Installing a new security Provider

Batchelor, Steve (steve.batchelor@intel.com)
Thu, 20 Aug 1998 10:10:33 -0700

From: "Batchelor, Steve" <steve.batchelor@intel.com>
To: "'java-security@java.sun.com'" <java-security@java.sun.com>
Subject: Installing a new security Provider
Date: Thu, 20 Aug 1998 10:10:33 -0700

Dear Java-Security Team:
We are attempting to install a security provider into the JCA/JCE
framework. Up until now we have had success in using the services of this
non-Sun security provider through the java.security and javax.crypto APIs.
This tells us that it has been installed/registered correctly so that the
Java security manager and class loader can find it.
The reason why we are using a non-Sun implemented provider is
because we have a need for a Provider that supports an asymmetric algorithm
that can be used for both signature generation and ciphering.
But the problem is this: we would like to programmatically generate
(issue and sign) certificates using a public/private key pair generated by
an asymmetric algorithm. This we understand is not possible with the
current version of the JDK (1.2Beta4) and JCE (1.2) and its providers, so we
have accepted the use of 'keytool' to issue key pairs and certificates. We
would then like to use the asymmetric keys, generated by 'keytool' and associated
with the issued certificate, to encrypt (public key) and decrypt (private
key) simple clear text. This is again not possible as mentioned above as it
is currently not supported by the Sun implemented providers. So this is why
we are using a provider that supports both signaturing and ciphering using
an asymmetric key pair.
As mentioned earlier, we are using 'keytool' to issue and sign
certificates. But we are finding that 'keytool' refuses to recognize
the non-Sun security provider that we can successfully use through the Java
APIs.
Further investigation using the book 'Java Security (Java 1.2)', by
Scott Oaks, has uncovered the following limitation of 'keytool'. On page
334, in the description of '-keyalg AlgorithmName' it says the following:
'Use the given algorithm to generate the key pair. For the default Sun
security provider, the name must be DSA, which is also the default value for
this option. Despite the presence of this option, you cannot really specify
another algorithm name, nor, for that matter, can you use a non-Sun DSA
provider. Internally, keytool expects the key generator to produce keys
that belong to a specific class in the sun package.' Is this still true?
If so then it appears impossible to use a non-Sun provider with 'keytool',
and thus impossible to perform public-key cryptography with the Java
security APIs using a key pair associated with a certificate issued by
'keytool'.
Understanding our programmatic requirements and our current
'keytool' limitations, can you please suggest a workaround, if one exists,
and/or whether this will be included in the JDK/JCE in the future in the form of
a programmatic way to issue certificates and perform public-key cryptography
using the Cipher class?
Thanks,
Steve

Steve Batchelor
Java Technologies Group
Intel Architecture Lab
Intel Corporation
503-264-9421
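The following is an added example, not code from the original message or from Sun; it shows, on a current JDK, the three things the message is trying to do: confirm which providers the runtime has actually registered, pull a key pair out of a keystore that 'keytool' created, and then use that pair for both public-key encryption/decryption via Cipher and signing/verification via Signature. The keystore path, the alias "mykey" and the password "changeit" are placeholders assumed for this example; when no keystore path is given on the command line it generates an RSA pair in memory so it runs stand-alone. The RSA Cipher transformation used here was not available in the Sun providers of the JDK the message refers to.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import javax.crypto.Cipher;

public class ProviderKeyPairDemo {

    // Print every registered provider in precedence order. If a provider was
    // added in java.security or via Security.addProvider() but is missing here,
    // no getInstance() call, and no tool built on the JCA, will find it.
    static void listProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": " + p.getInfo());
        }
    }

    // Pull the key pair keytool stored under an alias: the private key entry
    // plus the public key taken from the certificate associated with it.
    static KeyPair loadFromKeystore(String path, char[] storePass,
                                    String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        Key k = ks.getKey(alias, keyPass);
        Certificate cert = ks.getCertificate(alias);
        if (!(k instanceof PrivateKey) || cert == null) {
            throw new IllegalStateException("no private key entry for alias " + alias);
        }
        return new KeyPair(cert.getPublicKey(), (PrivateKey) k);
    }

    // Generate a pair in memory through the named provider, or through the
    // default precedence order when providerName is null (stand-alone run).
    static KeyPair generate(String algorithm, int bits, String providerName) throws Exception {
        KeyPairGenerator g = providerName == null
                ? KeyPairGenerator.getInstance(algorithm)
                : KeyPairGenerator.getInstance(algorithm, providerName);
        g.initialize(bits);
        return g.generateKeyPair();
    }

    // Encrypt with the public key (ENCRYPT_MODE) or decrypt with the private
    // key (DECRYPT_MODE) using RSA-OAEP.
    static byte[] rsa(int mode, Key key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key);
        return c.doFinal(data);
    }

    // Sign with the private key and verify with the public key of the same pair.
    static boolean signAndVerify(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        byte[] sig = s.sign();
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        listProviders();

        // With a keystore path argument, use the pair keytool issued; otherwise
        // generate one. Alias and passwords are placeholders for this example.
        KeyPair kp = args.length > 0
                ? loadFromKeystore(args[0], "changeit".toCharArray(),
                                   "mykey", "changeit".toCharArray())
                : generate("RSA", 2048, null);

        // The concrete key class tells you which provider actually produced
        // the key, which is the compatibility question the message raises.
        System.out.println("key algorithm: " + kp.getPrivate().getAlgorithm()
                + ", class: " + kp.getPrivate().getClass().getName());

        byte[] msg = "simple clear text".getBytes(StandardCharsets.UTF_8);
        byte[] ct = rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), msg);
        byte[] pt = rsa(Cipher.DECRYPT_MODE, kp.getPrivate(), ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));
        System.out.println("signature ok: " + signAndVerify(kp, msg));
    }
}
```

To exercise the keystore path, create the entry with keytool using an RSA key (for example `keytool -genkey -keyalg RSA -alias mykey` into the default keystore) and pass the keystore file as the first argument. The provider listing and the printed key class are the checks worth keeping: together they show whether the provider is registered at all and whether the keys it returns are the classes the rest of the pipeline expects.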