession
- C_Login
- C_CloseSession
- C_Finalize
- C_GenerateKey
- C_FindObjectsInit
- C_FindObjects
- C_FindObjectsFinal
- C_EncryptInit
- C_Encrypt
- C_DecryptInit
- C_Decrypt
- C_CloseSession
It is also recommended to implement C_GenerateKeyPair so it can be used by the Wallet Manager to create a certificate request.
I used OpenSC's pkcs11-spy and found out that the Oracle 11g R2 Wallet Manager also calls C_GenerateKeyPair, C_SignInit, and C_Sign during the certificate request process.
Oscar
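Both the suggestion to sniff Oracle with pkcs11-spy and Oscar's report of what the Wallet Manager calls come down to reading the spy log. The script below is an added example (not from the original answers or from OpenSC) that parses a constructed excerpt in the shape of a pkcs11-spy log, lists every function the application invoked with its return codes, and reports which calls a minimal library would have to add; the log line format is an assumption from memory of pkcs11-spy output.

```python
import re
from collections import Counter, OrderedDict

# Constructed excerpt shaped like an OpenSC pkcs11-spy log (format is an assumption):
# each call opens with "<n>: C_<Name>" and closes with "Returned: <rv> <CKR_NAME>".
SAMPLE_LOG = """\
0: C_GetFunctionList
Returned:  0 CKR_OK

1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

2: C_GetInfo
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED

3: C_FindObjects
Returned:  0 CKR_OK

4: C_FindObjects
Returned:  0 CKR_OK

5: C_GenerateKeyPair
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED
"""

CALL_RE = re.compile(r"^\d+:\s+(C_\w+)\s*$")
RET_RE = re.compile(r"^Returned:\s+\d+\s+(CKR_\w+)")

def parse_spy_log(text):
    """Map each PKCS#11 function seen to a Counter of the return codes it produced."""
    calls = OrderedDict()
    current = None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = m.group(1)
            calls.setdefault(current, Counter())
            continue
        m = RET_RE.match(line)
        if m and current is not None:
            calls[current][m.group(1)] += 1
            current = None  # each call block ends at its "Returned" line
    return calls

def missing_functions(text, implemented):
    """Functions the application called that a minimal library still has to provide."""
    return [f for f, rcs in parse_spy_log(text).items()
            if f not in implemented or "CKR_FUNCTION_NOT_SUPPORTED" in rcs]
```

Run it against the real spy output (PKCS11SPY pointed at the HSM library, Oracle pointed at pkcs11-spy) and pass the set of functions your stub library implements to `missing_functions` to get the gap list.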