Java Cryptography Extension (JCE)
Downloads
The Java SDK supports Java 8, 11, and 17.
-
Download Unified JCE and Java SDK here (with all dependencies)
SHA256 sum:cdd606b78b77a0016753899d436cad406b2b586b0134785fc979cfe1b53e132e
Download Using Maven
<dependency>
<groupId>com.fortanix</groupId>
<artifactId>sdkms-jce-provider</artifactId>
<version>5.7.2954</version>
</dependency>Alternatively, add the following dependency to the build.gradle file:
compile "com.fortanix:sdkms-jce-provider:5.7.2954"Maven
Additionally, add the pom.xml if you need to use it in Spring Boot 3.0.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>JCE Provider Documentation
Java SDK Documentation
Installation
For more information, refer to Java Cryptography Extension (JCE) Provider.
Operating System (OS) Compatibility Matrix
For more information on the JCE client OS compatibility matrix, refer to Compatibility Matrix.
Change Details
4.9.2091
- Support for Java 11 (OpenJDK 11).
- Fixed multipart encryption for Galois/Counter Mode (GCM)/ Cipher block chaining - message authentication code (CCM) mode of encryption.
-
Refactored the JCE code to address naming standards, packaging of classes, and duplication. The following classes have been renamed:
Modified classes:client/jce/src/main/java/com/fortanix/sdkms/jce/provider/util/ProviderUtil.java change-log: enums ECGenSpec, DigestAlgorithms & ECKeySizeSpec have been moved to their own separate public classes (ref new classes introduced section)New classes added:
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/DigestAlgorithms.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/ECGenSpec.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/constants/ECKeySizeSpec.java change-log: public enums extracted from ProviderUtil class client/jce/src/main/java/com/fortanix/sdkms/jce/provider/keys/sym/desede/SdkmsDesede.java change-log: separate class for desede instead of relying on des classes client/jce/src/main/java/com/fortanix/sdkms/jce/provider/service/SdkmsCommonService.java change-log: common code has been moved to this class to reduce duplicationRenamed classes:
SdkmsCertificate.java → SdkmsCertificateService.java {same package} client/jce/src/main/java/com/fortanix/sdkms/jce/provider/service/SdkmsCertificateService.java service/SdkmsSignature.java → signatures/SdkmsSignatureService.java {package changed} client/jce/src/main/java/com/fortanix/sdkms/jce/provider/signatures/SdkmsSignatureService.javaPackage change:
client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → agreement } /ECDHKeyAgreement.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /AESCipher.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /CipherCore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /DESCipher.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /RSACipher.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → ciphers } /SdkmsCipher.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → ciphers } /TripleDESCipher.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → config } /Configuration.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → constants } /AccessControlKeys.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → constants } /AlgorithmParameters.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { util → constants } /ProviderConstants.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → digests } /MessageDigestImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → digests } /SdkmsDigest.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsCipherKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys } /SdkmsSecretKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAKeyPairGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAPrivateKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/dsa } /DSAPublicKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/asym/dsa } /SdkmsDsa.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECKeyFactory.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECKeyPairGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECPrivateKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/elliptic } /ECPublicKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/{ service → keys/asym/elliptic } /SdKmsEc.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAKeyFactory.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAKeyPairGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAPrivateKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/asym/rsa } /RSAPublicKeyImpl.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/asym/rsa } /SdKmsRsa.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /AESKeyGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /AESSecretKeyFactory.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/aes } /SdkmsAESKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/sym/aes } /SdkmsAes.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /DESKeyGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /DESSecretKeyFactory.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/des } /SdkmsDESKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → keys/sym/des } /SdkmsDes.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /DESedeKeyGenerator.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /DESedeSecretKeyFactory.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keys/sym/desede } /SdkmsDESedeKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /KeyStore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /LocalKeyStore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → keystore } /SdkmsKeyStore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /HmacCore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /KeyGeneratorCore.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → macs } /SdkmsHmacKey.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { service → macs } /SdkmsMac.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /IPadding.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /NoPadding.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → paddings } /PKCS5Padding.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /DSASignature.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /ECDSASignature.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /Ed25519Signature.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → signatures } /RSASignature.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → spec } /SecurityObjectKeySpec.java client/jce/src/main/java/com/fortanix/sdkms/jce/provider/ { → spec } /SecurityObjectParameterSpec.java
3.19.1352
-
Improved Fortanix Data Security Manager (DSM) implementation of Java
Cryptographic
Key and Key Pair interfaces to support initialization using the Name
of the
key, besides Key ID.
