为什么 JcaPEMKeyConverter 有一个 setProvider 方法?

huangapple go评论77阅读模式
英文:

why does JcaPEMKeyConverter have a setProvider method?

问题

我明白为什么java.security.Security有一个addProvider方法 - 因为Java有多个提供程序可以提供诸如javax.crypto.Cipher.getInstance()可以使用的功能(sun.security.provider.Sunorg.bouncycastle.jce.provider.BouncyCastleProvider等)。

但是为什么org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter有一个addProvider方法呢?考虑到所使用的命名空间,我很难想象除了BouncyCastle之外会有任何其他“提供程序”提供可替代的组件...

英文:

I get why java.security.Security has an addProvider method - because Java has multiple providers that can provide stuff like javax.crypto.Cipher.getInstance() can use (sun.security.provider.Sun, org.bouncycastle.jce.provider.BouncyCastleProvider, etc).

But why does org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter have an addProvider method? Given the namespacing being used I find it hard to imagine that any "provider" other than BouncyCastle would provide a drop in replacement...

答案1

得分: 1

我不知道你认为正在使用的“命名空间”是什么。JcaPEMKeyConverter 使用 JCA 来实现所需的加密操作,它可以使用提供所需操作的 任何 JCA 提供程序;几乎 JCA 的整个 目的 就是供应商使用相同的 API(或在技术上是 SPI,服务提供商接口),以便您可以选择地为相同的操作使用不同的提供商。

bcpkix、bcpg 和 bcmail 库中的一些,也许是大多数,操作可以使用 任何 合适的 JCA API(使用任何合适的 JCA 提供商)或 Bouncycastle 自己的私有 API(仅使用 Bouncy 代码),例如 org.bouncycastle.pkcs.PKCS12MacCalculator[Builder] 是具有可互换实现的接口 org.bouncycastle.pkcs.bc.BcPKCS12MacCalculator[Builder]org.bouncycastle.pkcs.jcajace.JcePKCS12MacCalcuator[Builder]。(Bouncy 在名称上没有像人们希望的那样在一致性上区分 JCA 和 JCE。)然而,JcaPEMKeyConverter 仅以 JCA 形式存在。

的确,拥有 Bouncy 附加库的人通常也会拥有并能够使用 Bouncy 提供程序,但并不总是如此。例如,美国联邦政府系统必须使用在 FIPS140 下验证的某些加密功能(主要是基元),而 Bouncy 确实有一个 FIPS140 实现,但在商业上使用它需要付费,而如果您在某些 IBM 系统上使用 IBM Java,则其提供程序(与常见的 Sun/Oracle/OpenJDK 不同)是经过 FIPS140 验证的,而无需额外付费。

英文:

I don't know what 'namespacing' you think is being used. JcaPEMKeyConverter uses JCA to implement the crypto operations it needs, and it can use any JCA provider that provides the needed operations; nearly the whole point of JCA is that providers use the same API (or technically SPI, Service Provider Interface) so that you can selectively use different providers for the same operation(s).

Some, perhaps most, of the operations in bcpkix bcpg and bcmail libraries can use either JCA API (using any suitable JCA provider(s)) or Bouncycastle's own private API (using only Bouncy code), e.g. org.bouncycastle.pkcs.PKCS12MacCalculator[Builder] are interfaces with interchangeable implementations org.bouncycastle.pkcs.bc.BcPKCS12MacCalculator[Builder] and org.bouncycastle.pkcs.jcajace.JcePKCS12MacCalcuator[Builder]. (Bouncy isn't as careful as one might wish about distinguishing JCA from JCE in names consistently.) However, JcaPEMKeyConverter comes only in the JCA form.

It is true someone who has Bouncy add-on libraries will often have and be able to use the Bouncy provider as well, but not always. For example, US federal government systems are required to use certain cryptographic functions (mostly primitives) that are validated under FIPS140 (currently at revision -2, soon -3), and while Bouncy does have a FIPS140 implementation, using it commercially requires payment, while if you are using e.g. IBM Java on certain IBM systems it has providers (different from the common Sun/Oracle/OpenJDK ones) that are FIPS140 validated at no additional charge.

答案2

得分: 1

翻译如下:

API 的设计并不基于用户必须使用 BouncyCastle 来提供加密服务的假设 - 一个明显的例子是人们使用 FIPS 提供程序,比如 BCFIPS。

然而,对于前面的回答有一个小修正,BCFIPS Java 提供程序没有许可费用或类似费用,作为该项目的成员之一,我对看到有人这样说感到非常不安。我很想知道这是从哪里听来的。

对于 FIPS 和非 FIPS 用户,我们提供支持计划,并在其中提供即将发布的 FIPS 版本的提前访问,这是需要付费的(这是我们资金的来源)。然而,一旦在 bouncycastle.org 上发布的实际 FIPS JAR 包是在 BC 许可下发布的,该许可基本上是 MIT X11 许可,与我们所有其他已发布的作品一样。我希望这能消除混淆。

英文:

It's correct that the API is not designed on the assumption that the user has to use BouncyCastle for the provision of cryptographic services - and a ready example of this is people using a FIPS provider, such as BCFIPS.

One small correction though to the preceding answer, there is no license fee or similar for the BCFIPS Java provider and as one of the members of the project I'm more than a little disturbed to see someone stating that. I would be curious to know where that was heard from.

We do have a support program for FIPS and non-FIPS users and it does provide early access to the in-progress FIPS releases as part of it and that does cost (that's how we fund everything). However, the actual released FIPS jars, once published on bouncycastle.org are licensed under the BC license, which is basically the MIT X11 license, like all our other published work. I hope this clears up the confusion.

huangapple
  • 本文由 发表于 2020年9月4日 10:12:42
  • 转载请务必保留本文链接:https://go.coder-hub.com/63733906.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定