Is there any way I can make 64 bit java support PKCS11 module?

PKCS11 module is supported on 32 bit Java and it also works fine. My signing process always runs out of memory when I use the 32 bit Java. I currently have 128gb ram so I would like to allocate more than 4gb for my signing process which isn't possible on 32 bit version.

Ace
  • comparing https://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#Requirements and https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#Requirements you should try java 8 – zapl May 18 '16 at 08:27
  • See here: http://stackoverflow.com/questions/8056818/accessing-hardware-pkcs11-token-on-a-64-bit-machine – erikvimz May 18 '16 at 08:27
  • Why do you run out of memory? Is the signing process really that memory intensive? – Kayaman May 18 '16 at 08:31
  • @Kayaman Yes the process is memory intensive. – Ace May 18 '16 at 08:35
  • @zapl I am using Jboss 7.1.1, I can not move to Java 8. – Ace May 18 '16 at 08:36
  • You can potentially patch jboss 7: https://developer.jboss.org/thread/223739 , upgrade to wildfly 8, 9 or 10, or try if you can make the mentioned alternative work for you: http://stackoverflow.com/questions/27373124/64-bit-alternative-to-sunpkcs11-implementation – zapl May 18 '16 at 08:53
  • ***Why*** is it memory-intensive? It shouldn't be. Post some code. – user207421 May 21 '16 at 09:49
  • 64 bit Java has supported PKCS#11 with 64-bit driver for as long as I can remember on Linux systems. Maybe you are thinking of Oracle Java on Windows? In that case you will need to use Java 8. – Markus Jul 17 '16 at 19:24
  • @Markus Right now using Java 8 isn't an option, was looking for way to get it working with Java 7 itself. – Ace Jul 19 '16 at 06:22

1 Answer


First of all, you should be looking at why the memory process is that intensive. It could be that you are able to factor out the hashing from the operation with the private key (padding, modular exponentiation, encoding). That the signing process takes so much memory indicates that something is wrong. It could be as simple as calling Signature#update instead of Signature#doFinal directly.

As for the 32 bit .dll, no, you cannot just load that into a 64 bit application such as the JVM. For instance, take a look here to see that this would not work. There are of course ways around it; create a separate 64 bit process, connect to that using your own SignatureSpi class in your own Java provider (which needs to be signed using a key provided by Oracle). Needless to say, that's a lot of work for fixing something that should just work.

It's of course a shame to go through all this trouble while you have a very high end system without a valid upgrade strategy, using a deprecated version of Java. You should focus on fixing that first. You should also wonder why you cannot get a 64 bit PKCS#11 .dll for your situation.

Community
Maarten Bodewes
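The answer's point about keeping the hashing separate from the private-key operation, as an added example that is not part of the original answer: the input is fed to `Signature.update` in fixed-size chunks, so heap use stays constant regardless of input size. Assumptions: a software RSA key and the `SHA256withRSA` algorithm stand in for the asker's token key and algorithm, and the class name `StreamingSign` and method `signStream` are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.util.Arrays;

public class StreamingSign {
    // Streams the input through the Signature object. Only one 64 KiB buffer
    // and the running hash state are held in memory, whatever the input size.
    static byte[] signStream(PrivateKey key, InputStream in)
            throws GeneralSecurityException, IOException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        byte[] buf = new byte[64 * 1024];
        int n;
        while ((n = in.read(buf)) != -1) {
            sig.update(buf, 0, n);      // updates the running hash with this chunk
        }
        return sig.sign();              // finalizes the hash, then uses the private key
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a generated software key stands in for the token key; with
        // a PKCS#11 token the PrivateKey would come from the provider's KeyStore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample input: 8 MiB of a repeating byte pattern.
        byte[] data = new byte[8 * 1024 * 1024];
        for (int i = 0; i < data.length; i++) data[i] = (byte) i;

        byte[] streamed;
        try (InputStream in = new ByteArrayInputStream(data)) {
            streamed = signStream(kp.getPrivate(), in);
        }

        // One-shot signing of the same bytes, for comparison only.
        Signature oneShot = Signature.getInstance("SHA256withRSA");
        oneShot.initSign(kp.getPrivate());
        oneShot.update(data);
        byte[] whole = oneShot.sign();

        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(data);
        System.out.println("streamed signature verifies: " + v.verify(streamed));
        System.out.println("identical to one-shot: " + Arrays.equals(streamed, whole));
    }
}
```

In a real signing job the `InputStream` would be a `FileInputStream` over the document, so the file is never loaded into the heap as a whole.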