The company I work for is wary of Android app development because the default cryptography library, Bouncy Castle, is not FIPS-140 certified. Nothing I can do to change their minds or policies.

I'm wondering what options I have for installing (or at least bundling) SunJCE with my app.

For one, I can't find where I would download the latest version of this jar. I tried grabbing the jce jar from my desktop and setting it as an internal jar in my Android project and received this amusing, if ominous, message:

Attempt to include a core class (java.* or javax.*) in something other than a core library. It is likely that you have attempted to include in an application the core library (or a part thereof) from a desktop virtual machine. This will most assuredly not work. At a minimum, it jeopardizes the compatibility of your app with future versions of the platform. It is also often of questionable legality.

If you really intend to build a core library -- which is only appropriate as part of creating a full virtual machine distribution, as opposed to compiling an application -- then use the "--core-library" option to suppress this error message.

If you go ahead and use "--core-library" but are in fact building an application, then be forewarned that your application will still fail to build or run, at some point. Please be prepared for angry customers who find, for example, that your application ceases to function once they upgrade their operating system. You will be to blame for this problem.

If you are legitimately using some code that happens to be in a core package, then the easiest safe alternative you have is to repackage that code. That is, move the classes in question into your own package namespace. This means that they will never be in conflict with core system classes. If you find that you cannot do this, then that is an indication that the path you are on will ultimately lead to pain, suffering, grief, and lamentation.

I'm not one for pain, suffering, grief, OR lamentation, so I'd like to know the proper way to go about this task, provided it's something I should attempt at all.

A: 

You are not going to be able to import java.* or javax.* classes, due to the compiler error you encountered. Following their instructions should work, but changing the packages for something the size of JCE may be significant, and I don't know if the result would still qualify as FIPS-140. Plus, if JCE is implemented in pure Java, it may be slow on Android. And unless the JCE is from the GPL'd version of Java, or some other open source implementation, the licensing issue the error message hints at is relevant.

There are other FIPS-140 encryption libraries available, such as NSS, that have Java bindings, and others that you could probably write Java bindings for. It is possible you could get one of those working with the NDK to run on Android.

CommonsWare
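
Added example, not part of the original question or answer: whichever approved library ends up bundled, the app should request algorithms from that provider explicitly and fail closed when it is absent, because a bare `Cipher.getInstance(...)` call silently resolves to whatever the platform prefers. The provider name `SunJCE` below is an assumed stand-in so the code runs on a desktop JVM; substitute the name your approved module registers under.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderPinning {
    // Assumption: stand-in provider name for a desktop JVM run.
    // Replace with the name of the approved provider you actually ship.
    static final String APPROVED_PROVIDER = "SunJCE";

    /**
     * Returns a Cipher backed by the approved provider only.
     * Throws instead of falling back to the platform default.
     */
    static Cipher approvedCipher(String transformation) throws GeneralSecurityException {
        Provider p = Security.getProvider(APPROVED_PROVIDER);
        if (p == null) {
            throw new NoSuchProviderException(APPROVED_PROVIDER + " is not registered");
        }
        // Passing the Provider object restricts the lookup to that provider.
        return Cipher.getInstance(transformation, p);
    }

    public static void main(String[] args) throws Exception {
        // Audit: registered providers, in the order the platform consults them.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": " + p.getInfo());
        }

        String transformation = "AES/GCM/NoPadding";

        // Unpinned lookup: resolves to the first provider that offers the algorithm.
        Cipher byDefault = Cipher.getInstance(transformation);
        System.out.println("default resolves to: " + byDefault.getProvider().getName());

        // Pinned lookup: approved provider or an exception, nothing in between.
        try {
            Cipher pinned = approvedCipher(transformation);
            System.out.println("pinned resolves to:  " + pinned.getProvider().getName());
        } catch (GeneralSecurityException e) {
            System.out.println("refusing to run crypto: " + e.getMessage());
        }
    }
}
```

The same pinning applies to `KeyGenerator`, `Mac`, `MessageDigest`, `Signature` and `SecureRandom`, each of which has a `getInstance` overload that takes a `Provider`.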