Relationship between JCA, it's providers and JCE?

5.1k views Asked by At

I thought it was simple where JCA was a replacement for JCE. However writing some test code to get all the providers on my system showed this isn't the case.

I noticed the following:

  1. Some algorithms have multiple providers (eg: MD5withRSA is in SunRsaSign as well as SunJSSE)
  2. JCA seems to have type of algorithms that go beyond what's in JCE

Item 1 makes sense as JCA appears (to me) as a library/array of JCE providers to pick from.

Item 2 is a a bit confusing because it suggests that JCA isn't exact an array of "identical" JCE providers; it's some sort of watering hole for any and every "kind" of provider, JCE interfaced or not.

So, whats the working relationship between JCA, it's providers and JCE? Do the providers also exist in independent silos or do they "build" off each other / have dependencies between them?

For the folks interested in the code and the results that prompted this question, its listed below


import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;

public class ConsoleListJca 
{
    public static void main(String[] args) 
    {
        for (Provider provider : Security.getProviders()) 
        {
            System.out.println("Provider: " + provider.getName() + " (ver " + provider.getVersion() + ")");
            System.out.print("  Algorithms: ");
            ArrayList<String> algos = new ArrayList<String>();
            for (Provider.Service service : provider.getServices()) 
            {
                algos.add(String.format( "%s (%s)", service.getAlgorithm(), service.getType()));
            }
            java.util.Collections.sort(algos);
            String algorsStr = algos.toString();
            // remove [ and ] from ArrayList's toString()
            algorsStr = algorsStr.substring(1, algorsStr.length()-1); 
            System.out.println(algorsStr);
            System.out.println();
        }
    }
}

and the results (formatted for SO) are

Provider: SUN (ver 1.7)
  Algorithms: CaseExactJKS (KeyStore), Collection (CertStore), DSA (AlgorithmParameterGenerator), 
              DSA (AlgorithmParameters), DSA (KeyFactory), DSA (KeyPairGenerator), 
              JKS (KeyStore), JavaLoginConfig (Configuration), JavaPolicy (Policy), 
              LDAP (CertStore), MD2 (MessageDigest), MD5 (MessageDigest), NONEwithDSA (Signature), 
              NativePRNG (SecureRandom), PKIX (CertPathBuilder), PKIX (CertPathValidator), 
              SHA (MessageDigest), SHA-256 (MessageDigest), SHA-384 (MessageDigest), 
              SHA-512 (MessageDigest), SHA1PRNG (SecureRandom), SHA1withDSA (Signature), 
              X.509 (CertificateFactory), com.sun.security.IndexedCollection (CertStore)

Provider: SunRsaSign (ver 1.7)
  Algorithms: MD2withRSA (Signature), MD5withRSA (Signature), RSA (KeyFactory), RSA (KeyPairGenerator), 
              SHA1withRSA (Signature), SHA256withRSA (Signature), SHA384withRSA (Signature), 
              SHA512withRSA (Signature)

Provider: SunEC (ver 1.7)
  Algorithms: EC (AlgorithmParameters), EC (KeyFactory), EC (KeyPairGenerator), ECDH (KeyAgreement), 
              NONEwithECDSA (Signature), SHA1withECDSA (Signature), SHA256withECDSA (Signature), 
              SHA384withECDSA (Signature), SHA512withECDSA (Signature)

Provider: SunJSSE (ver 1.7)
  Algorithms: Default (SSLContext), MD2withRSA (Signature), MD5andSHA1withRSA (Signature), 
              MD5withRSA (Signature), NewSunX509 (KeyManagerFactory), PKCS12 (KeyStore), 
              PKIX (TrustManagerFactory), RSA (KeyFactory), RSA (KeyPairGenerator), 
              SHA1withRSA (Signature), SunX509 (KeyManagerFactory), SunX509 (TrustManagerFactory), 
              TLSv1 (SSLContext), TLSv1.1 (SSLContext), TLSv1.2 (SSLContext)

