changeset 3812:75216854fb53

6604496: Support for CKM_AES_CTR (counter mode) Summary: Enhanced SunPKCS11 provider to support AES/CTR/NoPadding transformation. Reviewed-by: vinnie
author valeriep
date Tue, 22 Feb 2011 12:01:35 -0800
parents b853414b8eef
children 84e339f1033b
files src/share/classes/sun/security/pkcs11/P11Cipher.java src/share/classes/sun/security/pkcs11/SunPKCS11.java src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java src/share/native/sun/security/pkcs11/wrapper/p11_convert.c src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h test/sun/security/pkcs11/Cipher/TestSymmCiphers.java test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java
diffstat 10 files changed, 345 insertions(+), 34 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs11/P11Cipher.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/classes/sun/security/pkcs11/P11Cipher.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,14 +42,12 @@
  * Cipher implementation class. This class currently supports
  * DES, DESede, AES, ARCFOUR, and Blowfish.
  *
- * This class is designed to support ECB and CBC with NoPadding and
- * PKCS5Padding for both. It will use its own padding impl if the
- * native mechanism does not support padding.
+ * This class is designed to support ECB, CBC, CTR with NoPadding
+ * and ECB, CBC with PKCS5Padding. It will use its own padding impl
+ * if the native mechanism does not support padding.
  *
- * Note that PKCS#11 current only supports ECB and CBC. There are no
- * provisions for other modes such as CFB, OFB, PCBC, or CTR mode.
- * However, CTR could be implemented relatively easily (and efficiently)
- * on top of ECB mode in this class, if need be.
+ * Note that PKCS#11 currently only supports ECB, CBC, and CTR.
+ * There are no provisions for other modes such as CFB, OFB, and PCBC.
  *
  * @author  Andreas Sterbenz
  * @since   1.5
@@ -60,6 +58,8 @@
     private final static int MODE_ECB = 3;
     // mode constant for CBC mode
     private final static int MODE_CBC = 4;
+    // mode constant for CTR mode
+    private final static int MODE_CTR = 5;
 
     // padding constant for NoPadding
     private final static int PAD_NONE = 5;
@@ -157,7 +157,7 @@
     private byte[] padBuffer;
     private int padBufferLen;
 
-    // original IV, if in MODE_CBC
+    // original IV, if in MODE_CBC or MODE_CTR
     private byte[] iv;
 
     // number of bytes buffered internally by the native mechanism and padBuffer
@@ -213,6 +213,8 @@
                         ("CBC mode not supported with stream ciphers");
             }
             result = MODE_CBC;
+        } else if (mode.equals("CTR")) {
+            result = MODE_CTR;
         } else {
             throw new NoSuchAlgorithmException("Unsupported mode " + mode);
         }
@@ -228,6 +230,10 @@
         if (padding.equals("NOPADDING")) {
             paddingType = PAD_NONE;
         } else if (padding.equals("PKCS5PADDING")) {
+            if (this.blockMode == MODE_CTR) {
+                throw new NoSuchPaddingException
+                    ("PKCS#5 padding not supported with CTR mode");
+            }
             paddingType = PAD_PKCS5;
             if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD &&
                     mechanism != CKM_AES_CBC_PAD) {
@@ -348,11 +354,14 @@
                             ("IV not used in ECB mode");
                 }
             }
-        } else { // MODE_CBC
+        } else { // MODE_CBC or MODE_CTR
             if (iv == null) {
                 if (encrypt == false) {
-                    throw new InvalidAlgorithmParameterException
-                            ("IV must be specified for decryption in CBC mode");
+                    String exMsg =
+                        (blockMode == MODE_CBC ?
+                         "IV must be specified for decryption in CBC mode" :
+                         "IV must be specified for decryption in CTR mode");
+                    throw new InvalidAlgorithmParameterException(exMsg);
                 }
                 // generate random IV
                 if (random == null) {
@@ -410,13 +419,15 @@
         if (session == null) {
             session = token.getOpSession();
         }
+        CK_MECHANISM mechParams = (blockMode == MODE_CTR?
+            new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) :
+            new CK_MECHANISM(mechanism, iv));
+
         try {
             if (encrypt) {
-                token.p11.C_EncryptInit(session.id(),
-                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
+                token.p11.C_EncryptInit(session.id(), mechParams, p11Key.keyID);
             } else {
-                token.p11.C_DecryptInit(session.id(),
-                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
+                token.p11.C_DecryptInit(session.id(), mechParams, p11Key.keyID);
             }
         } catch (PKCS11Exception ex) {
             // release session when initialization failed
--- a/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -621,6 +621,8 @@
                 m(CKM_AES_CBC_PAD, CKM_AES_CBC));
         d(CIP, "AES/ECB",                       P11Cipher,      s("AES"),
                 m(CKM_AES_ECB));
+        d(CIP, "AES/CTR/NoPadding",             P11Cipher,
+                m(CKM_AES_CTR));
         d(CIP, "Blowfish/CBC",                  P11Cipher,
                 m(CKM_BLOWFISH_CBC));
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java	Tue Feb 22 12:01:35 2011 -0800
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11.wrapper;
+
+/**
+ * This class represents the necessary parameters required by
+ * the CKM_AES_CTR mechanism as defined in CK_AES_CTR_PARAMS structure.<p>
+ * <B>PKCS#11 structure:</B>
+ * <PRE>
+ * typedef struct CK_AES_CTR_PARAMS {
+ *   CK_ULONG ulCounterBits;
+ *   CK_BYTE cb[16];
+ * } CK_AES_CTR_PARAMS;
+ * </PRE>
+ *
+ * @author Yu-Ching Valerie Peng
+ * @since   1.7
+ */
+public class CK_AES_CTR_PARAMS {
+
+    private final long ulCounterBits;
+    private final byte cb[];
+
+    public CK_AES_CTR_PARAMS(byte[] cb) {
+        ulCounterBits = 128;
+        this.cb = cb.clone();
+    }
+
+    public String toString() {
+        StringBuffer buffer = new StringBuffer();
+
+        buffer.append(Constants.INDENT);
+        buffer.append("ulCounterBits: ");
+        buffer.append(ulCounterBits);
+        buffer.append(Constants.NEWLINE);
+
+        buffer.append(Constants.INDENT);
+        buffer.append("cb: ");
+        buffer.append(Functions.toHexString(cb));
+
+        return buffer.toString();
+    }
+}
--- a/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -48,6 +48,7 @@
 package sun.security.pkcs11.wrapper;
 
