Developing in Java
The CORE Java API allows Java developer to choose from the following API levels:
- Java Cryptography Architecture (JCA)
Use this level to develop JCA
Java Cryptography Architecture - Java frameworks for implementing cryptography primitives. applications. Refer to Integration with the JCA. - Java PKCS#11 wrapper
Use this level when you need advanced features that are not provided by JCAJava Cryptography Architecture - Java frameworks for implementing cryptography primitives.. Refer to Develop at PKCS#11 Level. - Tokenization and Format Preserving Encryption
Develop with high-level application level encryption methods and specifically tokenization and format preserving encryption. Refer to Tokenization and Format Preserving Encryption.
Develop with Java Security Provider
This section describes development with the Java Cryptography Architecture (JCAJava Cryptography Architecture - Java frameworks for implementing cryptography primitives.) methodology and its java.security.* and javax.crypto.* classes. The term provider refers to a package that supplies a concrete implementation of services that can be accessed by the Java Security API.
The relevant CORE package is: com/unbound/provider
Target Deployments
- Client-based targets - machines that installed the CORE client distribution. On such machines we assume that CORE client has been configured to use CORE partition.
- ClientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. targets - machines that did not install the CORE client for various reasons. Such machines require further preparation. Refer to Using the Provider in Clientless Environment.
Backward Compatibility
There is no need to update applications that refer to the previous name of COREcom/dyadic/provider.
- DYCrytoProvider and UBCryptoProvider have exactly the same APISystem that is using Unbound Java Security Provider without dependency on the UKC Client software. targets
- DYCrytoProvider name is "DYADIC", UBCryptoProvider name is "UNBOUND".
- We support all code written previously using either DYCrytoProvider or UBCryptoProvider.
Supported Crypto Functionality
Prerequisites
To develop with the Unbound java security provider while using the Cipher class, use the following JDK:
- Oracle JDK 1.8.0_191 or later.
- Openjdk 1.8.0_262 or later.
- Openjdk 11.0.2 or later.
Partitions and Users
This section provides information about login and partitions. When using the JCAJava Cryptography Architecture - Java frameworks for implementing cryptography primitives. provider you can use different CORE users and partitions. The JCAJava Cryptography Architecture - Java frameworks for implementing cryptography primitives. API allows providing passwords to access key stores. Refer to CKU_USER and CKU_SO for information about the login.
Different partitions can be accessed. The use case scenario differs based on client type. For the client-based approach:
-
Make sure your client is registered with the relevant partition.
-
If the client is registered with just a single partition, it is used by default.
-
If the client is registered with multiple partitions, the provider accesses the partition registered as slot 0 by default (this may be arbitrary).
-
To specify the exact partition to use when the client is registered with multiple ones, provide the partition name as a constructor parameter to the UBCryptoProvider (or DYCrytoProvider) class.
For clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. setups, the partition is set based on the client certificate used. See Using the Provider in Clientless Environment for more details.
Key Groups
You can define the Key Groups that are used when creating new keys. This setting is controlled through these different methods.
-
Set environment variables.
-
Set the settings in a configuration file.
-
Use Java runtime properties.
-
Set the settings in the code.
Set environment variables
Set the UKC_GROUPS environment variable. For example, to use groups g1 and g2:
UKC_GROUPS=g1,g2
Set the settings in a configuration file.
Set UKC_GROUPS in a configuration file. For example, to use groups g1 and g2:
export UKC_GROUPS=g1,g2
Use Java runtime properties
A sample command line is:
keytool -genkeypair -keysize 2048 -alias sign-key4 -dname CN=CA -keyalg RSA -keystore NONE -storetype PKCS11 -providername UNBOUND -storepass Password1! -providerclass com.unbound.provider.UBCryptoProvider -J-DukcPfx=C:/ProgramData/dyadic/ekm/client3.pfx -J-DukcPfxPass=Password1! -J-DukcCa=C:/ProgramData/dyadic/ekm/server-ca.p7b -J-DukcServers=https://localhost:8443 -J-DukcComConnectTimeout=20 -J-DukcComReadTimeout=20 -J-DukcComEnableKeepAlive=1 -J-DukcComRetrisesTransmit=3 -J-DukcComRetrySuspend=100 -J-DukcGroups=testkeytool -providerpath ekm-java-provider-2.0.jar
The groups are set with this runtime property
-
-J-DukcGroups=<UKC-GROUPS>
See Clientless Settings for an explanation of the rest of the runtime properties in this command.
