Sean, you've been a huge help. Last round of questions, I promise. In the
context of the J2SE 1.4.2_03 distro:
rt.jar (Sun JCA provider part 1/2)
(SHA1 hash algorithm)
sunrsaasign.jar (Sun JCA provider part 2/2)
(SHA1withRSA signature algorithm - assumed PKCS#1 impl as opposed to NIST
X9.42 impl)
sunjce_provider.jar (Sun JCE provider)
1) Am I missing any other jars that comprise the umbrella "Sun JCA/JCE"
provider?
2) What is the relationship between sunrsasign.jar and the other two jars?
That is:
-Does the SHA1withRSA signature implementation delegate to the JCA SHA1
hash implementation (sun.security.provider.SHA) in rt.jar, or does it
implement SHA1 again in sunrsasign.jar specifically in the context of
SHA1withRSA?
-What jar contains the implementation of the RSA encryption algorithm as
defined in PKCS#1? Is it implemented in sunrsasign.jar specifically in the
context of SHA1withRSA (I cannot use it outright as a standalone JCE
javax.crypto.Cipher, and only as a JCA java.security.Signature)?
3) Are the implementations in the umbrella "Sun JCA/JCE" provider FIPS-140
certified by NIST? I only ask this because I see some FIPS-140 certificates
issued to Sun concerning software crypto modules. I'm anticipating a "no"
to this one, given how much Phaos touts their FIPS-140 compliance.
-Jon
-----Original Message-----
From: Sean Mullan [mailto:[EMAIL PROTECTED]
Sent: Friday, January 23, 2004 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Java] Newb question concerning XML-Sec JCE requirements
Anderson Jonathan wrote:
> Many, many thanks Sean. You just settled quite a few discussions in my
> shop.
You're welcome.
>
> A follow up question:
>
> Slides presented at JavaOne referred to JSR 105 and 106 being included in
> J2SE 1.5. What does this imply, exactly?
105/106 were originally targeted for J2SE 1.5 but since then the release has
been scaled back and this was one of the things that was dropped.
> Are JSR 105 and 106 built around an SPI model like JCA/JCE are?
Yes, vendors will be able to plug in their own implementations.
> Will there be a "reference implementation"
> of 105/106 included in the J2SE 1.5 distro?
There will be an RI but it won't be included in 1.5.
> Or will we still need a 3rd
> party XML-Security toolkit like Apache XML-Security alongside J2SE 1.5,
> assuming that the toolkit has rolled out 105/106 compliance?
The choice of a 105/106 provider will be up to you, just as you choose
to use different JCA/JCE providers.
I am sorry I can't give you much more details about the RI at this time.
I hope to have more information about the 105 RI that I can share with you
soon.
Thanks,
Sean
