Java Cryptography Extension (JCE)
Downloads
The Java SDK supports Java 8, 11, and 17.
- Download Unified JCE and Java SDK here (with all dependencies)
SHA256 sum:
3a2da4a7551a17950829dbc339faaa43de1febe4639ecc79b67eb3d1ea1dff1c
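One way to check the downloaded archive against the SHA256 sum published above before it goes into a build. This is an added example, not part of the Fortanix documentation; the function name is hypothetical, and the archive's file name is not given on this page, so it is passed as an argument.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 digest with a published value and fail closed.
# verify_sha256 is a hypothetical helper name, not a Fortanix tool.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject truncated or mis-pasted sums: exactly 64 hex characters are required.
  case $expected in
    *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex chars" >&2; return 2; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  # Hash from stdin so an unusual file name cannot alter the tool's output format.
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
  elif command -v shasum >/dev/null 2>&1; then
    actual=$(shasum -a 256 < "$file" | cut -d' ' -f1)
  else
    echo "no SHA-256 tool found" >&2; return 2
  fi
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "MISMATCH: computed $actual" >&2
  return 1
}

# Usage: sh verify.sh <downloaded-archive>
# The digest below is the SHA256 sum published on this page.
if [ "$#" -eq 1 ]; then
  verify_sha256 "$1" 3a2da4a7551a17950829dbc339faaa43de1febe4639ecc79b67eb3d1ea1dff1c && echo "OK"
fi
```

Exit status 1 means the digest differs and 2 means the check could not be performed, so a build script can treat any non-zero status as a reason to stop.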
Download Using Maven
<dependency>
  <groupId>com.fortanix</groupId>
  <artifactId>sdkms-jce-provider</artifactId>
  <version>4.37.2554</version>
</dependency>
Alternatively, add the following dependency to the build.gradle file:
implementation "com.fortanix:sdkms-jce-provider:4.37.2554"
Maven
Additionally, add the following to the pom.xml if you need to use it with Spring Boot 3.0.
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter</artifactId>
  <exclusions>
    <exclusion>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-logging</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
JCE Provider Documentation
Java SDK Documentation
Installation
Check the JCE provider developer guide for more details.
Operating System (OS) Compatibility Matrix
For details on the JCE client OS compatibility matrix, refer to Clients: Compatibility Matrix.
Change Details
4.9.2091
- Support for Java 11 (OpenJDK 11).
- Fixed multipart encryption for the Galois/Counter Mode (GCM) and Counter with Cipher Block Chaining-Message Authentication Code (CCM) modes of encryption.
- Refactored the JCE code to address naming standards, packaging of classes, and duplication. The following classes have been renamed:
Modified classes:
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/util/ProviderUtil.java
change-log: enums ECGenSpec, DigestAlgorithms & ECKeySizeSpec have been moved to their own separate public classes (ref new classes introduced section)
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/DigestAlgorithms.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/ECGenSpec.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/ECKeySizeSpec.java
change-log: public enums extracted from ProviderUtil class
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/keys/sym/desede/SdkmsDesede.java
change-log: separate class for desede instead of relying on des classes
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/service/SdkmsCommonService.java
change-log: common code has been moved to this class to reduce duplication
SdkmsCertificate.java → SdkmsCertificateService.java {same package}
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/service/SdkmsCertificateService.java
service/SdkmsSignature.java → signatures/SdkmsSignatureService.java {package changed}
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/signatures/SdkmsSignatureService.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → agreement } /ECDHKeyAgreement.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /AESCipher.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /CipherCore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /DESCipher.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /RSACipher.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → ciphers } /SdkmsCipher.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /TripleDESCipher.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → config } /Configuration.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → constants } /AccessControlKeys.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → constants } /AlgorithmParameters.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { util → constants } /ProviderConstants.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → digests } /MessageDigestImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → digests } /SdkmsDigest.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsCipherKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsSecretKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAKeyPairGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAPrivateKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAPublicKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/asym/dsa } /SdkmsDsa.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECKeyFactory.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECKeyPairGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECPrivateKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECPublicKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/asym/elliptic } /SdKmsEc.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAKeyFactory.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAKeyPairGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAPrivateKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAPublicKeyImpl.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/asym/rsa } /SdKmsRsa.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /AESKeyGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /AESSecretKeyFactory.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /SdkmsAESKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/sym/aes } /SdkmsAes.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /DESKeyGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /DESSecretKeyFactory.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /SdkmsDESKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/sym/des } /SdkmsDes.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /DESedeKeyGenerator.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /DESedeSecretKeyFactory.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /SdkmsDESedeKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /KeyStore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /LocalKeyStore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /SdkmsKeyStore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /HmacCore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /KeyGeneratorCore.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /SdkmsHmacKey.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → macs } /SdkmsMac.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /IPadding.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /NoPadding.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /PKCS5Padding.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /DSASignature.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /ECDSASignature.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /Ed25519Signature.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /RSASignature.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → spec } /SecurityObjectKeySpec.java
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → spec } /SecurityObjectParameterSpec.java
3.19.1352
- Improved Fortanix Data Security Manager (DSM) implementation of Java Cryptographic Key and Key Pair interfaces to support initialization using the name of the key, in addition to the Key ID.
  - Old constructor (deprecated from 3.19 onwards):
    SdkmsAESKey key = new SdkmsAESKey("<Key-UUID>", 128, null);
  - New constructor: Initialize by Key ID
    SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().kid("<Key-UUID>"));
  - New constructor: Initialize by Key Name, for example:
    SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().name("MyKeyName"));
  - SdkmsDESKey, SdkmsDESedeKey, RSAPrivateKeyImpl, RSAPublicKeyImpl, ECPrivateKeyImpl, ECPublicKeyImpl, SDKMSKmacKey
  - No changes in the KeyGenerator, KeyPairGenerator, Cipher, Signature usage.
- Optimized the Cipher implementation to eliminate extra API requests, improving client-side throughput by two times.
- Added support for Multipart Cipher operations for AES GCM mode. This is supported for Fortanix DSM server version 3.19 or higher only.
- Added support for Elliptic Curve Ed25519 for ECDSA operations.
- Fortanix DSM JCE provider is published to Maven from this release onwards. See the section Maven for updated install instructions.
- Added support for using the local Sun implementation for MessageDigest operations using the env variable export FORTANIX_USE_LOCAL_DIGEST=true. This optimizes signing operations of large files and is helpful in jar signing use-cases.
- Added support for importing a public key by default as a transient key (which is not persisted in Fortanix DSM and lives only for the lifetime of a session) using the env variable export FORTANIX_PUBKEY_IMPORT_TRANSIENT=true. This is helpful in jar signing use-cases, where jarsigner needs to use the public key temporarily.
- Added support for Fortanix DSM JCE initialization with the API Endpoint and API Key in the provider constructor, reducing the need to use env variables for the same. This is helpful in environments where setting the env variable is not possible. For example: initialize(<apiEndpoint>, <apiKey>).
3.21.1992
Connection Pooling
Fortanix DSM version 3.21 and above supports a new feature called Connection Pooling.
Connection pooling limits connections to a specified maximum and reuses them.
This allows setting safe limits on each JCE application so that no single application
can overwhelm the server.
With JCE Connection Pooling
The environment variable FORTANIX_CONN_MAX is set to the maximum number of connections from that instance of the JCE application.
Without JCE Connection Pooling
When the environment variable FORTANIX_CONN_MAX is not exported or is set to 0, JCE will behave without any connection pooling/limit. This is similar to JCE behavior prior to version 3.21.
Scenarios
- FORTANIX_CONN_MAX = 0.
  - Existing behavior: Number of sockets is equal to the number of concurrent threads.
- FORTANIX_CONN_MAX = X, concurrent threads less than X.
  - Behavior: Less than X sockets open at a time.
  - Observation: The sockets are also being reused.
- FORTANIX_CONN_MAX = X, concurrent threads greater than X.
  - Behavior: Maximum X sockets open with reuse.
  - Observation: Higher latency, which is expected since threads are now waiting for connections to become free.
JCE logging
With the 3.21 release, logging is disabled by default. To enable it, export the following environment variables:
- To enable debug logs, set the environment variable:
  export FORTANIX_LOG_DEBUG=true
- To enable only API logs, set the environment variable:
  export FORTANIX_LOG_API=true
- To set a file location for local logs, set the environment variable:
  export FORTANIX_LOG_FOLDER="/path/to/logfile-folder"
  /path/to/logfile-folder/sdkms-jce.log.
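A pre-flight check for the connection pooling and logging variables described above, as an added example that is not part of the Fortanix documentation. Only the variable names and the meaning of an unset or 0 FORTANIX_CONN_MAX come from this page; the function names, the WARN/FAIL wording and the rule that the log folder must not be writable by other users are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the FORTANIX_* variables before starting a JCE application.
# conn_mode and audit_fortanix_env are hypothetical helper names.

# Map a FORTANIX_CONN_MAX value to the pooling behaviour the page documents.
conn_mode() {
  case "${1-}" in
    ''|0)     echo unlimited ;;    # unset or 0: no pooling, one socket per thread
    *[!0-9]*) echo invalid ;;      # not a non-negative integer (the page does not define this case)
    *)        echo "pooled:$1" ;;  # at most $1 sockets, reused across threads
  esac
}

# Print findings; return 0 when there are none and 1 otherwise.
audit_fortanix_env() {
  rc=0
  case "$(conn_mode "${FORTANIX_CONN_MAX-}")" in
    unlimited) echo "WARN: FORTANIX_CONN_MAX unset or 0, sockets grow with thread count"; rc=1 ;;
    invalid)   echo "FAIL: FORTANIX_CONN_MAX='${FORTANIX_CONN_MAX}' is not a number"; rc=1 ;;
  esac
  # The log folder only matters when one of the logging switches is on.
  if [ "${FORTANIX_LOG_DEBUG-}" = true ] || [ "${FORTANIX_LOG_API-}" = true ]; then
    dir="${FORTANIX_LOG_FOLDER-}"
    if [ -z "$dir" ]; then
      echo "WARN: logging enabled but FORTANIX_LOG_FOLDER is not set"; rc=1
    elif [ ! -d "$dir" ]; then
      echo "FAIL: FORTANIX_LOG_FOLDER '$dir' is not a directory"; rc=1
    else
      # Columns 1-10 of ls -ld are the type plus three rwx triplets; column 9 is "other write".
      case "$(ls -ld -- "$dir" | cut -c1-10)" in
        ????????w?) echo "FAIL: log folder '$dir' is writable by other users"; rc=1 ;;
      esac
    fi
  fi
  return "$rc"
}

audit_fortanix_env || echo "Review the findings above before starting the JCE application."
```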