Architecture
- Cryptographic Service Providers
-
The Java™ Cryptography Architecture introduced the notion of a Cryptographic Service Provider. This term refers to a package (or a set of packages) that supplies a concrete implementation of a subset of the cryptography aspects of the Security API.
For example, the SDK provides the following types of service: key factories, keystore creation and management, algorithm parameter management, algorithm parameter generation, and certificate factories. The SDK also enables a provider to supply a random number generation (RNG) algorithm.
As previously noted, a program can request a particular type of object (such as a Signature object) for a particular service (such as the DSA signature algorithm) and get an implementation from one of the installed providers. Alternatively, the program can request the objects from a specific provider. (Each provider has a name used to refer to it.)
The SDK contains a number of new providers, including IBMJCE. The IBMJCE provider package includes:
- An implementation of the Digital Signature Algorithm (DSA), described in NIST FIPS 186-2.
- An implementation of the MD2, MD5 (RFC 1321), SHA-1 (FIPS 180-2), SHA-256, SHA-384 and SHA-512 message digest algorithms. MD2, MD5 and SHA-1 are retained for interoperability with existing formats and should not be used where collision resistance matters; use SHA-256 or stronger for new designs.
- A DSA key pair generator for generating a pair of public and private keys suitable for the DSA algorithm.
- A DSA algorithm parameter generator.
- A DSA algorithm parameter manager.
- A DSA key factory providing bidirectional conversions between (opaque) DSA private and public key objects and their underlying key material.
- An implementation of the proprietary IBMSecureRandom random number generation algorithm.
- A keystore implementation for the proprietary keystore type named JKS.
Each SDK installation has one or more provider packages installed. New providers can be added statically or dynamically (see the Provider and Security classes). The Java Cryptography Architecture offers a set of APIs that allow users to query which providers are installed and what services they support.
Clients can configure their runtime environment with different providers, and specify a preference order for each of them. The preference order is the order in which providers are searched for requested services when no specific provider is requested.
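The following Java program is an added example, not code from the SDK documentation. It enumerates the installed providers in preference order, asks which providers implement a given service (using the filter form of Security.getProviders), and contrasts a default lookup, where the first provider in preference order wins, with a lookup from a named provider, which fails with NoSuchProviderException instead of silently falling back. The system property name demo.provider and the default provider name are assumptions for the demo; the provider names actually present depend on the runtime.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class ProviderDemo {

    /** Print every installed provider in preference order with a count of its services by type. */
    static void listProviders() {
        Provider[] providers = Security.getProviders();   // array order is the preference order
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            Map<String, Integer> byType = new TreeMap<>();
            for (Provider.Service s : p.getServices()) {
                byType.merge(s.getType(), 1, Integer::sum);  // e.g. Signature, MessageDigest, KeyStore
            }
            System.out.printf("%d. %s: %s%n   %s%n", i + 1, p.getName(), p.getInfo(), byType);
        }
    }

    /** Which installed providers implement a given service type and algorithm? */
    static void whoProvides(String type, String algorithm) {
        // The filter syntax is "<type>.<algorithm>"; null means no provider matches.
        Provider[] matches = Security.getProviders(type + "." + algorithm);
        System.out.printf("%s.%s -> %s%n", type, algorithm,
                matches == null ? "none" : Arrays.toString(matches));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        listProviders();
        whoProvides("Signature", "SHA256withDSA");
        whoProvides("KeyStore", "JKS");

        // Default lookup: the first provider in preference order that supports the algorithm is used.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withDSA");
        System.out.println("Signature served by provider: " + sig.getProvider().getName());

        // Lookup from a named provider: an absent provider is an error, not a quiet fallback.
        String preferred = System.getProperty("demo.provider", "IBMJCE"); // assumed property name
        try {
            Signature fromNamed = Signature.getInstance("SHA256withDSA", preferred);
            System.out.println("Explicit lookup succeeded: " + fromNamed.getProvider().getName());
        } catch (NoSuchProviderException e) {
            System.out.println("Provider " + preferred + " is not installed in this runtime");
        }

        // Constructed sample message: sign with the private key, verify with the public key.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        sig.initSign(kp.getPrivate());
        sig.update(message);
        byte[] signature = sig.sign();
        sig.initVerify(kp.getPublic());
        sig.update(message);
        System.out.println("Signature verifies: " + sig.verify(signature));
    }
}
```

Pinning a provider by name is the right choice when a deployment must use a particular implementation (for example a hardware-backed or certified one); the default lookup is the right choice when portability across runtimes matters more than which provider answers.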
- Key Management
-
A database called a keystore can be used to manage a repository of keys and certificates. A keystore is available to applications that need it for authentication or signing purposes.
Applications can access a keystore via an implementation of the KeyStore class, which is in the java.security package. A default KeyStore implementation, called JKS, is provided. It implements the keystore as a file, using a proprietary keystore type (format).
Applications can choose different types of keystore implementations from different providers, using the getInstance factory method supplied in the KeyStore class. See the Key Management section for more information.