000027719 - How to statically register only the Crypto-J JsafeJCE JCE provider without the Sun provider

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000027719
Applies To: Crypto-J 5.0, JCE Provider
Issue: How to statically register only the Crypto-J JsafeJCE JCE provider without the Sun provider

When only JsafeJCE is registered, with no other providers, JsafeJCE does not show up as an available provider. For example, with the Sun provider in 2nd position, the following test code prints the details of both the JsafeJCE and Sun providers; without the Sun provider in 2nd position, neither provider is listed:


import java.security.Provider;
import java.security.Provider.Service;
import java.security.Security;
import java.util.Enumeration;
import java.util.Set;

public class SecurityProviders {
    public static void main(String[] args) {
        System.out.println("Security Provider Info: ");
        // Walk every provider currently registered with the JCA/JCE framework.
        for (Provider provider : Security.getProviders()) {
            System.out.printf("provider: %s (%s)%n", provider, provider.getClass());
            // Each provider advertises its services (Cipher, Signature, ...) by type and algorithm.
            Set<Service> services = provider.getServices();
            for (Service service : services) {
                System.out.printf("  service: %s, algorithm: %s, class: %s%n",
                        service.getType(), service.getAlgorithm(), service.getClassName());
            }
            // Provider extends Properties, so its raw property table can be dumped as well.
            Enumeration<?> names = provider.propertyNames();
            while (names.hasMoreElements()) {
                Object name = names.nextElement();
                System.out.printf("  property '%s': '%s'%n", name, provider.get(name));
            }
            System.out.println();
        }
        System.out.println("End Security Provider Info");
    }
}

Cause

According to Sun's security guidelines, a JCE provider should perform a self-integrity check of its jar file to ensure that the jar has not been tampered with.

http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html#MutualAuth

"Providers that provide implementations for JCE services must be digitally signed and should be signed with a certificate issued by "trusted" Certification Authorities. Currently, the following two Certification Authorities are considered "trusted":

Sun Microsystems' JCE Code Signing CA, and

IBM JCE Code Signing CA."

Crypto-J verifies this signature inside its own code, and that verification requires the Sun provider to be present on the provider list.

Resolution

However, since this is a recommendation ("should" as opposed to "must"), the jar verification can be turned off with the "com.rsa.cryptoj.jce.no.verify.jar" security property.


If the java.security file is used to register the providers, set this property to true before the entry that registers the security provider:


com.rsa.cryptoj.jce.no.verify.jar=true


security.provider.1=com.rsa.jsafe.provider.JsafeJCE


This bypasses the jar verification step. The test code in the symptom description above can be used to verify that JsafeJCE is now listed.
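The same resolution applied programmatically, as an added example that is not part of the RSA article and not Crypto-J's own code. It assumes that Crypto-J reads the property through Security.getProperty, so that Security.setProperty is equivalent to the java.security entry above, and that the provider's registered name is "JsafeJCE"; the provider class name comes from the article's java.security snippet. The Crypto-J jar must be on the classpath at run time, but the class is loaded reflectively so the example compiles without it.

```java
import java.security.Provider;
import java.security.Security;

/**
 * Added example: registers JsafeJCE from code instead of java.security and
 * confirms that the provider is actually visible to the JCE framework.
 * Run with "--no-verify-jar" to apply the article's workaround.
 */
public class RegisterJsafeJce {

    // Provider class, as given in the article's java.security snippet.
    private static final String PROVIDER_CLASS = "com.rsa.jsafe.provider.JsafeJCE";
    // Registered provider name; assumed to be "JsafeJCE".
    private static final String PROVIDER_NAME = "JsafeJCE";
    // Security property from the article that disables the jar self-integrity check.
    private static final String NO_VERIFY_PROPERTY = "com.rsa.cryptoj.jce.no.verify.jar";

    /**
     * Registers JsafeJCE at the requested position (1 = highest priority) and
     * returns the provider as the framework now sees it, or null if it is not listed.
     * When skipJarVerification is true the property is set before registration,
     * because the check runs when the provider is instantiated or first used.
     */
    public static Provider register(int position, boolean skipJarVerification) throws Exception {
        if (skipJarVerification) {
            // Assumption: Crypto-J consults Security.getProperty for this flag.
            Security.setProperty(NO_VERIFY_PROPERTY, "true");
        }
        // Reflective load so the example compiles without the Crypto-J jar on the compile classpath.
        Provider provider = (Provider) Class.forName(PROVIDER_CLASS)
                .getDeclaredConstructor().newInstance();
        int actual = Security.insertProviderAt(provider, position);
        if (actual == -1) {
            // Already installed, e.g. via java.security; report where it sits.
            System.out.println("JsafeJCE was already registered");
        } else {
            System.out.printf("JsafeJCE inserted at position %d%n", actual);
        }
        // The decisive check: a provider whose self-integrity check failed is not returned here.
        return Security.getProvider(PROVIDER_NAME);
    }

    public static void main(String[] args) throws Exception {
        boolean skip = args.length > 0 && "--no-verify-jar".equals(args[0]);
        Provider p = register(1, skip);
        if (p == null) {
            System.out.println("JsafeJCE is not available: jar verification may have failed "
                    + "(is the Sun provider registered, or is " + NO_VERIFY_PROPERTY + " set?)");
            return;
        }
        System.out.printf("Available: %s %s (%s)%n", p.getName(), p.getVersionStr(), p.getInfo());
        // Print the full provider order, the same view the article's SecurityProviders class gives.
        int i = 1;
        for (Provider provider : Security.getProviders()) {
            System.out.printf("%d: %s%n", i++, provider.getName());
        }
    }
}
```

Setting the property disables the jar's self-integrity check for the whole JVM, so it trades an integrity control for provider ordering; where the Sun provider can stay registered in a lower position, leaving the check enabled is the conservative choice, and the register() return value is the signal to watch either way.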

Legacy Article ID: a54174
