I'm presently in the process of writing a PKCS#11 library with a minimal set of functions so that my legacy HSM can support Oracle Database 11g transparent data encryption (TDE). I don't want to develop the entire PKCS#11 library with all of its functions, since all I want is to support Oracle Database. Additionally, coding all the functions would require too lengthy a development effort and would be overkill.
Does anybody have ideas regarding which PKCS#11 functions "Oracle Database 11g Release 2 (11.2)" uses to support TDE with an HSM?
Most likely at least the following:
- C_Secure or
- C_Decrypt or
You could use OpenSC's pkcs11-spy to sniff on Oracle and determine which functions it really uses, and with what parameters.
The following answer is quoted from the Oracle Forum:
I checked the 11.2 code and you have to implement these functions to be used with TDE:
C_Initialize C_GetFunctionList C_GetInfo C_GetSlotList C_OpenSession C_Login C_CloseSession C_Finalize C_GenerateKey C_FindObjectsInit C_FindObjects C_FindObjectsFinal C_EncryptInit C_Encrypt C_DecryptInit C_Decrypt C_CloseSession
It's also suggested to implement
C_GenerateKeyPair, so that it can be used by the wallet manager to produce a certificate request.
I used OpenSC's pkcs11-spy and found that Oracle 11g R2 Wallet Manager also calls C_GenerateKeyPair, C_SignInit, and C_Sign during the certificate request process.
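The two answers above suggest tracing Oracle with OpenSC's pkcs11-spy and then implementing only the functions it actually calls. The script below, an added example that is not part of any post in this thread, parses a pkcs11-spy style trace and compares the functions seen against the list quoted from the Oracle Forum plus the three Wallet Manager extras. The embedded trace is constructed to mimic pkcs11-spy's "N: C_Function ... Returned: rv CKR_xxx" layout and is not a real capture; the function names `parse_spy_log`, `summarize` and `missing_from_trace` are this example's own.

```python
import re
from collections import Counter

# Functions the Oracle Forum answer lists as required for TDE (from the thread above).
TDE_REQUIRED = {
    "C_Initialize", "C_GetFunctionList", "C_GetInfo", "C_GetSlotList",
    "C_OpenSession", "C_Login", "C_CloseSession", "C_Finalize",
    "C_GenerateKey", "C_FindObjectsInit", "C_FindObjects", "C_FindObjectsFinal",
    "C_EncryptInit", "C_Encrypt", "C_DecryptInit", "C_Decrypt",
}
# Extra functions Wallet Manager was observed calling during a certificate request.
WALLET_EXTRA = {"C_GenerateKeyPair", "C_SignInit", "C_Sign"}

# pkcs11-spy prints a call as "<seq>: C_Function" and its result as "Returned: <rv> CKR_xxx".
CALL_RE = re.compile(r"^\s*(\d+): (C_\w+)\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)")

# Constructed sample trace (not a real capture); the last call is a deliberate
# example of the HSM library rejecting a function it does not implement.
SAMPLE_LOG = """\
0: C_GetFunctionList
2011-01-01 10:00:00.000
Returned:  0 CKR_OK

1: C_Initialize
2011-01-01 10:00:00.001
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

2: C_GetSlotList
[in] tokenPresent = 0x1
Returned:  0 CKR_OK

3: C_OpenSession
Returned:  0 CKR_OK

4: C_Login
[in] userType = CKU_USER
Returned:  0 CKR_OK

5: C_FindObjectsInit
Returned:  0 CKR_OK
6: C_FindObjects
Returned:  0 CKR_OK
7: C_FindObjectsFinal
Returned:  0 CKR_OK
8: C_WrapKey
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED
"""


def parse_spy_log(text):
    """Return a list of {'seq', 'func', 'rv'} dicts, one per traced call."""
    calls = []
    current = None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = {"seq": int(m.group(1)), "func": m.group(2), "rv": None}
            calls.append(current)
            continue
        m = RET_RE.match(line)
        if m and current is not None:
            current["rv"] = m.group(2)   # keep the symbolic CKR_ name
            current = None
    return calls


def summarize(calls):
    """Count calls per function and flag failures and functions outside the known lists."""
    counts = Counter(c["func"] for c in calls)
    failed = sorted({c["func"] for c in calls if c["rv"] not in (None, "CKR_OK")})
    unexpected = sorted(set(counts) - TDE_REQUIRED - WALLET_EXTRA)
    return {"counts": dict(counts), "failed": failed, "unexpected": unexpected}


def missing_from_trace(calls):
    """Required TDE functions that this trace never exercised (so are still untested)."""
    seen = {c["func"] for c in calls}
    return sorted(TDE_REQUIRED - seen)


if __name__ == "__main__":
    calls = parse_spy_log(SAMPLE_LOG)
    report = summarize(calls)
    print("calls per function:", report["counts"])
    print("failed calls:", report["failed"])
    print("not in the known lists:", report["unexpected"])
    print("required but not exercised here:", missing_from_trace(calls))
```

Running it against a real pkcs11-spy trace of a full TDE setup (open wallet, generate master key, encrypt and decrypt a tablespace) shows two things at once: which of the quoted functions your minimal library must really implement, and whether Oracle tries anything beyond that list, which would surface as a non-CKR_OK return such as CKR_FUNCTION_NOT_SUPPORTED.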