Because of performance issues, we have a security provider that has a native back end. All the core pieces are implemented (SHA1, SHA256, RSA, DSA, etc.). However, when I add the new provider to the top of the list in java.security and start an app with signed jars. My provider isn't used. Digging through the openjdk code, it appears that JarVerifier refers to ManifestEntryVerifier and SignatureFileVerifier which has it hard coded to use the Sun security provider. Does anybody know a way around that? It seems that this would make it impossible to be FIPS compliant with a certified security provider, because the code signing verification would still be done by Sun/SunRsa/SunEC.
Bill Bill Smith Senior Software Engineer Tridium, Inc. (O) 804-527-3141 Notice: This email message, together with any attachments, contains information of Tridium Incorporated, which may be confidential, proprietary, copyrighted and/or legally privileged. This email is intended solely for the use of the individual or entity named on the message. If you are not the intended recipient, and have received this message in error, please immediately return by email and then delete it.
smime.p7s
Description: S/MIME cryptographic signature