Posted to dev@santuario.apache.org by Anderson Jonathan <an...@bah.com> on 2004/01/23 18:36:27 UTC

[Java] Newb question concerning XML-Sec JCE requirements

Hi everyone,
	Apologies in advance for what is probably a rather naive question.  Current
distributions of Apache XML-Security contain no third party JCE, but all of
the documentation points to using the latest versions of the Bouncy Castle
JCE as the provider for XML-Security.  I am dealing with clients that are
hyper-sensitive to non-U.S. crypto implementations, and so I pose the
question:

	If I am using J2SE 1.4.2 (1.4.2_03, to be precise), does the default Sun
provider that ships with 1.4.2 provide everything I need to use XML-Security
to both sign and encrypt?  I was initially suspicious of the SunJCE
supporting SHA1withRSA (I am primarily concerned with XML-DSIG), but it
appears to me that 1.4.2 SunJCE supports it just fine.

	I would sincerely be grateful if someone could either confirm that the
1.4.2 SunJCE supports all of the Apache XML-Security use cases OR provide me
with a list of use cases that require a third party JCE such as Bouncy
Castle.

	Regards,
	-Jon



RE: [Java] Newb question concerning XML-Sec JCE requirements

Posted by Anderson Jonathan <an...@bah.com>.
Sean, you've been a huge help.  Last round of questions, I promise.  In the
context of the J2SE 1.4.2_03 distro:

rt.jar (Sun JCA provider part 1/2)
(SHA1 hash algorithm)

sunrsasign.jar (Sun JCA provider part 2/2)
(SHA1withRSA signature algorithm - assumed PKCS#1 impl as opposed to NIST
X9.42 impl)

sunjce_provider.jar (Sun JCE provider)

1) Am I missing any other jars that comprise the umbrella "Sun JCA/JCE"
provider?

2) What is the relationship between sunrsasign.jar and the other two jars?
That is:
   - Does the SHA1withRSA signature implementation delegate to the JCA SHA1
hash implementation (sun.security.provider.SHA) in rt.jar, or does it
implement SHA1 again in sunrsasign.jar specifically in the context of
SHA1withRSA?
   - What jar contains the implementation of the RSA encryption algorithm as
defined in PKCS#1?  Is it implemented in sunrsasign.jar specifically in the
context of SHA1withRSA (I cannot use it outright as a standalone JCE
javax.crypto.Cipher, and only as a JCA java.security.Signature)?

3) Are the implementations in the umbrella "Sun JCA/JCE" provider FIPS-140
certified by NIST?  I only ask this because I see some FIPS-140 certificates
issued to Sun concerning software crypto modules.  I'm anticipating a "no"
to this one, given how much Phaos touts their FIPS-140 compliance.

	-Jon

-----Original Message-----
From: Sean Mullan [mailto:Sean.Mullan@Sun.COM]
Sent: Friday, January 23, 2004 2:04 PM
To: security-dev@xml.apache.org
Subject: Re: [Java] Newb question concerning XML-Sec JCE requirements


Anderson Jonathan wrote:
> Many, many thanks Sean.  You just settled quite a few discussions in my
> shop.

You're welcome.

>
> A follow up question:
>
> Slides presented at JavaOne referred to JSR 105 and 106 being included in
> J2SE 1.5.  What does this imply, exactly?

105/106 were originally targeted for J2SE 1.5 but since then the release has
been scaled back and this was one of the things that was dropped.

> Are JSR 105 and 106 built around an SPI model like JCA/JCE are?

Yes, vendors will be able to plug in their own implementations.

> Will there be a "reference implementation"
> of 105/106 included in the J2SE 1.5 distro?

There will be an RI but it won't be included in 1.5.

> Or will we still need a 3rd
> party XML-Security toolkit like Apache XML-Security alongside J2SE 1.5,
> assuming that the toolkit has rolled out 105/106 compliance?

The choice of a 105/106 provider will be up to you, just as you choose
to use different JCA/JCE providers.

I am sorry I can't give you much more details about the RI at this time.
I hope to have more information about the 105 RI that I can share with you
soon.

Thanks,
Sean



Re: [Java] Newb question concerning XML-Sec JCE requirements

Posted by Sean Mullan <Se...@Sun.COM>.
Anderson Jonathan wrote:
> Many, many thanks Sean.  You just settled quite a few discussions in my
> shop.

You're welcome.

> 
> A follow up question:
> 
> Slides presented at JavaOne referred to JSR 105 and 106 being included in
> J2SE 1.5.  What does this imply, exactly?  

105/106 were originally targeted for J2SE 1.5 but since then the release has
been scaled back and this was one of the things that was dropped.

> Are JSR 105 and 106 built around an SPI model like JCA/JCE are?  

Yes, vendors will be able to plug in their own implementations.

> Will there be a "reference implementation"
> of 105/106 included in the J2SE 1.5 distro?  

There will be an RI but it won't be included in 1.5.

> Or will we still need a 3rd
> party XML-Security toolkit like Apache XML-Security alongside J2SE 1.5,
> assuming that the toolkit has rolled out 105/106 compliance?

The choice of a 105/106 provider will be up to you, just as you choose
to use different JCA/JCE providers.

I am sorry I can't give you much more details about the RI at this time.
I hope to have more information about the 105 RI that I can share with you
soon.

Thanks,
Sean

> 
> 	Thanks again,
> 	-Jon
> 
> -----Original Message-----
> From: Sean Mullan [mailto:Sean.Mullan@Sun.COM]
> Sent: Friday, January 23, 2004 1:24 PM
> To: security-dev@xml.apache.org
> Subject: Re: [Java] Newb question concerning XML-Sec JCE requirements
> 
> 
> Anderson Jonathan wrote:
> 
>>Hi everyone,
>>	Apologies in advance for what is probably a rather naive question.  Current
>>distributions of Apache XML-Security contain no third party JCE, but all of
>>the documentation points to using the latest versions of the Bouncy Castle
>>JCE as the provider for XML-Security.  I am dealing with clients that are
>>hyper-sensitive to non-U.S. crypto implementations, and so I pose the
>>question:
>>
>>	If I am using J2SE 1.4.2 (1.4.2_03, to be precise), does the default Sun
>>provider that ships with 1.4.2 provide everything I need to use XML-Security
>>to both sign and encrypt?  I was initially suspicious of the SunJCE
>>supporting SHA1withRSA (I am primarily concerned with XML-DSIG), but it
>>appears to me that 1.4.2 SunJCE supports it just fine.
>>
>>	I would sincerely be grateful if someone could either confirm that the
>>1.4.2 SunJCE supports all of the Apache XML-Security use cases OR provide me
>>with a list of use cases that require a third party JCE such as Bouncy
>>Castle.
> 
> 
> Sun's JCA/JCE provider in 1.4.2 should have everything you need for XML DSig
> and has almost everything you need for XML Enc. These are the exceptions:
> 
> - we don't support the XML Encryption Block Encryption Padding algorithm
>   (ISO10126)
>    This will be fixed in 1.5, for which a beta version will be available soon.
>    As a workaround you might be able to do the padding/unpadding yourself.
> 
> - we don't support the XML Encryption RSA and RSA-OAEP key transport
>   algorithms.
>    Both of these will be supported in 1.5 (beta available soon).
> 
> --Sean



RE: [Java] Newb question concerning XML-Sec JCE requirements

Posted by Anderson Jonathan <an...@bah.com>.
Many, many thanks Sean.  You just settled quite a few discussions in my
shop.

A follow up question:

Slides presented at JavaOne referred to JSR 105 and 106 being included in
J2SE 1.5.  What does this imply, exactly?  Are JSR 105 and 106 built around
an SPI model like JCA/JCE are?  Will there be a "reference implementation"
of 105/106 included in the J2SE 1.5 distro?  Or will we still need a 3rd
party XML-Security toolkit like Apache XML-Security alongside J2SE 1.5,
assuming that the toolkit has rolled out 105/106 compliance?

	Thanks again,
	-Jon

-----Original Message-----
From: Sean Mullan [mailto:Sean.Mullan@Sun.COM]
Sent: Friday, January 23, 2004 1:24 PM
To: security-dev@xml.apache.org
Subject: Re: [Java] Newb question concerning XML-Sec JCE requirements


Anderson Jonathan wrote:
> Hi everyone,
> 	Apologies in advance for what is probably a rather naive question.  Current
> distributions of Apache XML-Security contain no third party JCE, but all of
> the documentation points to using the latest versions of the Bouncy Castle
> JCE as the provider for XML-Security.  I am dealing with clients that are
> hyper-sensitive to non-U.S. crypto implementations, and so I pose the
> question:
>
> 	If I am using J2SE 1.4.2 (1.4.2_03, to be precise), does the default Sun
> provider that ships with 1.4.2 provide everything I need to use XML-Security
> to both sign and encrypt?  I was initially suspicious of the SunJCE
> supporting SHA1withRSA (I am primarily concerned with XML-DSIG), but it
> appears to me that 1.4.2 SunJCE supports it just fine.
>
> 	I would sincerely be grateful if someone could either confirm that the
> 1.4.2 SunJCE supports all of the Apache XML-Security use cases OR provide me
> with a list of use cases that require a third party JCE such as Bouncy
> Castle.

Sun's JCA/JCE provider in 1.4.2 should have everything you need for XML DSig
and has almost everything you need for XML Enc. These are the exceptions:

- we don't support the XML Encryption Block Encryption Padding algorithm
  (ISO10126)
   This will be fixed in 1.5, for which a beta version will be available soon.
   As a workaround you might be able to do the padding/unpadding yourself.

- we don't support the XML Encryption RSA and RSA-OAEP key transport
  algorithms.
   Both of these will be supported in 1.5 (beta available soon).

--Sean
Re: [Java] Newb question concerning XML-Sec JCE requirements

Posted by Sean Mullan <Se...@Sun.COM>.
Anderson Jonathan wrote:
> Hi everyone,
> 	Apologies in advance for what is probably a rather naive question.  Current
> distributions of Apache XML-Security contain no third party JCE, but all of
> the documentation points to using the latest versions of the Bouncy Castle
> JCE as the provider for XML-Security.  I am dealing with clients that are
> hyper-sensitive to non-U.S. crypto implementations, and so I pose the
> question:
> 
> 	If I am using J2SE 1.4.2 (1.4.2_03, to be precise), does the default Sun
> provider that ships with 1.4.2 provide everything I need to use XML-Security
> to both sign and encrypt?  I was initially suspicious of the SunJCE
> supporting SHA1withRSA (I am primarily concerned with XML-DSIG), but it
> appears to me that 1.4.2 SunJCE supports it just fine.
> 
> 	I would sincerely be grateful if someone could either confirm that the
> 1.4.2 SunJCE supports all of the Apache XML-Security use cases OR provide me
> with a list of use cases that require a third party JCE such as Bouncy
> Castle.

Sun's JCA/JCE provider in 1.4.2 should have everything you need for XML DSig and has
almost everything you need for XML Enc. These are the exceptions:

- we don't support the XML Encryption Block Encryption Padding algorithm (ISO10126)
   This will be fixed in 1.5, for which a beta version will be available soon. As a
   workaround you might be able to do the padding/unpadding yourself.

- we don't support the XML Encryption RSA and RSA-OAEP key transport algorithms.
   Both of these will be supported in 1.5 (beta available soon).

--Sean
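Both Jon's question about which Sun provider supplies SHA-1, SHA1withRSA and RSA-as-a-Cipher, and the two gaps Sean lists (ISO10126 block padding and RSA / RSA-OAEP key transport), can be settled at runtime by asking the JCA which provider wins each lookup. This is an added example, not code from the thread or from Apache XML-Security; it assumes a modern JDK (Java 9 or later), where the JDK's own providers are named SUN, SunRsaSign and SunJCE, and the algorithm list is the JCA spelling of the XML DSig / XML Enc primitives that I chose for the check.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Signature;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.Mac;

/** Reports which installed JCA/JCE provider serves each primitive XML DSig / XML Enc needs. */
public class XmlSecProviderCheck {

    /** The JDK's own providers (assumed names); anything else, e.g. BC, is a third-party JCE. */
    static final Set<String> JDK_PROVIDERS = Set.of("SUN", "SunRsaSign", "SunJCE");

    @FunctionalInterface
    interface Lookup { Provider get() throws Exception; }

    /** Resolves one primitive via the normal JCA lookup and names the provider that won. */
    static String providerOf(Lookup lookup) {
        try {
            return lookup.get().getName();
        } catch (Exception e) { // NoSuchAlgorithmException or NoSuchPaddingException
            return "MISSING";
        }
    }

    /** Map of "service algorithm" to the provider name serving it (or MISSING). */
    public static Map<String, String> coverage() {
        Map<String, String> r = new LinkedHashMap<>();
        // XML DSig: digest, HMAC and the two signature algorithms
        r.put("MessageDigest SHA-1", providerOf(() -> MessageDigest.getInstance("SHA-1").getProvider()));
        r.put("Mac HmacSHA1", providerOf(() -> Mac.getInstance("HmacSHA1").getProvider()));
        r.put("Signature SHA1withRSA", providerOf(() -> Signature.getInstance("SHA1withRSA").getProvider()));
        r.put("Signature SHA1withDSA", providerOf(() -> Signature.getInstance("SHA1withDSA").getProvider()));
        // XML Enc: block ciphers with the ISO10126 padding Sean flagged, and RSA key transport
        r.put("Cipher DESede/CBC/ISO10126Padding", providerOf(() -> Cipher.getInstance("DESede/CBC/ISO10126Padding").getProvider()));
        r.put("Cipher AES/CBC/ISO10126Padding", providerOf(() -> Cipher.getInstance("AES/CBC/ISO10126Padding").getProvider()));
        r.put("Cipher RSA/ECB/PKCS1Padding", providerOf(() -> Cipher.getInstance("RSA/ECB/PKCS1Padding").getProvider()));
        r.put("Cipher RSA/ECB/OAEPWithSHA-1AndMGF1Padding", providerOf(() -> Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding").getProvider()));
        return r;
    }

    public static void main(String[] args) {
        coverage().forEach((alg, prov) -> {
            String origin = prov.equals("MISSING") ? "" : JDK_PROVIDERS.contains(prov) ? " (JDK)" : " (third party)";
            System.out.println(alg + " -> " + prov + origin);
        });
    }
}
```

Running it with only the JDK providers installed shows SHA-1 and SHA1withRSA resolving to different providers (SUN versus SunRsaSign), which answers Jon's delegation question, and any line that comes back MISSING or third party is exactly a use case that still needs an extra JCE.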