Jar Verification with Custom Security Provider

Smith, Bill (Tridium) bsmith at tridium.com
Fri Oct 24 00:10:11 UTC 2014

Because of performance issues, we have a security provider that has a native
back end. All the core pieces are implemented (SHA1, SHA256, RSA, DSA,
etc.). However, when I add the new provider to the top of the list in
java.security and start an app with signed jars. My provider isn't used.
Digging through the openjdk code, it appears that JarVerifier refers to
ManifestEntryVerifier and SignatureFileVerifier which has it hard coded to
use the Sun security provider. Does anybody know a way around that? It seems
that this would make it impossible to be FIPS compliant with a certified
security provider, because the code signing verification would still be done
by Sun/SunRsa/SunEC. 


Bill Smith
Senior Software Engineer
Tridium, Inc.
(O) 804-527-3141

Notice: This email message, together with any attachments, contains
information of Tridium Incorporated, which may be confidential, proprietary,
copyrighted and/or legally privileged. This email is intended solely for the
use of the individual or entity named on the message. If you are not the
intended recipient, and have received this message in error, please
immediately return by email and then delete it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5129 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20141024/d6c714fd/smime-0001.p7s>

More information about the security-dev mailing list