Integrate Java Cryptography with Windows
Reduce security management overhead and improve certificate validity checking
by Brian Boyter

July 2002 Issue

Public-key cryptography requires a place to store digital certificates and private keys. The Java Security Architecture achieves platform independence by storing the keys and certificates in a file (the keystore).

Microsoft Windows stores keys and certificates in the Windows registry and file system. This means that users running secure Java programs on Windows systems must export and import keys and certificates between the Java and Microsoft key and certificate stores. The good news is that you can "trick" Java applications into using the Microsoft certificate and key stores through the use of Microsoft native functions.

By interfacing your Java applications to the Windows key/certificate stores you sacrifice platform independence, but you gain four advantages: reduced management and support cost, greater ease of use, better certificate revocation checking, and better key and certificate management tools.

A Java program must interface to Windows cryptography through four different classes:

  • TrustManager Provider: This class interfaces to the Windows certificate store and implements the security policy.
  • KeyManager Provider: This class interfaces to the Windows private key store.
  • RSA Signature Provider: Digital signatures require access to the private key store. If the Java program can't read the private key (for example, if the private key is stored on a cryptographic smart card), the signature operation must be performed in Windows.
  • RSA Cipher Provider: Decryption of RSA-encrypted data (such as secure sockets layer (SSL) symmetric encryption keys) requires access to the private key store. If the Java program can't read the private key (for example, if the private key is stored on a cryptographic smart card), the RSA decryption operation must be done in Windows.

I'll document the development of a TrustManager Provider, KeyManager Provider, RSA Signature Provider, and RSA Cipher Provider that are integrated with the Windows platform. The TrustManager and KeyManager are all you need to build a working Windows-enabled Java Secure Socket Extension (JSSE) application. The JSSE example programs—EchoServer and EchoClient—demonstrate this. You cannot override JSSE's built-in RSA Cipher Provider so JSSE will work only if the private keys can be exported from the Windows key store.

If you are writing a Java application that uses RSA signatures or RSA encryption, then you can use the Windows-enabled RSA Signature Provider and Cipher Provider. These do not require the private key to be exported from the Windows key store. You can use each provider independently of the other three.
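The following is an added example, not code from the article or the author's native providers: it fills the TrustManager and KeyManager roles described above with the SunMSCAPI provider that later JDKs ship on Windows (keystore types "Windows-ROOT" and "Windows-MY"), and turns on the revocation checking that JSSE leaves off by default. The class name WindowsSslContext is an assumption for illustration.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose trust decisions and private-key operations are
 * backed by the Windows certificate and key stores. Requires a JDK on Windows
 * that ships the SunMSCAPI provider (class name is an illustrative assumption).
 */
public final class WindowsSslContext {

    private WindowsSslContext() {}

    public static SSLContext build() throws Exception {
        // TrustManager role: anchors come from the user's Windows "Trusted Root
        // Certification Authorities" store. No keystore file, password or export.
        KeyStore roots = KeyStore.getInstance("Windows-ROOT");
        roots.load(null, null);

        // PKIX path validation over those anchors. Revocation checking is
        // disabled by default; enable it and allow OCSP in addition to CRLs.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(roots, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        Security.setProperty("ocsp.enable", "true");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        // KeyManager role: the user's personal ("Windows-MY") store. The private
        // key stays inside CAPI; handshake signing and RSA decryption are done
        // by the provider, so a non-exportable or smart-card key works as well.
        // The password is null because access is governed by Windows, not Java.
        KeyStore my = KeyStore.getInstance("Windows-MY");
        my.load(null, null);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(my, null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Pass the returned context's socket factory to the EchoServer or EchoClient in place of the default one; a server certificate that is revoked or chains to a root missing from the Windows store then fails the handshake.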
