2 Migrating to the JCE Framework
The Oracle Security Developer Tools framework in OracleAS 11gR1 introduces changes to low-level libraries to comply with the Java Cryptography Extension (JCE) framework.
The changes affect both client programs and higher-level libraries of the Oracle Security Developer Tools.
This chapter describes how the changes affect the toolkit architecture, and explains how you can migrate your programs to leverage the new functions. It contains these topics:
■ The JCE Framework
■ JCE Keys
■ JCE Certificates
■ JCE Certificate Revocation Lists (CRLs)
■ JCE Keystores
Additional Reading
The primary focus of this chapter is on the changes to the Oracle Security Developer Tools for the JCE framework, and how to migrate your existing security artifacts to JCE objects.
For more information about how to utilize the capabilities of the JCE framework and security-related APIs, including such topics as generating different types of keys and key pairs, certificates, and so on, refer to the JDK 6 Security documentation at http://java.sun.com/javase/6/docs/technotes/guides/security/index.html.
2.1 The JCE Framework
Prior to Oracle Fusion Middleware 11g, Oracle Security Developer Tools used a cryptographic engine that was developed before JCE was adopted in the market.
To enable applications (including Oracle Application Server) to continue their move to adopt JCE, the Oracle Security Developer Tools have, with Oracle Fusion Middleware 11g, standardized on low-level libraries that are compliant with the Java Cryptography Extension (JCE) framework. Benefits of the new toolkit include:
■ standards-based implementations of cryptographic and certificate management engines
■ a pluggable JCE provider architecture that enables you to leverage third-party JCE provider implementations
■ the ability to use third-party providers as the cryptographic engine
2-2 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
2.2 JCE Keys
In OracleAS 11gR1, the higher-level toolkits (Oracle XML Security, Oracle Web Services Security, Oracle CMS, Oracle S/MIME, Oracle XKMS) have changed so that instead of taking Oracle cryptographic keys and certificates, they take standard JCE keys and certificates. Thus, APIs that previously took an oracle.security.crypto.core.PublicKey now take a java.security.PublicKey.
■ oracle.security.crypto.core.PublicKey changed to java.security.PublicKey
■ oracle.security.crypto.core.PrivateKey changed to java.security.PrivateKey
■ oracle.security.crypto.core.SymmetricKey changed to javax.crypto.SecretKey
2.2.1 Converting an Existing Key Object to a JCE Key Object
If you are using a java.security.KeyStore to store your keys, you get a java.security.PrivateKey object from it directly, so no conversion is needed.
However, if you are using an oracle.security.crypto.cert.PKCS12 object to store your keys, you get an oracle.security.crypto.core.PrivateKey from it, and you then need to convert it to a java.security.PrivateKey object.
Note: This discussion highlights changes in the Oracle Security Developer Tools in support of JCE. For fuller details of all the available cryptographic functions, see the API documentation.

Converting a Private Key from Oracle Security Developer Tools to JCE Object

    // Conversion of PrivateKeys from OSDT -> JCE
    import java.security.KeyFactory;
    import java.security.interfaces.DSAPrivateKey;
    import java.security.interfaces.RSAPrivateCrtKey;
    import java.security.interfaces.RSAPrivateKey;
    import java.security.spec.DSAPrivateKeySpec;
    import java.security.spec.RSAPrivateCrtKeySpec;
    import java.security.spec.RSAPrivateKeySpec;
    import javax.crypto.interfaces.DHPrivateKey;
    import javax.crypto.spec.DHPrivateKeySpec;

    { // Example code to convert an RSAPrivateKey (non CRT) to JCE
        oracle.security.crypto.core.RSAPrivateKey osdtKey = null; // your existing OSDT key (null is a placeholder)
        RSAPrivateKeySpec keySpec = new RSAPrivateKeySpec(
            osdtKey.getModulus(), osdtKey.getExponent());
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAPrivateKey jceKey = (RSAPrivateKey) kf.generatePrivate(keySpec);
    }

    { // Example code to convert an RSAPrivateKey (CRT) to JCE
        oracle.security.crypto.core.RSAPrivateKey osdtKey = null; // your existing OSDT key
        RSAPrivateKeySpec keySpec = new RSAPrivateCrtKeySpec(
            osdtKey.getModulus(), osdtKey.getPublicExponent(),
            osdtKey.getExponent(), osdtKey.getPrimeP(),
            osdtKey.getPrimeQ(), osdtKey.getPrimeExponentP(),
            osdtKey.getPrimeExponentQ(), osdtKey.getCrtCoefficient());
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAPrivateCrtKey jceKey = (RSAPrivateCrtKey) kf.generatePrivate(keySpec);
    }

    { // Example code to convert a DSAPrivateKey to JCE
        oracle.security.crypto.core.DSAPrivateKey osdtKey = null; // your existing OSDT key
        DSAPrivateKeySpec keySpec = new DSAPrivateKeySpec(
            osdtKey.getX(), osdtKey.getParams().getP(),
            osdtKey.getParams().getQ(), osdtKey.getParams().getG());
        KeyFactory kf = KeyFactory.getInstance("DSA");
        DSAPrivateKey jceKey = (DSAPrivateKey) kf.generatePrivate(keySpec);
    }

    { // Example code to convert a DHPrivateKey to JCE
        oracle.security.crypto.core.DHPrivateKey osdtKey = null; // your existing OSDT key
        // Note: q is assumed to be (p-1)/2, so only p and g are carried over
        DHPrivateKeySpec keySpec = new DHPrivateKeySpec(
            osdtKey.getX(), osdtKey.getParams().getP(),
            osdtKey.getParams().getG());
        KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
        DHPrivateKey jceKey = (DHPrivateKey) kf.generatePrivate(keySpec);
    }
Converting a Private Key from JCE Object to Oracle Security Developer Tools

    // Conversion of Private Keys from JCE -> OSDT
    import java.math.BigInteger;
    import java.security.interfaces.DSAPrivateKey;
    import java.security.interfaces.RSAPrivateCrtKey;
    import java.security.interfaces.RSAPrivateKey;
    import javax.crypto.interfaces.DHPrivateKey;

    { // Example code to convert an RSAPrivateKey (non CRT) to OSDT
        RSAPrivateKey jceKey = null; // your existing JCE key (null is a placeholder)
        oracle.security.crypto.core.RSAPrivateKey osdtKey =
            new oracle.security.crypto.core.RSAPrivateKey(
                jceKey.getModulus(), jceKey.getPrivateExponent());
    }

    { // Example code to convert an RSAPrivateKey (CRT) to OSDT
        RSAPrivateCrtKey jceKey = null; // your existing JCE key
        oracle.security.crypto.core.RSAPrivateKey osdtKey =
            new oracle.security.crypto.core.RSAPrivateKey(
                jceKey.getModulus(), jceKey.getPrivateExponent(),
                jceKey.getPublicExponent(), jceKey.getPrimeP(), jceKey.getPrimeQ(),
                jceKey.getPrimeExponentP(), jceKey.getPrimeExponentQ(),
                jceKey.getCrtCoefficient());
    }

    { // Example code to convert a DSAPrivateKey to OSDT
        DSAPrivateKey jceKey = null; // your existing JCE key
        oracle.security.crypto.core.DSAPrivateKey osdtKey =
            new oracle.security.crypto.core.DSAPrivateKey(jceKey.getX(),
                new oracle.security.crypto.core.DSAParams(jceKey.getParams().getP(),
                    jceKey.getParams().getQ(), jceKey.getParams().getG()));
    }

    { // Example code to convert a DHPrivateKey to OSDT
        DHPrivateKey jceKey = null; // your existing JCE key
        // Note: JCE DH parameters carry no q, so calculate q = (p-1)/2
        oracle.security.crypto.core.DHPrivateKey osdtKey =
            new oracle.security.crypto.core.DHPrivateKey(jceKey.getX(),
                new oracle.security.crypto.core.DHParams(jceKey.getParams().getP(),
                    jceKey.getParams().getG(),
                    jceKey.getParams().getP().subtract(BigInteger.ONE).divide(BigInteger.valueOf(2))));
    }
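The conversions above rebuild a key from its individual components, so a mistake in a component produces a key that looks valid but does not match its public half. The following is an added example, not code from the Oracle documentation: it uses a JDK-generated RSA key in place of an OSDT key (the class and method names are its own), takes both the non-CRT and the CRT path through KeyFactory, and verifies each rebuilt key against the original public key before it would be used.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;

// Added example (not from the Oracle documentation): rebuilds an RSA private key
// from its components through KeyFactory, the same path the OSDT-to-JCE conversion
// takes, and checks the rebuilt key against the original public key before use.
public class KeyConversionCheck {

    // Non-CRT path: only modulus and private exponent (osdtKey.getModulus()/getExponent()
    // in the migration; here taken from a JDK-generated key).
    static RSAPrivateKey fromComponents(BigInteger n, BigInteger d) throws Exception {
        return (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new RSAPrivateKeySpec(n, d));
    }

    // CRT path: all eight components, in the order RSAPrivateCrtKeySpec expects.
    static RSAPrivateCrtKey fromCrtComponents(RSAPrivateCrtKey k) throws Exception {
        RSAPrivateCrtKeySpec spec = new RSAPrivateCrtKeySpec(
                k.getModulus(), k.getPublicExponent(), k.getPrivateExponent(),
                k.getPrimeP(), k.getPrimeQ(), k.getPrimeExponentP(),
                k.getPrimeExponentQ(), k.getCrtCoefficient());
        return (RSAPrivateCrtKey) KeyFactory.getInstance("RSA").generatePrivate(spec);
    }

    // Sanity check: a signature made with the converted key must verify with the
    // original public key. A key rebuilt from wrong components fails here, not later.
    static boolean matchesPublicKey(PrivateKey priv, PublicKey pub) throws Exception {
        byte[] msg = "conversion check".getBytes();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv); s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub); s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPrivateCrtKey orig = (RSAPrivateCrtKey) kp.getPrivate();
        RSAPrivateKey plain = fromComponents(orig.getModulus(), orig.getPrivateExponent());
        RSAPrivateCrtKey crt = fromCrtComponents(orig);
        System.out.println("non-CRT key verifies: " + matchesPublicKey(plain, kp.getPublic()));
        System.out.println("CRT key verifies:     " + matchesPublicKey(crt, kp.getPublic()));
    }
}
```

In a real migration, pass the OSDT key's components (getModulus(), getExponent(), getPrimeP() and so on) into the same two factory methods and run matchesPublicKey() against the public key from the matching certificate.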
2.3 JCE Certificates
In OracleAS 11gR1, oracle.security.crypto.cert.X509 is changed to java.security.cert.X509Certificate.
Several utility methods are available for creating and working with JCE certificates:
2.3.1 Switching to a JCE Certificate
An X509Certificate object can be created from an input stream using java.security.cert.CertificateFactory. The input stream can be one of the following:
■ a FileInputStream, if the certificate is stored in a file, or
■ a ByteArrayInputStream, if we got the encoded bytes from an old X509 object, or
■ any other source.
For example, the following code converts an Oracle Security Developer Tools certificate to a JCE certificate:

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(
        new FileInputStream(certFileName));

where certFileName is the name of the certificate file.
2.4 JCE Certificate Revocation Lists (CRLs)
In OracleAS 11gR1, oracle.security.crypto.cert.CRL is replaced by java.security.cert.CRL.
You can create the java.security.cert.CRL object:
■ from an input stream
■ by using java.security.cert.CertificateFactory
The input stream can be one of the following:
■ a FileInputStream, if the CRL is stored in a file
■ a ByteArrayInputStream, if the encoded bytes were obtained from an old oracle.security.crypto.cert.CRL object
■ any other source
Here is an example of CRL object creation:

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509CRL crl = (X509CRL) cf.generateCRL(new FileInputStream(crlFileName));

where crlFileName is the name of the CRL file.
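Sections 2.3 and 2.4 show how to obtain X509Certificate and CRL objects from CertificateFactory; what they do not show is the checks a caller must make before acting on a CRL. The following is an added example, not code from the Oracle documentation: it loads a certificate, its issuer certificate and a CRL from files named on the command line (file paths and the separately supplied issuer certificate are assumptions), and reports the certificate as usable only if the CRL is issued and signed by that issuer, is not past its nextUpdate, and does not list the certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example (not from the Oracle documentation): loads a certificate and a CRL
// through CertificateFactory, then performs the checks a caller should make before
// trusting the CRL: issuer match, signature, freshness and revocation status.
public class CrlCheck {

    static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static X509CRL loadCrl(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            // generateCRL returns java.security.cert.CRL; the X509CRL cast gives access
            // to the issuer name, update dates and per-serial revocation entries.
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    // Returns true only if 'crl' comes from the issuer of 'cert', verifies under the
    // issuer's key, is still current at 'now', and does not list 'cert'.
    static boolean certStillValid(X509Certificate cert, X509CRL crl,
                                  X509Certificate issuer, Date now) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            crl.verify(issuer.getPublicKey());      // unsigned or tampered CRL: reject
        } catch (Exception e) {
            return false;
        }
        // A CRL past nextUpdate is stale; refuse rather than read "not listed" as "not revoked"
        Date next = crl.getNextUpdate();
        if (next != null && next.before(now)) return false;
        return !crl.isRevoked(cert);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCert(args[0]);     // end-entity certificate
        X509Certificate issuer = loadCert(args[1]);   // CA certificate that issued it
        X509CRL crl = loadCrl(args[2]);               // CRL published by that CA
        System.out.println("certificate usable: " + certStillValid(cert, crl, issuer, new Date()));
    }
}
```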
2.5 JCE Keystores