Hi,
Recently, we have run into a serious issue with the Apache XML Security Java implementation due to the way it uses its own mechanism (config.xml) to find JCA/JCE providers for different XML DSig or Enc algorithm URIs instead of using the standard J2SE mechanism [1].
The issue involves finding an appropriate hardware or software based provider. In JDK 5 (1.5), we have added support for crypto tokens via a PKCS#11 provider [2]. In order to find an appropriate hardware or software based provider, it was necessary to delay the selection of the provider for some JCA objects until the key is passed in [3]. Unfortunately, this solution doesn't work with the Apache implementation because it instantiates specific providers as configured by the config.xml file. The config.xml solution will only work with software keys. It will not work with hardware keys.
Another more general issue is that this configuration overrides the J2SE provider configuration, so developers cannot reuse existing configurations and need to learn and reconfigure a new one.
I understand that part of the problem and the original need for config.xml was that different providers used different algorithm names for some of the XML DSig and Enc algorithms, so it was not possible to instantiate JCA/JCE objects that would work across all providers. But I believe that most of those problems have been addressed and standard algorithm names have been added to the JCA/JCE reference guides [4, 5].
To avoid these issues, Vishal Mahajan and I would like to propose changing the XMLSec implementation to find JCA/JCE providers using the single-argument getInstance(algName) methods. This is a solution that requires no configuration and is designed to work with software and hardware based JCA/JCE providers w/o changing code. The current config.xml is still useful for mapping non-cryptographic algorithm URIs or proprietary/non-standard algorithm URIs, but shouldn't be used to map URIs to well-known, standard JCA/JCE algorithms.
Comments?
[1]: http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#ProviderImplReq
[2]: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
[3]: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#DelayedSelect
[4]: http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#AppA
[5]: http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA
--Sean
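
An added illustration of the proposal above, not part of the original message and not Apache XML Security code: it maps an XML DSig algorithm URI to its standard JCA name and calls the single-argument getInstance, so the provider is chosen only when the key is passed in. The class DelayedProviderDemo, the helper forSigning and the map URI_TO_JCA are hypothetical names; the RSA key is a software key generated for the example, and the code assumes Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class DelayedProviderDemo {
    // URI -> standard JCA algorithm name: the only mapping that is still needed.
    static final Map<String, String> URI_TO_JCA = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA",
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1", "SHA1withDSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA");

    // Provider-agnostic lookup: no provider is named anywhere in this method.
    static Signature forSigning(String uri, PrivateKey key)
            throws GeneralSecurityException {
        String jcaName = URI_TO_JCA.get(uri);
        if (jcaName == null) {
            throw new NoSuchAlgorithmException("No JCA mapping for URI: " + uri);
        }
        Signature sig = Signature.getInstance(jcaName); // single-argument form
        sig.initSign(key); // delayed selection: a provider that accepts this key is picked
        return sig;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: a software RSA key pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed sample data".getBytes(StandardCharsets.UTF_8);

        String uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        Signature signer = forSigning(uri, kp.getPrivate());
        System.out.println("Provider chosen for this key: "
            + signer.getProvider().getName());
        signer.update(data);
        byte[] sigValue = signer.sign();

        Signature verifier = Signature.getInstance(URI_TO_JCA.get(uri));
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("Signature verifies: " + verifier.verify(sigValue));

        // Pinned form, which is what a configuration file naming a provider amounts to.
        // It works here because the key is a software key; a key handle owned by a
        // different provider (for example a PKCS#11 token) is rejected at initSign.
        Signature pinned = Signature.getInstance("SHA256withRSA", signer.getProvider());
        pinned.initSign(kp.getPrivate());
    }
}
```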