Set the settings in the code
The key groups can be defined in code. For example, to use groups g1 and g2:
Path path = Paths.get("clientless.pfx");
keyStore = KeyStore.getInstance("PKCS12");
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream( Files.readAllBytes(path));
keyStore.load(byteArrayInputStream, "Password1!".toCharArray());
UBCryptoProvider.allowPrivateKeyWithoutCertificate(true);
Set groups = new HashSet();
groups.add("g1");
groups.add("g2");
provider = new UBCryptoProvider(keyStore,"Password1!",groups);
Security.addProvider(provider);
keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
keyStore.load(null);
Code Samples
Note
In the following samples we replaced DYCrytoProvider with the UBCryptoProvider. Both are identical. You can continue using the DYCrytoProvider class. In any case, the variables remain prefixed with Dy.Dyadic - the original name of the company-
Create UBCryptoProvider
To use com.unbound.provider.UBCryptoProvider, choose one of the following options:
- Implicit - add
com.unbound.provider.UBCryptoProviderto thejava.securityfile (refer to Java Security File. - Explicit - create a
UBCryptoProviderobject:
Security.addProvider(new UBCryptoProvider());
The KeyStore type is PKCS11.
Follow the standard JCA documentation to use KeyStore, KeyGenerator, and Cipher for generating and using the keys.
Example:
public boolean SelfSign_test()
{
// Add Unbound crypto provider
UBCryptoProvider DyProv = new UBCryptoProvider();
Security.addProvider(DyProv);
KeyStore keyStore;
try {
keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
// if partition USER has a password, provide it as the 2nd argument of the load:
keyStore.load(null, null);
} catch (Exception e)
{
System.out.println(e.getMessage());
return false;
}
}
return true;
}
Generating a Self-Signed Certificate
Working with the Java cryptography components often requires the existence of a matching certificate for every private key in the key store. To allow support of this method where a CA is not available, the Unbound provider supports generating a self-signed certificate for a key stored in the CORE.
To generate a self-signed certificate, use the SelfSign method:
public java.security.cert.X509Certificate SelfSign(
java.security.PrivateKey key,
java.lang.String hashAlg,
java.lang.String subject,
java.math.BigInteger serialNumber,
int days)
throws java.security.cert.CertificateException
Parameters:
key– the CORE key used for the certificatehashAlg– hash algorithm for the signature (e.g. “SHA256”)subject- subject name for the certificateserialNumber– certificate serial numberdays– certificate expiry period
The following sample code demonstrates the self-signing function:
public boolean SelfSign_test()
{
// Add Unbound crypto provider
UBCryptoProvider DyProv = new UBCryptoProvider();
Security.addProvider(DyProv);
KeyStore keyStore;
KeyPairGenerator keyPairGenerator;
// load key objects
try {
keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
// if partition USER has a password, provide it as the 2nd argument
keyStore.load(null, null);
keyPairGenerator = KeyPairGenerator.getInstance("RSA", "UNBOUND");
} catch (Exception e)
{
System.out.println(e.getMessage());
return false;
}
>br /> // generate key
/* Unbound supports key size of 2048, 3072, 4096.*/
keyPairGenerator.initialize(2048);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// generate certificate and save it to CORE key store
X509Certificate cert;
try {
BigInteger serial = new BigInteger(160, new SecureRandom());
cert = DyProv.SelfSign(
keyPair.getPrivate(),
"SHA256",
"CN=mySelfSign",
serial,
200);
keyStore.setKeyEntry("self", keyPair.getPrivate(), null, new Certificate[]{ cert});
}catch (Exception e)
{
System.out.println(e.getMessage());
return false;
}
//////
// save the certificate file
String path = "self.crt";
try {
PrintWriter writer = new PrintWriter(path, "UTF-8");
writer.println(X509Factory.BEGIN_CERT);
writer.print(DatatypeConverter.printBase64Binary(cert.getEncoded()).replaceAll("(.{64})", "$1\n"));
writer.println();
writer.println(X509Factory.END_CERT);
writer.close();
}
catch (IOException e){
System.out.println("error wrtitng cert to "+path);
}
catch (CertificateEncodingException e)
{
System.out.println("error encoding cert");
}
return true;
}
Encrypt with RSA
The following code sample demonstrates RSA key generation and usage:
byte[] testData = new byte[]{1, 2, 3, 4, 5};
Security.addProvider(new UBCryptoProvider());
