I'm currently working on a PKCS#11 library with a minimal set of functions so that my legacy HSM can support Oracle Database 11g Transparent Data Encryption (TDE). I don't want to implement the entire PKCS#11 function set, since all I need is to support Oracle Database. Also, coding every function would take too much development effort and would be overkill.

Does anybody know which PKCS#11 functions "Oracle Database 11g Release 2 (11.2)" uses to support TDE with an HSM?

Most likely at least the following:

  • C_GetFunctionList
  • C_Initialize
  • C_GetSlotList
  • C_OpenSession
  • C_Login
  • C_FindObjectsInit
  • C_FindObjects
  • C_FindObjectsFinal
  • C_EncryptInit
  • C_Encrypt or
  • C_EncryptUpdate
  • C_EncryptFinal
  • C_DecryptInit
  • C_Decrypt or
  • C_DecryptUpdate
  • C_DecryptFinal

You should use OpenSC's pkcs11-spy to trace Oracle and determine which functions it really uses, and with which parameters.
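One way to act on that pkcs11-spy suggestion, as an added example that is not part of the original answer: a small Python script that summarises a spy trace (the sample trace is constructed, and the line format is an assumption described in the comments) to list which functions the application called, how often, and which ones the library answered with an error, so that a function missing from a minimal library shows up as CKR_FUNCTION_NOT_SUPPORTED rather than going unnoticed.

```python
# Added example (not from the thread): summarise a pkcs11-spy trace to see which
# PKCS#11 functions the application really calls and which of them the library failed.
# Assumed trace format: each call starts "N: C_Name" and ends "Returned:  <code> <CKR_NAME>".
import re
from collections import Counter

# Constructed sample trace in pkcs11-spy style (not a real Oracle capture); [in] lines are ignored.
SAMPLE_TRACE = """\
0: C_GetFunctionList
Returned:  0 CKR_OK
1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK
2: C_OpenSession
Returned:  0 CKR_OK
3: C_Login
Returned:  0 CKR_OK
4: C_FindObjectsInit
Returned:  0 CKR_OK
5: C_FindObjects
Returned:  0 CKR_OK
6: C_GenerateKey
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED
7: C_FindObjects
Returned:  0 CKR_OK
"""

CALL_RE = re.compile(r"^\d+: (C_\w+)$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)$")

def parse_trace(text):
    """Return one (function, return_code_name) pair per traced call."""
    calls, current = [], None
    for line in text.splitlines():
        call = CALL_RE.match(line)
        if call:
            current = call.group(1)                 # a new call begins
        elif current:
            ret = RET_RE.match(line)
            if ret:                                 # the current call ends here
                calls.append((current, ret.group(2)))
                current = None
    return calls

def summarise(text):
    """Call counts per function, plus the functions the library did not serve."""
    calls = parse_trace(text)
    counts = Counter(fn for fn, _ in calls)
    failed = sorted({fn for fn, rv in calls if rv != "CKR_OK"})
    return counts, failed
```

Run it against a real trace by reading the spy log file into `summarise`; every function in the failed list is one the minimal library still has to implement.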

The following response is quoted from the Oracle Forum:

I checked the 11.2 code, and you have to implement these functions to be used with TDE:

C_Initialize
C_GetFunctionList
C_GetInfo
C_GetSlotList
C_OpenSession
C_Login
C_CloseSession
C_Finalize
C_GenerateKey
C_FindObjectsInit
C_FindObjects
C_FindObjectsFinal
C_EncryptInit
C_Encrypt
C_DecryptInit
C_Decrypt
C_CloseSession

It's also suggested to implement C_GenerateKeyPair so that it can be used by Wallet Manager to generate a certificate request.

I used OpenSC's pkcs11-spy and found that Oracle 11g R2 Wallet Manager also calls C_GenerateKeyPair, C_SignInit, and C_Sign during the certificate request process.

Oscar