
Which PKCS#11 functions does Oracle Database 11g make use of?

I am currently in the process of writing a PKCS#11 library with a minimal set of functions so that my legacy HSM is able to support Oracle Database 11g Transparent Data Encryption (TDE). I do not want to write the complete PKCS#11 library with all the functions, since all I need is to support Oracle Database. In addition, coding all the functions would take too long a development effort, and it would be overkill to do so.

Does anybody have any idea which PKCS#11 functions "Oracle Database 11g Release 2 (11.2)" makes use of for supporting TDE with an HSM?


Most probably at least the following:

  • C_GetFunctionList
  • C_Initialize
  • C_GetSlotList
  • C_OpenSession
  • C_Login
  • C_FindObjectsInit
  • C_FindObjects
  • C_FindObjectsFinal
  • C_EncryptInit
  • C_Encrypt, or C_EncryptUpdate + C_EncryptFinal
  • C_DecryptInit
  • C_Decrypt, or C_DecryptUpdate + C_DecryptFinal

You can use OpenSC's pkcs11-spy to sniff Oracle's calls and see which functions it actually uses and with what kind of parameters.


The following answer is quoted from the Oracle Forum:

I checked the 11.2 code and you need to implement these functions for use with TDE:

C_Initialize
C_GetFunctionList
C_GetInfo
C_GetSlotList
C_OpenSession
C_Login
C_CloseSession
C_Finalize
C_GenerateKey
C_FindObjectsInit
C_FindObjects
C_FindObjectsFinal
C_EncryptInit
C_Encrypt
C_DecryptInit
C_Decrypt
C_CloseSession

It is also recommended to implement C_GenerateKeyPair so it can be used by Wallet Manager to create a certificate request.


I used OpenSC's pkcs11-spy and found out that Oracle 11g R2 Wallet Manager would also call C_GenerateKeyPair, C_SignInit, and C_Sign during the certificate request process.

Oscar
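Two of the answers above recommend tracing Oracle through OpenSC's pkcs11-spy, and the quoted Oracle Forum post gives the list of functions 11.2 TDE needs. The script below, an added example that is not part of the original thread or of OpenSC or Oracle, ties the two together: it parses a pkcs11-spy log, lists the functions in first-use order, flags any call that did not return CKR_OK, and reports which functions on the forum list (plus the three Wallet Manager calls from the last answer) the trace did or did not exercise. It assumes pkcs11-spy's record layout of a `N: C_Function` header followed by a `Returned:  <rv> <CKR_name>` line; the embedded log is constructed for illustration (made-up library path, slot and session values), not a real Oracle trace.

```python
import re
from collections import Counter

# Functions the Oracle Forum post quoted above says 11.2 TDE needs.
TDE_REQUIRED = [
    "C_Initialize", "C_GetFunctionList", "C_GetInfo", "C_GetSlotList",
    "C_OpenSession", "C_Login", "C_CloseSession", "C_Finalize",
    "C_GenerateKey", "C_FindObjectsInit", "C_FindObjects",
    "C_FindObjectsFinal", "C_EncryptInit", "C_Encrypt",
    "C_DecryptInit", "C_Decrypt",
]
# Extra calls the last answer saw Wallet Manager make for a certificate request.
WALLET_MANAGER_EXTRA = ["C_GenerateKeyPair", "C_SignInit", "C_Sign"]

# Constructed sample in the shape pkcs11-spy writes: a "N: C_Function" header
# per call, optional timestamp and "[in]"/"[out]" argument lines, then
# "Returned:  <rv> <CKR_name>".  Path, slot and session values are made up and
# most argument lines are left out; this is NOT a real Oracle trace.
SAMPLE_LOG = """\
*************** OpenSC PKCS#11 spy *****************
Loaded: "/opt/hsm/lib/libvendor-pkcs11.so"

0: C_GetFunctionList
2024-01-01 10:00:00.000
Returned:  0 CKR_OK

1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

2: C_GetSlotList
[in] tokenPresent = 0x1
Returned:  0 CKR_OK

3: C_OpenSession
[in] flags = 0x6
Returned:  0 CKR_OK

4: C_Login
[in] userType = CKU_USER
Returned:  0 CKR_OK

5: C_FindObjectsInit
Returned:  0 CKR_OK

6: C_FindObjects
Returned:  0 CKR_OK

7: C_FindObjectsFinal
Returned:  0 CKR_OK

8: C_EncryptInit
Returned:  0 CKR_OK

9: C_Encrypt
Returned:  0 CKR_OK

10: C_DecryptInit
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED

11: C_Logout
Returned:  0 CKR_OK
"""

CALL_RE = re.compile(r"^\d+: (C_[A-Za-z]+)\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(\S+)")


def parse_spy_log(text):
    """Return [(function, rv, rv_name), ...] in call order."""
    calls, pending = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:                       # start of a new call record
            pending = m.group(1)
            continue
        m = RET_RE.match(line)
        if m and pending is not None:   # return line closes the record
            calls.append((pending, int(m.group(1)), m.group(2)))
            pending = None
    return calls


def coverage(calls, required):
    """Compare what the trace exercised against a required-function list."""
    used = []                       # first-use order, no duplicates
    for fn, _, _ in calls:
        if fn not in used:
            used.append(fn)
    return {
        "used": used,
        "counts": Counter(fn for fn, _, _ in calls),
        "failed": [(fn, name) for fn, rv, name in calls if rv != 0],
        "missing": [f for f in required if f not in used],
        "unexpected": [f for f in used if f not in required],
    }


if __name__ == "__main__":
    r = coverage(parse_spy_log(SAMPLE_LOG), TDE_REQUIRED + WALLET_MANAGER_EXTRA)
    print("Called (first-use order):", ", ".join(r["used"]))
    print("Non-CKR_OK returns:", r["failed"])
    print("Required but not seen in this trace:", ", ".join(r["missing"]))
    print("Seen but not on the list:", ", ".join(r["unexpected"]))
```

To produce a real log, pkcs11-spy is loaded in place of the vendor module and reads the real module's path from the PKCS11SPY environment variable (PKCS11SPY_OUTPUT names the log file). Two caveats when reading the result: a trace only shows the code path that was exercised, so drive the whole TDE lifecycle (wallet open, master key creation and rekey, encrypt and decrypt, database shutdown) before trusting the "missing" list; and however short the final list is, the PKCS#11 specification requires every entry of CK_FUNCTION_LIST to be a valid pointer, so the functions you leave out should return CKR_FUNCTION_NOT_SUPPORTED rather than be left NULL, which is exactly the kind of return the "failed" list above would surface.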
