Sun's PKCS11 JCE security provider is lacking some functionality we need.
So I wrote an enhanced version of it using the original sources.

Unfortunately the JCE infrastructure rejects the new provider
"JCE cannot authenticate the provider"
because it is not properly signed.

javax.crypto.JceSecurity.verifyProviderJar(...) throws.
(it calls javax.crypto.JarVerifier.verify())

Any suggestions how to sign the new provider to make it work with JCE?

+1  A: 

You need at least to add the security provider to the /path/to/jre/lib/security/java.security properties file. For more details see http://java.sun.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html.

BalusC
We do not use the config file. We add the provider at runtime using 'Security.addProvider(myProvider)'
3D-Grabber
Then you really need to sign it. You can do that with `jarsigner`. There is no other way.
BalusC
You mean, if we add it to the `java.security` config file we don't need to sign it?
3D-Grabber
No. If you need to sign it, changing the security properties will make no difference.
erickson
+2  A: 

The process is described in the document, "How to Implement a Provider."

It involves emailing Sun some information (including the CSR you generated for your signing key), then faxing a confirmation document. Getting your signed certificate back from Sun can take a week or more, so plan ahead. I'm not sure if recent layoffs at Sun may have impacted this turn-around time.

You only need to sign your provider if it provides services that are restricted by some (repressive) governments, like Cipher. I assume with the message you're getting, that you are trying to provide some of those services.

If you provide any of these services, there's no way around it: You need a code-signing certificate issued by Sun. (One from IBM might work too; if I recall correctly, their code-signing CA is supported, but I don't know anything about their issuing process.)

erickson
+2  A: 

You have to sign the JAR with "JCE Code Signing CA". In all current Java distributions, only 2 CAs (Sun and IBM) are built-in (hard-coded) and there is no way to add your own. We tried to work with Sun to sign our provider and it's almost impossible. They wouldn't issue an intermediate CA cert, which means you have to go through the trouble every time you make a change.

Why don't you just use your own library? You use the standard API for interoperability between different JCEs. But that's not realistic for CryptoKi/SmartCard stuff right now; you almost always need to write some custom code to interact with a vendor-specific API. You can even make your code mimic the JCE API to minimize code changes.

ZZ Coder
I've gotten two certificates from Sun, with no trouble at all. They were very helpful and responsive.
erickson
Do you mean you get a "JCE Code Signing Certificate" from Sun? They use a special CA root for JCE, "JCE Code Signing CA". So a regular code signing cert doesn't work.
ZZ Coder
Yes, I mean the cert that you need to sign a JCE provider.
erickson
Oh, I guess our definition of trouble is different :) Getting a regular code signing cert is quite easy. That's no trouble. However, Sun required us to get an export license to use strong cryptography from the Dept. of Commerce to issue a JCE signing cert. That's way too much trouble for us.
ZZ Coder
That's weird. We didn't have to do that either time (we are in the US). The signature is required to prevent *import* of a provider into repressive countries, not to control export from the US.
erickson
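
An added diagnostic example, not part of the original thread: before chasing "JCE cannot authenticate the provider", it helps to see who actually signed the provider JAR. The class name and the JAR path argument are hypothetical; the issuer match on the CA name quoted above is only a hint, since the authoritative check is the one JCE itself performs against its built-in CAs.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ProviderJarSignerCheck {
    // CA name as quoted in the thread; matching on it is a diagnostic hint only.
    static final String JCE_CA = "JCE Code Signing CA";

    public static void main(String[] args) throws Exception {
        // args[0]: path to the provider JAR (hypothetical input)
        boolean allSigned = true, jceIssuerSeen = false;
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                String name = entry.getName();
                // Simplification: skip directories and everything under META-INF/
                if (entry.isDirectory() || name.startsWith("META-INF/")) continue;
                // Signers are only populated after the entry is fully read;
                // a modified entry raises SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED: " + name);
                    allSigned = false;
                    continue;
                }
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    for (Certificate c : chain) {
                        String issuer = ((X509Certificate) c).getIssuerX500Principal().getName();
                        if (issuer.contains(JCE_CA)) jceIssuerSeen = true;
                    }
                }
            }
        }
        System.out.println("all class/resource entries signed: " + allSigned);
        System.out.println("chain issued by \"" + JCE_CA + "\": " + jceIssuerSeen);
    }
}
```

If entries are reported unsigned, or no certificate in the chain names that issuer, the JAR was either not signed or signed with an ordinary code-signing certificate, which matches the failure described in the question.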