Difference between revisions of "JGridstart/Bouncycastle and Java Web start"
Revision as of 12:27, 5 September 2011
BouncyCastle is a cryptographic library for Java that complements the default Java Cryptography Extension. To use it as a provider (e.g. to access a KeyStore that is supported by BouncyCastle), one has to use the JAR file provided by them, because that one is signed by Sun (a requirement stemming from countries' security policies). When creating a Java Web Start application, both the application and the BouncyCastle JAR need to be included. This page explains how this can be done.
There are two ways in which BouncyCastle can be supplied with a Java Web Start application: including the BouncyCastle JAR in the main application's JNLP, or using a JNLP extension. The latter is slightly more involved, but it also works with all-permissions for JRE 1.6.0_13 and below. Only the latter option is described here for now (see Java bug #6598556).
Using a BouncyCastle JNLP extension
The way to do this is by referencing a BouncyCastle JNLP file using the extension tag. For example, the file app.jnlp:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" href="app.jnlp" codebase="http://somewhere/">
  <information>
    <title>App</title>
    <vendor>Nikhef</vendor>
    <homepage href="http://somewhere/"/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se href="http://java.sun.com/products/autodl/j2se" version="1.5+"/>
    <jar href="app.jar"/>
    <extension name="BouncyCastle cryptography library" href="bcprov-jdk15.jnlp"/>
  </resources>
  <application-desc main-class="app.Main"/>
</jnlp>
This references the file bcprov-jdk15.jnlp, which describes the BouncyCastle extension. The BouncyCastle JAR cannot be put in the application's own JNLP, because all JARs in a single JNLP file need to be signed by the same key. The file bcprov-jdk15.jnlp can contain:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://somewhere/" href="bcprov-jdk15.jnlp">
  <information>
    <title>bcprov-jdk15</title>
    <vendor>Sun Microsystems, Inc.</vendor>
    <offline-allowed/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <jar href="bcprov-jdk15-146.jar"/>
  </resources>
  <component-desc/>
</jnlp>
Note that this file also has the all-permissions tag in its security section; it is needed to allow the JAR to register itself as a cryptography provider.
Now when the Java Web Start application is run, the user has to accept a warning dialog twice: once for the application itself and once for the BouncyCastle extension. This is a little troublesome, since the user doesn't care about the extension; having just consented to grant the application access, why should he be asked for it again?
The solution to this issue is to sign the BouncyCastle JAR with the same key as the application JAR. The resulting BouncyCastle JAR is then signed twice: META-INF/BC-KEY.* grants the permission to be used as a cryptography provider, and META-INF/<MY-KEY>.* grants the other permissions. Because the same key is used for your application and for BouncyCastle, the user only needs to accept it once.
If you don't want to sign the BouncyCastle JAR yourself, it is still possible to work around the issue; see Bouncycastle and Java Web Start workaround.
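To confirm that the re-signed BouncyCastle JAR really carries both signatures (Sun's JCE signature and your own) before publishing it, the small Java program below lists the distinct signers of every entry in a JAR. It is an added example written for this page, not code from JGridstart or BouncyCastle; it assumes the JAR path is passed as the first argument and uses only the standard java.util.jar API, which verifies the signatures while the entries are read.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Lists the distinct code signers of all non-META-INF entries in a JAR. */
public class JarSigners {

    /** Returns the subject DNs of every signer seen on the JAR's entries. */
    public static Set<String> signersOf(File jar) throws IOException {
        Set<String> signers = new LinkedHashSet<String>();
        // verify=true: digests and signature blocks are checked as entries are read;
        // a tampered entry makes read() throw a SecurityException.
        JarFile jf = new JarFile(jar, true);
        try {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated once the entry is fully read.
                InputStream in = jf.getInputStream(e);
                try { while (in.read(buf) != -1) { } } finally { in.close(); }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { signers.add("<unsigned: " + e.getName() + ">"); continue; }
                for (CodeSigner c : cs) {
                    X509Certificate leaf =
                        (X509Certificate) c.getSignerCertPath().getCertificates().get(0);
                    signers.add(leaf.getSubjectX500Principal().getName());
                }
            }
        } finally {
            jf.close();
        }
        return signers;
    }

    public static void main(String[] args) throws IOException {
        // Expected for a correctly re-signed bcprov JAR: two DNs, the JCE code-signing
        // certificate and your own; any "<unsigned: ...>" line means an entry was added
        // after signing and would not be covered by either signature.
        for (String name : signersOf(new File(args[0]))) System.out.println(name);
    }
}
```

jarsigner -verify -verbose -certs gives the same information from the command line; the program is useful when the check has to run in a build script.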