KeyStore keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
keyStore.load(null);
KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "UNBOUND");
gen.initialize(2048);
KeyPair keyPair = gen.generateKeyPair();
keyStore.setEntry("RSA test", new UBCryptoProvider.KeyEntry(keyPair.getPrivate()), null);
PrivateKey prvKey = (PrivateKey) keyStore.getKey("RSA test", null);
Signature sign = Signature.getInstance("SHA256WithRSA", "UNBOUND");
sign.initSign(prvKey);
sign.update(testData);
byte[] signature = sign.sign();
sign = Signature.getInstance("SHA256WithRSA");
RSAPrivateCrtKey rsa = (RSAPrivateCrtKey) prvKey;
KeyFactory kf = KeyFactory.getInstance("RSA");
PublicKey pubKey = kf.generatePublic(new RSAPublicKeySpec(rsa.getModulus(), rsa.getPublicExponent()));
sign.initVerify(pubKey);
sign.update(testData);
boolean ok = sign.verify(signature);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
byte[] encrypted = cipher.doFinal(testData);
cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING", "UNBOUND");
cipher.init(Cipher.DECRYPT_MODE, prvKey);
byte[] decrypted = cipher.doFinal(encrypted);
ok = Arrays.equals(decrypted, testData);
Encrypt with AES
The following code sample demonstrates AES key generation and usage:
Security.addProvider(new UBCryptoProvider("partition_name"));
keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
keyStore.load(null);
KeyGenerator gen = KeyGenerator.getInstance("AES", "UNBOUND");
gen.init(KEY_SIZE);
SecretKey secretKey = (SecretKey) gen.generateKey();
keyStore.setKeyEntry("AES test", secretKey, null, null);
SecureRandom secureRandom = new SecureRandom();
byte[] data = new byte[DATA_SIZE];
byte[] iv = new byte[IV_SIZE];
secureRandom.nextBytes(data);
secureRandom.nextBytes(iv);
GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LEN_IN_BITS, iv);
Cipher encryptCipherEncrypt = Cipher.getInstance(AES_GCM_PADDING);
encryptCipherEncrypt.init(Cipher.ENCRYPT_MODE, secretKey, gcmParameterSpec);
byte[] enc1 = encryptCipherEncrypt.update(data, 0, data.length / 2);
byte[] enc2 = encryptCipherEncrypt.update(data, data.length / 2, data.length / 2);
byte[] enc3 = encryptCipherEncrypt.doFinal();
byte[] enc = new byte[enc1.length + enc2.length + enc3.length];
System.arraycopy(enc1, 0, enc, 0, enc1.length);
System.arraycopy(enc2, 0, enc, enc1.length, enc2.length);
System.arraycopy(enc3, 0, enc, enc1.length + enc2.length, enc3.length);
Cipher encryptCipherDecrypt = Cipher.getInstance(AES_GCM_PADDING);
encryptCipherDecrypt.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec);
byte[] dec = encryptCipherDecrypt.doFinal(enc);
System.out.println(Arrays.equals(dec, data) ? "OK" : "Failed");
Sign with ECDSA
The following code sample demonstrates ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. key generation and signature:
Security.addProvider(new UBCryptoProvider());
KeyStore keyStore = KeyStore.getInstance("PKCS11", "UNBOUND");
keyStore.load(null);
KeyPairGenerator gen = KeyPairGenerator.getInstance("EC", "UNBOUND");
gen.initialize(new ECGenParameterSpec("secp256r1"));
KeyPair keyPair = gen.generateKeyPair();
keyStore.setEntry("ECDSA test",
new UBCryptoProvider.KeyEntry(keyPair.getPrivate()), null);
PrivateKey prvKey = (PrivateKey) keyStore.getKey("ECDSA test", null);
byte[] testData = new byte[] { 1, 2, 3, 4, 5 };
Signature sign = Signature.getInstance("SHA256WithECDSA", "UNBOUND");
sign.initSign(prvKey);
sign.update(testData);
byte[] signature = sign.sign();
sign = Signature.getInstance("SHA256WithECDSA");
sign.initVerify(keyPair.getPublic());
sign.update(testData);
boolean ok = sign.verify(signature);
Sign with RSA using SHA3-256
The following code sample demonstrates using UID of the RSA for signing with the SHA3-256.
Using the Provider in Clientless Environment
The default for the Java Security Provider requires using it on a registered CORE client and utilizing the complete stack of CORE client native libraries. However, there are scenarios where the provider is used in a restricted environment, which does not allow installing the CORE client or executing the client registration. This type of environment could be different cloud-native environments or an OS where the CORE client is not supported, such as IBM z/OS®.
To support this type of configuration, the provider supports a Java-only mode where no native libraries or client registration are required. The runtime parameters are provided as specified in Clientless Settings.