-
Old constructor (Deprecated from 3.19 onwards):
SdkmsAESKey key = new SdkmsAESKey("<Key-UUID>", 128, null) -
New constructor: Initialize by Key ID
SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().kid("<Key-UUID>")) -
New constructor: Initialize by Key Name, for example:
SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().name("MyKeyName"))
SdkmsDESKey,SdkmsDESedeKey,RSAPrivateKeyImpl,RSAPublicKeyImpl,ECPrivateKeyImpl,ECPublicKeyImpl,SDKMSKmacKey
- No changes in theKeyGenerator,KeyPairGenerator,Cipher,Signatureusage. -
Old constructor (Deprecated from 3.19 onwards):
- Optimized to Cipher implementation, which eliminates extra API requests, thus improving client-side throughput by two times.
-
Added support for Multipart Cipher operations for AES GCM mode. This
is supported
for Fortanix DSM server version 3.19 or higher only.
- Added support for Elliptic Curve Ed25519 for ECDSA operations.
- Fortanix DSM JCE provider is published to Maven from this release onwards. See the section Maven for updated install instructions.
-
Added support for using Local Sun implementation for
MessageDigestoperations using env variableexport FORTANIX_USE_LOCAL_DIGEST=true. This optimizes signing operations of large files and is helpful in jar signing use-cases. -
Added support for importing public key by default as a
transient key (which are not persisted in Fortanix DSM and lives
only during a session lifetime) using env variable
export FORTANIX_PUBKEY_IMPORT_TRANSIENT=true. This is helpful in jar signing use-cases, wherejarsignerrequires to use the public key in a temporary manner. -
Added support for Fortanix DSM JCE initialization with API Endpoint and
API
Key in provider constructor. Thus, reducing the requirement of using
the
env variable for the same. This is helpful in environments, where setting
the env variable is not possible. For example: initialize(
<apiEndpoint>, <apiKey>).
3.21.1992
Connection Pooling
Fortanix DSM version 3.21 and above supports a new feature called Connection Pooling.
Connection pooling allows restriction and reuse of connections with a maximum limit specified.
This allows setting some safe limits on each JCE application so that no single application
can overwhelm the server.
With JCE Connection Pooling
The environment variable FORTANIX_CONN_MAX is set to the maximum number of connections from that instance of the JCE application.
Without JCE Connection Pooling
When the environment variable FORTANIX_CONN_MAX is not exported or is set to `0`, JCE will behave without any connection pooling/limit. This is similar to JCE behavior prior to version 3.21.
Scenarios
-
FORTANIX_CONN_MAX = 0.- Existing behavior: number of sockets is equal to the number of concurrent threads.
-
FORTANIX_CONN_MAX = X, Concurrent threads less than X.- Behavior: Less than X sockets open at a time.
- Observation: The sockets are also being reused.
-
FORTANIX_CONN_MAX = X, Concurrent threads greater than X.- Behavior: Maximum X sockets open with reuse.
- Observation: higher latency, which is expected since threads are now waiting for connections to get free.
JCE logging
With the 3.21 release, by default the logging option is disabled, and in order to enable it export the following environment variables:
-
To enable debug logs, set the environment variable:
export FORTANIX_LOG_DEBUG=true -
To enable only API logs, set the environment variable:
export FORTANIX_LOG_API=true -
To set a file location for local logs, set the environment variable:
export FORTANIX_LOG_FOLDER="/path/to/logfile-folder"This will create a log file
/path/to/logfile-folder/sdkms-jce.log.
Comments
Article is closed for comments.