 import java.math.BigInteger;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
 
 /**
  * class CK_MECHANISM specifies a particular mechanism and any parameters it
@@ -127,6 +128,10 @@
         init(mechanism, params);
     }
 
+    public CK_MECHANISM(long mechanism, CK_AES_CTR_PARAMS params) {
+        init(mechanism, params);
+    }
+
     private void init(long mechanism, Object pParameter) {
         this.mechanism = mechanism;
         this.pParameter = pParameter;
--- a/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -47,8 +47,6 @@
 
 package sun.security.pkcs11.wrapper;
 
-
-
 /**
  * This interface holds constants of the PKCS#11 v2.11 standard.
  * This is mainly the content of the 'pkcs11t.h' header file.
@@ -306,6 +304,10 @@
 
     public static final long  CKK_VENDOR_DEFINED  = 0x80000000L;
 
+    // new for v2.20 amendment 3
+    //public static final long  CKK_CAMELLIA          = 0x00000025L;
+    //public static final long  CKK_ARIA              = 0x00000026L;
+
     // pseudo key type ANY (for template manager)
     public static final long  PCKK_ANY            = 0x7FFFFF22L;
 
@@ -690,6 +692,34 @@
 
     public static final long  CKM_VENDOR_DEFINED             = 0x80000000L;
 
