How to sign a custom JCE security provider

views:

399

answers:

+2 Q:

How to sign a custom JCE security provider

Sun's PKCS11 JCE security provider is lacking some functionality we need.
So I wrote an enhanced version of it using the original sources.

Unfortunately the JCE infrastructure rejects the new provider
"JCE cannot authenticate the provider"
because it is not properly signed.

javax.crypto.JceSecurity.verifyProviderJar(...) throws.
(it calls javax.crypto.JarVerifier.verify())

Any suggestions how to sign the new provider to make it work with JCE?

+1 A:

You need at least to add the security provider to the /path/to/jre/lib/security/java.security properties file. For more details see http://java.sun.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html.

BalusC 2009-11-18 15:37:42

We do not use the config file. We add the provider at runtime using 'Security.addProvider(myProvider)'

3D-Grabber 2009-11-18 15:57:15

Then you really need to sign it. You can do that with `jarsigner`. There is no other way.

BalusC 2009-11-18 16:15:17

You mean, if we add it to the `java.security` config file we don't need to sign it?

3D-Grabber 2009-11-18 16:56:32

No. If you need to sign it, changing the security properties will make no difference.

erickson 2009-11-18 17:51:53

+2 A:

The process is described in the document, "How to Implement a Provider."

It involves emailing Sun some information (including the CSR you generated for your signing key), then faxing a confirmation document. Getting your signed certificate back from Sun can take a week or more, so plan ahead. I'm not sure if recent layoffs at Sun may have impacted this turn-around time.

You only need to sign your provider if it provides services that are restricted by some (repressive) governments, like Cipher. I assume with the message you're getting, that you are trying to provide some of those services.

If you provide any of these services, there's no way around it: You need a code-signing certificate issued by Sun. (One from IBM might work too; if I recall correctly, their code-signing CA is supported, but I don't know anything about their issuing process.)

erickson 2009-11-18 16:19:42

+2 A:

You have to sign the JAR with "JCE Code Signing CA". In all current Java distributions, only 2 CAs (Sun and IBM) are built-in (hard-coded) and there is no way to add your own. We tried to work with Sun to sign our provider and it's almost impossible. They wouldn't issue intermediate CA cert, which means you have to go through the trouble every time you make a change.

Why don't you just user your own library? You use standard API for interoperability between different JCEs. But that's not realistic for CryptoKi/SmartCard stuff right now, you almost always need to write some custom code to interact with vendor specific API. You can even make your code mimic JCE API to minimize code changes.

ZZ Coder 2009-11-18 17:07:13

I've gotten two certificates from Sun, with no trouble at all. They were very helpful and responsive.

erickson 2009-11-18 17:33:10

Do you mean you get "JCE Code Signing Certificate" from Sun? They use a special CA root for JCE "JCE Code Signing CA". So regular code signing cert doesn't work.

ZZ Coder 2009-11-18 18:21:45

Yes, I mean the cert that you need to sign a JCE provider.

erickson 2009-11-19 00:41:18

Oh, I guess our definition of trouble is different :) Getting regular code signing cert is quite easy. That's no trouble. However, Sun required us to get export license to use strong cryptography from Dept. of Commerce to issue a JCE signing cert. That's way too much trouble for us.

ZZ Coder 2009-11-19 01:12:56

That's weird. We didn't have to do that either time (we are in the US). The signature is required to prevent *import* of a provider into repressive countries, not to control export from the US.

erickson 2009-11-19 08:01:38

ansaurus

tags:

views:

answers:

How to sign a custom JCE security provider

related questions