Because of performance issues, we have a security provider that has a native
back end. All the core pieces are implemented (SHA1, SHA256, RSA, DSA,
etc.). However, when I add the new provider to the top of the list in
java.security and start an app with signed jars. My provider isn't used.
Digging through the openjdk code, it appears that JarVerifier refers to
ManifestEntryVerifier and SignatureFileVerifier which has it hard coded to
use the Sun security provider. Does anybody know a way around that? It seems
that this would make it impossible to be FIPS compliant with a certified
security provider, because the code signing verification would still be done
by Sun/SunRsa/SunEC. 

Bill


Bill Smith
Senior Software Engineer
Tridium, Inc.
(O) 804-527-3141

Notice: This email message, together with any attachments, contains
information of Tridium Incorporated, which may be confidential, proprietary,
copyrighted and/or legally privileged. This email is intended solely for the
use of the individual or entity named on the message. If you are not the
intended recipient, and have received this message in error, please
immediately return by email and then delete it.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to