Provider: SunJCE (ver 1.7)
  Algorithms: AES (AlgorithmParameters), AES (Cipher), AES (KeyGenerator), AESWrap (Cipher), 
              ARCFOUR (Cipher), ARCFOUR (KeyGenerator), Blowfish (AlgorithmParameters), 
              Blowfish (Cipher), Blowfish (KeyGenerator), DES (AlgorithmParameters), 
              DES (Cipher), DES (KeyGenerator), DES (SecretKeyFactory), DESede (AlgorithmParameters), 
              DESede (Cipher), DESede (KeyGenerator), DESede (SecretKeyFactory), DESedeWrap (Cipher), 
              DiffieHellman (AlgorithmParameterGenerator), DiffieHellman (AlgorithmParameters), 
              DiffieHellman (KeyAgreement), DiffieHellman (KeyFactory), 
              DiffieHellman (KeyPairGenerator), HmacMD5 (KeyGenerator), HmacMD5 (Mac), 
              HmacPBESHA1 (Mac), HmacSHA1 (KeyGenerator), HmacSHA1 (Mac), HmacSHA256 (KeyGenerator), 
              HmacSHA256 (Mac), HmacSHA384 (KeyGenerator), HmacSHA384 (Mac), HmacSHA512 (KeyGenerator), 
              HmacSHA512 (Mac), JCEKS (KeyStore), OAEP (AlgorithmParameters), PBE (AlgorithmParameters), 
              PBEWithMD5AndDES (AlgorithmParameters), PBEWithMD5AndDES (Cipher), 
              PBEWithMD5AndDES (SecretKeyFactory), PBEWithMD5AndTripleDES (AlgorithmParameters), 
              PBEWithMD5AndTripleDES (Cipher), PBEWithMD5AndTripleDES (SecretKeyFactory), 
              PBEWithSHA1AndDESede (AlgorithmParameters), PBEWithSHA1AndDESede (Cipher), 
              PBEWithSHA1AndDESede (SecretKeyFactory), PBEWithSHA1AndRC2_40 (AlgorithmParameters), 
              PBEWithSHA1AndRC2_40 (Cipher), PBEWithSHA1AndRC2_40 (SecretKeyFactory), 
              PBKDF2WithHmacSHA1 (SecretKeyFactory), RC2 (AlgorithmParameters), RC2 (Cipher), 
              RC2 (KeyGenerator), RSA (Cipher), SslMacMD5 (Mac), SslMacSHA1 (Mac), 
              SunTls12Prf (KeyGenerator), SunTlsKeyMaterial (KeyGenerator), SunTlsMasterSecret (KeyGenerator), 
              SunTlsPrf (KeyGenerator), SunTlsRsaPremasterSecret (KeyGenerator)

Provider: SunJGSS (ver 1.7)
  Algorithms: 1.2.840.113554.1.2.2 (GssApiMechanism), 1.3.6.1.5.5.2 (GssApiMechanism)

Provider: SunSASL (ver 1.7)
  Algorithms: CRAM-MD5 (SaslClientFactory), CRAM-MD5 (SaslServerFactory), DIGEST-MD5 (SaslClientFactory), 
              DIGEST-MD5 (SaslServerFactory), EXTERNAL (SaslClientFactory), GSSAPI (SaslClientFactory), 
              GSSAPI (SaslServerFactory), NTLM (SaslClientFactory), NTLM (SaslServerFactory), PLAIN (SaslClientFactory)

Provider: XMLDSig (ver 1.0)
  Algorithms: DOM (KeyInfoFactory), DOM (XMLSignatureFactory), 
              http://www.w3.org/2000/09/xmldsig#base64 (TransformService), 
              http://www.w3.org/2000/09/xmldsig#enveloped-signature (TransformService), 
              http://www.w3.org/2001/10/xml-exc-c14n# (TransformService), 
              http://www.w3.org/2001/10/xml-exc-c14n#WithComments (TransformService), 
              http://www.w3.org/2002/06/xmldsig-filter2 (TransformService), 
              http://www.w3.org/2006/12/xml-c14n11 (TransformService), 
              http://www.w3.org/2006/12/xml-c14n11#WithComments (TransformService), 
              http://www.w3.org/TR/1999/REC-xpath-19991116 (TransformService), 
              http://www.w3.org/TR/1999/REC-xslt-19991116 (TransformService), 
              http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (TransformService), 
              http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments (TransformService)

Provider: SunPCSC (ver 1.7)
  Algorithms: PC/SC (TerminalFactory)

Provider: Apple (ver 1.1)
  Algorithms: KeychainStore (KeyStore)
2

There are 2 answers

0
Svetlin Nakov On

JCE was initially a separate API, but now JCE is merged as part of JCA.

From the JDK 11 documentation:

Prior to JDK 1.4, the JCE was an unbundled product, and as such, the JCA and JCE were regularly referred to as separate, distinct components. As JCE is now bundled in the JDK, the distinction is becoming less apparent. Since the JCE uses the same architecture as the JCA, the JCE should be more properly thought of as a part of the JCA.

Now, JCE is built-in part of JCA and the term JCE slowly disappears from the Java ecosystem.

In short: JCE is a technology / term / concept from the history. Modern Java developers use JCA to access cryptography in Java and never mention JCE.

0
Hesper On

The basic difference between JCA and JCE is that JCE is an extension of JCA, not a replacement. The JCA includes classes like MessageDigest, SecureRandom, KeyFactory, Signature and KeyStore. JCE add some more classes of cryptography like Cipher, KeyGeneration, Mac and KeyGeneration. The distinction between JCA and JCE has largely faded as the JCE has been provided with the standard runtime for some time now.

JCA/JCE is designed to separate cryptographic implementation from abstraction. It is a provider based architecture where you can plug in a provider of your choice, for instance BouncyCastle, that has more cryptographic algorithm support than what is provided by the providers contained within the standard Java runtime.