+    // new for v2.20 amendment 3
+    public static final long  CKM_SHA224                     = 0x00000255L;
+    public static final long  CKM_SHA224_HMAC                = 0x00000256L;
+    public static final long  CKM_SHA224_HMAC_GENERAL        = 0x00000257L;
+    public static final long  CKM_SHA224_KEY_DERIVATION      = 0x00000396L;
+    public static final long  CKM_SHA224_RSA_PKCS            = 0x00000046L;
+    public static final long  CKM_SHA224_RSA_PKCS_PSS        = 0x00000047L;
+    public static final long  CKM_AES_CTR                    = 0x00001086L;
+    /*
+    public static final long  CKM_CAMELLIA_KEY_GEN           = 0x00000550L;
+    public static final long  CKM_CAMELLIA_ECB               = 0x00000551L;
+    public static final long  CKM_CAMELLIA_CBC               = 0x00000552L;
+    public static final long  CKM_CAMELLIA_MAC               = 0x00000553L;
+    public static final long  CKM_CAMELLIA_MAC_GENERAL       = 0x00000554L;
+    public static final long  CKM_CAMELLIA_CBC_PAD           = 0x00000555L;
+    public static final long  CKM_CAMELLIA_ECB_ENCRYPT_DATA  = 0x00000556L;
+    public static final long  CKM_CAMELLIA_CBC_ENCRYPT_DATA  = 0x00000557L;
+    public static final long  CKM_CAMELLIA_CTR               = 0x00000558L;
+    public static final long  CKM_ARIA_KEY_GEN               = 0x00000560L;
+    public static final long  CKM_ARIA_ECB                   = 0x00000561L;
+    public static final long  CKM_ARIA_CBC                   = 0x00000562L;
+    public static final long  CKM_ARIA_MAC                   = 0x00000563L;
+    public static final long  CKM_ARIA_MAC_GENERAL           = 0x00000564L;
+    public static final long  CKM_ARIA_CBC_PAD               = 0x00000565L;
+    public static final long  CKM_ARIA_ECB_ENCRYPT_DATA      = 0x00000566L;
+    public static final long  CKM_ARIA_CBC_ENCRYPT_DATA      = 0x00000567L;
+    */
+
     // NSS private
     public static final long  CKM_NSS_TLS_PRF_GENERAL        = 0x80000373L;
 
@@ -881,7 +911,8 @@
 
     /* The following MGFs are defined */
     public static final long  CKG_MGF1_SHA1       =  0x00000001L;
-
+    // new for v2.20 amendment 3
+    public static final long  CKG_MGF1_SHA224     = 0x00000005L;
 
     /* The following encoding parameter sources are defined */
     public static final long  CKZ_DATA_SPECIFIED   = 0x00000001L;
--- a/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -695,6 +695,46 @@
 }
 
 /*
+ * converts the Java CK_AES_CTR_PARAMS object to a CK_AES_CTR_PARAMS structure
+ *
+ * @param env - used to call JNI funktions to get the Java classes and objects
+ * @param jParam - the Java CK_AES_CTR_PARAMS object to convert
+ * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure
+ */
+void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam,
+                                  CK_AES_CTR_PARAMS_PTR ckpParam) {
+    jclass jAesCtrParamsClass;
+    jfieldID fieldID;
+    jlong jCounterBits;
+    jobject jCb;
+    CK_BYTE_PTR ckBytes;
+    CK_ULONG ckTemp;
+
+    /* get ulCounterBits */
+    jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
+    if (jAesCtrParamsClass == NULL) { return; }
+    fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J");
+    if (fieldID == NULL) { return; }
+    jCounterBits = (*env)->GetLongField(env, jParam, fieldID);
+
+    /* get cb */
+    fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "cb", "[B");
+    if (fieldID == NULL) { return; }
+    jCb = (*env)->GetObjectField(env, jParam, fieldID);
+
+    /* populate java values */
+    ckpParam->ulCounterBits = jLongToCKULong(jCounterBits);
+    jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp);
+    if ((*env)->ExceptionCheck(env)) { return; }
+    if (ckTemp != 16) {
+        TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp);
+    } else {
+        memcpy(ckpParam->cb, ckBytes, ckTemp);
+        free(ckBytes);
+    }
+}
+
+/*
  * converts a Java CK_MECHANISM object into a CK_MECHANISM structure
  *
  * @param env - used to call JNI funktions to get the values out of the Java object
@@ -937,12 +977,10 @@
 {
     /* get all Java mechanism parameter classes */
     jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass;
-    jclass jTlsPrfParamsClass, jRsaPkcsOaepParamsClass, jPbeParamsClass;
-    jclass jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
+    jclass jTlsPrfParamsClass, jAesCtrParamsClass, jRsaPkcsOaepParamsClass;
+    jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
     jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass;
     jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass;
-
-    /* get all Java mechanism parameter classes */
     TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter");
 
     /* most common cases, i.e. NULL/byte[]/long, are already handled by
@@ -1046,6 +1084,33 @@
         return;
     }
 