To prepare the execution environment, use one of the following methods:
Clientless Settings
In addition to the settings mentioned in the following sections, which mainly cover connecting and authenticating to the CORE server, there are settings that control the behavior of the clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. provider (client-based settings follow the different Client Machine Settings).
These settings can be used to control the CORE environment through these different methods.
-
Set environment variables.
-
Set the settings in a configuration file.
-
Use Java runtime properties.
-
Set the settings in the code.
The following list contains the additional clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. settings:
-
UKC_NO_NATIVE - set to 1 for clientless
System that is using Unbound Java Security Provider without dependency on the UKC Client software. mode, set to 0 for client-based mode. This setting may be helpful during development. Default is 0.Note
This parameter can only be set via an environment variable. -
DYLOG_ENABLED - set to 1 to collect troubleshooting information. See DyLog Files in User Guide. Default is 0.
Note
This parameter can only be set via an environment variable. -
UKC_COM_CONNECT_TIMEOUT - the timeout for connecting to a CORE Entry Point when creating a connection, in seconds. Default is 0.
-
UKC_COM_READ_TIMEOUT - the timeout for waiting for a reply from the CORE Entry Point during a request, in seconds. Default is 0.
-
UKC_COM_ENABLE_KEEP_ALIVE - set to 1 for TRUE, any other value is FALSE. If set to TRUE, the connection is kept open for performance reasons. Default is TRUE.
-
UKC_COM_RETRIES_TRANSMIT - the number of times to try and execute a request after a network failure. Default is 1.
-
UKC_COM_RETRY_SUSPEND - wait time between retrying requests on network failure, in milliseconds. Default is 50.
Note
If these settings are set to 0, then they use the default for the platform.
Use Client Certificate
The following runtime parameters are required:
- CORE CA certificate
- Client PFXAn archive file format for storing cryptography objects using Base64 encoding (generated as a client in full mode)
- Client PFXAn archive file format for storing cryptography objects using Base64 encoding password
- CORE EP server(s) hostname(s) or IP(s)
To prepare the clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. environment:
- Create a full mode client. A PFXAn archive file format for storing cryptography objects using Base64 encoding file and password are created in this step.
- ucl root_ca . A p7b file is generated in this step.
- Copy the PFXAn archive file format for storing cryptography objects using Base64 encoding and p7b files to the client machine.
Example using a configuration file
Note
In these examples we you use the JAVA 8 command syntax, and the corresponding ekm-java-provider-2.0.jar. We also assume that the commands are performed by the default user of the specified partition. To use JAVA 9 and 11 versions, refer to the keytool and jarsigner examples in Code Signing Integration Guide. Refer to Jarsigner for Java 9 and 11.
- Create a configuration file
ukc.conf. It contains: - Verify that the setup is working by listing keys in the certified partition.
- Create an RSA key with the self-certified (alias
sign-key). - Use the key to sign
test.jarfile.
UKC_CA=/<path-to-ukc-root-ca-certificate>/<server-ca>.p7b
UKC_PFX=/<path-to-client-certificate>/<client>.pfx
UKC_PFX_PASS=<password-for-client-pfx>
UKC_SERVERS=<EP1 hostname or IP>[,<EP2 hostname or IP>]
keytool -list \
-keystore NONE -storetype PKCS11 -providername UNBOUND -storepass NULL \
-providerclass com.unbound.provider.UBCryptoProvider \
-providerarg ukc.conf \
-providerpath ekm-java-provider-2.0.jar
keytool -verbose -genkeypair -keysize 2048 -alias sign-key -dname CN=CA -keyalg RSA \
-keystore NONE -storetype PKCS11 -providername UNBOUND -storepass NULL \
-providerclass com.unbound.provider.UBCryptoProvider \
-providerarg ukc.conf \
-providerpath ekm-java-provider-2.0.jar
jarsigner -keystore NONE -storetype PKCS11 -providername UNBOUND -storepass NULL \
-providerclass com.unbound.provider.UBCryptoProvider \
-providerarg ukc.conf \
test.jar sign-key
Example with environment variable
- Set the environment variables.
