Harrris asked:

Java Security and Bouncy Castle provider

Hello,

I'm using Bouncy Castle provider in Java to use RSA Encryption.
According to the documentation, to use a third-party security provider in Java,
I have to place the required file (eg. bcprov-jdk14-112.jar) in the
Program Files\Java\jre1.6.0_01\lib\ext directory, and add the following line
in the C:\Program Files\Java\jre1.6.0_01\lib\security\java.security file:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

Is there any way to use the provider without having to copy the file to
the Program Files\Java\jre1.6.0_01\lib\ext directory and without
changing the java.security file? For example, is it possible to put
the bcprov-jdk14-112.jar file in the same directory as the source code
of a program and use some code in my program to load the library?

I want to do this, because I need to run the program on machines where I don't
have permission to access the Java directory. Also, is there any way to compile
the code so the compiled program can run on machines without the provider
installed?

Thanks in Advance
MicheleMarcon

Did you try System.setProperty("security.provider.6","org.bouncycastle.jce.provider.BouncyCastleProvider")

And add the .jar to the path?

CEHJ

>>Also, is there any way to compile the code so the compiled program can run on machines without the provider installed ?

You should be able to solve all your problems by distributing your app via Java Web Start. See its docs
mbodewes
Ah, forgot the last part of your question: of course you can use the SunJCE provider in case the BC provider is not there: just use reflection to check if the BouncyCastleProvider exists, and only add the provider if this is the case. Java JCE will happily use the aforementioned method to find the first provider that provides the required interface, unless you specifically tell it to use the BC provider.
Harrris (ASKER)

I'm really confused about how security providers are used in Java....
(I'm experienced in programming but new in Java)

I know I can use "BouncyCastleProvider bcProv = new BouncyCastleProvider();"
to add the provider, but my question is how do I load the provider's jar file/library?
Is the "import org.bouncycastle.jce.provider.BouncyCastleProvider;" line relative to this?
This means I need a file called org.bouncycastle.jce.provider.BouncyCastleProvider?
The file I have for the provider is called bcprov-jdk16-138.jar.
When I use that line I get an error like: Cannot find symbol: class BouncyCastleProvider

According to the documentation, to use a provider you
have to place the provider's file (eg. bcprov-jdk14-112.jar) in the
Program Files\Java\jre1.6.0_01\lib\ext directory, and add the following line
in the C:\Program Files\Java\jre1.6.0_01\lib\security\java.security file:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

I did this, and it works. The strange thing is, after that, I removed the provider's file from the java directory, and I removed that line from the java.security file, and it still works! But the problem is that I want to run the program on machines where I don't have access to the java directory.

> Ah, forgot the last part of your question: of course you can use the SunJCE provider in case the BC provider is not there ....
So is SunJCE Provider included by default in all machines when you install java?

Can you please give me a more detailed example?
Also, how can I tell the security class that I always want to use a specific provider for all algorithms?

>>but the problem is that I want to run the program on machines where I don't have access to the java directory.

I mentioned above what to do about that

The loading of jar files has to do with the classpath. In Java, classes are located by so-called class loaders, one of which is the default class loader. This class loader first checks the (jar) files of the Java platform, then the classes in the current directory (using the packaging names). You might want to check some tutorials on class path issues.

For the solution to work, the jar file of the provider has to be in the class path. This is the bcprov-jdk16-138.jar you were talking about. There are several ways to do this, and CEHJ is pointing to a specific method to get the provider in the classpath automatically by providing your application and bcprov-jdk16-138.jar through Java Web Start.

Once the classloader is able to find the jar file then it can use the class files within them. One will be the org/bouncycastle/jce/provider/BouncyCastleProvider.class file (you can look at the contents of JAR files by using your favourite archiver, they're just glorified ZIP files). Now you can add the provider to the list within the Security class. Ways to add things to the class path: create a CLASSPATH variable on the machines (using active directory maybe), use java -cp or use webstart (webstart is designed for deploying applications over the intraweb).

The SunJCE Provider is indeed installed by default, and it can do RSA signatures and encryption without any problem. Actually, for most cryptographic operations except Elliptic Curves, all the most used cryptographic algorithms are supported. You might want to check out the jurisdiction files on the Sun java download page to enhance the number of bits you can use with RSA encryption though. You can check all the default providers installed with java by looking at the java.security file located somewhere in the Java installation folder.

As you might have noticed, Java security is not really that great a place to /start/ Java development. It depends on too many deeply specific Java techniques.
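
Added example, not code from any poster in this thread: the approach discussed above (jar on the classpath, provider registered at runtime through reflection, default providers used when the class is absent) put together in one program. The class name ProviderFallbackDemo, the OAEP transformation string and the 2048-bit key size are choices made for this illustration, and the code assumes Java 7 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderFallbackDemo {
    // Provider class name as given in the thread; its jar must be on the classpath.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Registers Bouncy Castle for this JVM only if its class loads; returns its name or null. */
    static String registerBouncyCastleIfPresent() {
        try {
            Provider bc = (Provider) Class.forName(BC_CLASS)
                    .getDeclaredConstructor().newInstance();
            if (Security.getProvider(bc.getName()) == null) {
                // Appended after the default providers; java.security and lib/ext are untouched.
                // Security.insertProviderAt(bc, 1) would make it the preferred provider instead.
                Security.addProvider(bc);
            }
            return bc.getName();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null; // jar not on the classpath: keep using the default providers
        }
    }

    public static void main(String[] args) throws Exception {
        String bcName = registerBouncyCastleIfPresent();
        String transformation = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Pin the provider by name when it was registered; otherwise JCA picks the
        // first registered provider that implements the transformation.
        Cipher enc = bcName != null ? Cipher.getInstance(transformation, bcName)
                                    : Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ct = enc.doFinal("constructed sample".getBytes(StandardCharsets.UTF_8));

        // Decrypt with the same provider: OAEP defaults can differ between providers.
        Cipher dec = Cipher.getInstance(transformation, enc.getProvider());
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        System.out.println(enc.getProvider().getName() + ": "
                + new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

On Windows the jar can be supplied with `java -cp .;bcprov-jdk16-138.jar ProviderFallbackDemo`; without the jar the same class file still runs and prints the name of the default provider that handled the cipher.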