+    jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
+    if (jAesCtrParamsClass == NULL) { return; }
+    if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) {
+        /*
+         * CK_AES_CTR_PARAMS
+         */
+        CK_AES_CTR_PARAMS_PTR ckpParam;
+
+        ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS));
+        if (ckpParam == NULL) {
+            JNU_ThrowOutOfMemoryError(env, 0);
+            return;
+        }
+
+        /* convert jParameter to CKParameter */
+        jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam);
+        if ((*env)->ExceptionCheck(env)) {
+            free(ckpParam);
+            return;
+        }
+
+        /* get length and pointer of parameter */
+        *ckpLength = sizeof(CK_AES_CTR_PARAMS);
+        *ckpParamPtr = ckpParam;
+        return;
+    }
+
     jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
     if (jRsaPkcsOaepParamsClass == NULL) { return; }
     if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h	Tue Feb 22 12:01:35 2011 -0800
@@ -0,0 +1,124 @@
+/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3
+   document. */
+
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or
+ * referencing this software.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This file is preferably included after inclusion of pkcs11.h */
+
+#ifndef _PKCS_11V2_20A3_H_
+#define _PKCS_11V2_20A3_H_ 1
+
+/* Are the definitions of this file already included in pkcs11t.h ? */
+#ifndef CKK_CAMELLIA
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Key types */
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_CAMELLIA                   0x00000025
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_ARIA                       0x00000026
+
+
+/* Mask-generating functions */
+
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKG_MGF1_SHA224                0x00000005
+
+
+/* Mechanism Identifiers */
+
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224                     0x00000255
+#define CKM_SHA224_HMAC                0x00000256
+#define CKM_SHA224_HMAC_GENERAL        0x00000257
+
+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_KEY_DERIVATION      0x00000396
+
+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_RSA_PKCS            0x00000046
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
+
+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_AES_CTR                    0x00001086
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_CAMELLIA_KEY_GEN           0x00000550
+#define CKM_CAMELLIA_ECB               0x00000551
+#define CKM_CAMELLIA_CBC               0x00000552
+#define CKM_CAMELLIA_MAC               0x00000553
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
+#define CKM_CAMELLIA_CBC_PAD           0x00000555
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
+#define CKM_CAMELLIA_CTR               0x00000558
+
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_ARIA_KEY_GEN               0x00000560
+#define CKM_ARIA_ECB                   0x00000561
+#define CKM_ARIA_CBC                   0x00000562
+#define CKM_ARIA_MAC                   0x00000563
+#define CKM_ARIA_MAC_GENERAL           0x00000564
+#define CKM_ARIA_CBC_PAD               0x00000565
+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
+
+
+/* Mechanism parameters */
+
+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_AES_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+#endif
--- a/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	Tue Feb 22 14:44:43 2011 +0000
+++ b/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -153,6 +153,7 @@
 #include "p11_md.h"
 
 #include "pkcs11.h"
+#include "pkcs-11v2-20a3.h"
 #include <jni.h>
 #include <jni_util.h>
 
@@ -272,6 +273,7 @@
 #define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS"
 #define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS"
 #define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS"
+#define CLASS_AES_CTR_PARAMS "sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS"
 
 /* function to convert a PKCS#11 return value other than CK_OK into a Java Exception
  * or to throw a PKCS11RuntimeException
--- a/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /**
  * @test %I% %E%
- * @bug 4898461
+ * @bug 4898461 6604496
  * @summary basic test for symmetric ciphers with padding
  * @author Valerie Peng
  * @library ..
@@ -70,9 +70,13 @@
         new CI("DES/ECB/PKCS5Padding", "DES", 6400),
         new CI("DESede/ECB/PKCS5Padding", "DESede", 400),
         new CI("AES/ECB/PKCS5Padding", "AES", 64),
+
         new CI("DES", "DES", 6400),
         new CI("DESede", "DESede", 408),
-        new CI("AES", "AES", 128)
+        new CI("AES", "AES", 128),
+
+        new CI("AES/CTR/NoPadding", "AES", 3200)
+
     };
     private static StringBuffer debugBuf = new StringBuffer();
 
--- a/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java	Tue Feb 22 14:44:43 2011 +0000
+++ b/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java	Tue Feb 22 12:01:35 2011 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /**
  * @test
- * @bug 4898484
+ * @bug 4898484 6604496
  * @summary basic test for symmetric ciphers with no padding
  * @author Valerie Peng
  * @library ..
@@ -59,7 +59,8 @@
         new CI("DES/CBC/NoPadding", "DES", 400),
         new CI("DESede/CBC/NoPadding", "DESede", 160),
         new CI("AES/CBC/NoPadding", "AES", 4800),
-        new CI("Blowfish/CBC/NoPadding", "Blowfish", 24)
+        new CI("Blowfish/CBC/NoPadding", "Blowfish", 24),
+        new CI("AES/CTR/NoPadding", "AES", 1600)
     };
 
     private static StringBuffer debugBuf;