PKCS11 testing with SoftHSM2 #805
Commits on Aug 28, 2023
Commits on Aug 29, 2023
-
-
- Fixed license headers for newly generated test key files
- removed conditional check for X448 and X25519 certificate/chains now that we have signed certs for those test key files
-
-
-
-
Commits on Aug 30, 2023
-
-
- moved softhsmimport to impl/src/test/scripts/softhsm and refactored…
… to support 'import' and 'configure' subcommands
-
-
-
-
-
-
- PKCS11 Certificate access adjustment on JVMs that don't support a d…
…iscovered algorithm
-
- PKCS11 Certificate access adjustment on JVMs that don't support a d…
…iscovered algorithm
-
- PKCS11 Certificate access adjustment on JVMs that don't support a d…
…iscovered algorithm
Commits on Sep 1, 2023
-
- Added new Curve#contains method and leveraged that to clean up code considerably in EcdhKeyAlgorithm.java
-
- Moved Curve#contains method to AbstractCurve since we don't necessa…
…rily want to make that available before ED curve calculations are ready
-
- Updated Pkcs11Test to account for nested ProviderExceptions that we…
… can't control across JVM versions w/ SoftHSM
-
- renamed Keys#associate to Keys#wrap to be a little clearer on what'…
…s happening - Updated README.md to document how to account for ECDH-ES and PKCS11 PrivateKeys
-
- renamed Keys#associate to Keys#wrap to be a little clearer on what'…
…s happening - Updated README.md to document how to account for ECDH-ES and PKCS11 PrivateKeys
-
- renamed Keys#associate to Keys#wrap to be a little clearer on what'…
…s happening - Updated README.md to document how to account for ECDH-ES and PKCS11 PrivateKeys
-
- Updated softhsm script to ensure EC key import used the pkcs11-tool…
… `--usage-derive` flag to allow testing PKCS11 keys with ECDH-ES key algorithms
-
- Renamed CryptoAlgorithm#generateKey to #generateCek to be more expl…
…icit in its purpose. - Introduced new CryptoAlgorithm#nonPkcs11Provider to ensure PKCS11 provider won't be used when required key material is required (i.e. for ephemeral key(pair) KeyAlgorithms). - Ensured CryptoAlgorithm#generateCek ignored applying a PKCS11 provider since required key material wouldn't be available otherwise.
Commits on Sep 2, 2023
-
- Renamed CryptoAlgorithm#generateKey to #generateCek to be more expl…
…icit in its purpose. - Introduced new CryptoAlgorithm#nonPkcs11Provider to ensure PKCS11 provider won't be used when required key material is required (i.e. for ephemeral key(pair) KeyAlgorithms). - Ensured CryptoAlgorithm#generateCek ignored applying a PKCS11 provider since required key material wouldn't be available otherwise. - Ensured DefaultJwtBuilder and DefaultJwtParser would use the provider for the KeyAlgorithm, but not for the AeadAlgorithm (unless using direct encryption)
-
- Adjusted test case to ensure deterministic outcomes
- Consolidated unsigned byte array length calculation for non-negative integers (used in a few places) to a new Bytes#uintLength method. Refactored other classes to use this new method to eliminate code duplication
-
- Adjusted test case to ensure deterministic outcomes
- Consolidated unsigned byte array length calculation for non-negative integers (used in a few places) to a new Bytes#uintLength method. Refactored other classes to use this new method to eliminate code duplication
-
- Added tests for JWS MAC algorithms (HS256, HS384, HS512) with PKCS1…
…1 secret keys - Explicitly prevented Password instances in DefaultMacAlgorithm - Fixed the EdwardsCurve#keyBitLength implementation to accurately reflect RFC key sizes and not encoded byte array sizes. - OptionalMethodInvoker now supports static invocations in addition to the existing instance invocation support.