- Perform commands 2, 3, and 4 in the previous test without the
-providerarg ukc.confoption.
export UKC_CA=/<path-to-ukc-root-ca-certificate>/server-ca.p7b
export UKC_PFX=/<path-to-client-certificate>/client.pfx
export UKC_PFX_PASS=<password-to-pfx>
export UKC_SERVERS=<EP1 hostname or IP>[,<EP2 hostname or IP>]
Example setting configuration using code
This code sets the p7b file and the server URL.
com.unbound.provider.UBCryptoProvider.initialize(
String[] servers, // <list of servers with , delimiter>
KeyStore trusted // trusted server CA certificates
);
This code sets the PFXAn archive file format for storing cryptography objects using Base64 encoding file and passphrase.
new com.unbound.provider.UBCryptoProvider(
KeyStore pfx, // client key and certificate
String pfxPass // optional PFX password
);
Example setting configuration using Java runtime properties
A sample command line is:
keytool -genkeypair -keysize 2048 -alias sign-key4 -dname CN=CA -keyalg RSA -keystore NONE -storetype PKCS11 -providername UNBOUND -storepass Password1! -providerclass com.unbound.provider.UBCryptoProvider -J-DukcPfx=C:/ProgramData/dyadic/ekm/client3.pfx -J-DukcPfxPass=Password1! -J-DukcCa=C:/ProgramData/dyadic/ekm/server-ca.p7b -J-DukcServers=https://localhost:8443 -J-DukcComConnectTimeout=20 -J-DukcComReadTimeout=20 -J-DukcComEnableKeepAlive=1 -J-DukcComRetrisesTransmit=3 -J-DukcComRetrySuspend=100 -providerpath ekm-java-provider-2.0.jar
These runtime properties are available:
-
-J-DukcPfx=<PFX
An archive file format for storing cryptography objects using Base64 encoding filename>.pfxNote
To avoid using a file, you can pass the PFXAn archive file format for storing cryptography objects using Base64 encoding value on the command line in this format:-J-DukcPfx=pfx:<b64 pfx value> -
-J-DukcPfxPass=<Password>
-
-J-DukcCa=<CA file>.p7b
Note
To avoid using a file, you can pass the p7b value on the command line in this format:-J-DukcCa=p7b:<b64 p7b value> -
-J-DukcServers=<Server URL>:<Port number>
-
-J-DukcComConnectTimeout=<Connection timeout>
-
-J-DukcComReadTimeout=<Read timeout>
-
-J-DukcComEnableKeepAlive=<Keep alive>
-
-J-DukcComRetrisesTransmit=<Number of retries>
-
-J-DukcComRetrySuspend=<Time between retries>
Use Activation Code
In the previous section, we showed using the provider in clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. mode using a client PFXAn archive file format for storing cryptography objects using Base64 encoding (generated in FULL mode). There are scenarios where we would like to avoid storing a PFXAn archive file format for storing cryptography objects using Base64 encoding or reusing a PFXAn archive file format for storing cryptography objects using Base64 encoding for multiple clients.
In these scenarios, the clientlessSystem that is using Unbound Java Security Provider without dependency on the UKC Client software. provider mode also supports using an activation code. The provider would complete the client registration process as part of the application execution and store the key and certificate in memory for the lifetime of the application.
This approach is well suited for using ephemeral clients and has the advantage that the client certificate is not persistent, as well as complete tracking of each connected application since each would be a different client.
This option is implemented by replacing the UKC_PFXAn archive file format for storing cryptography objects using Base64 encoding and UKC_PFXAn archive file format for storing cryptography objects using Base64 encoding_PASS with different settings holding the activation code (regular or ephemeral), as follows:
The following runtime parameters are required:
- CORE CA certificate
- Partition name, its Access Code (template) name, and the Access Code value
- CORE EP server(s) hostname(s) or IP(s)
Configuration options are:
- The ukc.conf file:
- Environment variables.
- Configuration using code.
UKC_CA=/<path-to-ukc-root-ca-certificate>/<server-ca>.p7b
UKC_SERVERS=<EP1 hostname or IP>[,<EP2 hostname or IP>]
UKC_CLIENT_NAME=<hostname>
UKC_PARTITION_NAME = <partition name>
UKC_TEMPLATE_NAME = <template name>
UKC_ACTIVATION_CODE = <activation code>
export UKC_CA=/<path-to-ukc-root-ca-certificate>/<server-ca>.p7b
export UKC_SERVERS=<EP1 hostname or IP>[,<EP2 hostname or IP>]
export UKC_CLIENT_NAME = <client name>
export UKC_PARTITION_NAME = <partition name>
export UKC_TEMPLATE_NAME = <template name>
export UKC_ACTIVATION_CODE = <activation code>
This code sets the p7b file and the server URL.
com.unbound.provider.UBCryptoProvider.initialize(
String[] servers, // <list of servers with , delimiter>
KeyStore trusted // trusted server CA certificates
);
This code acquires the PFXAn archive file format for storing cryptography objects using Base64 encoding and its password.
new com.unbound.provider.UBCryptoProvider(
String partitionName,
String clientName, // optional, default value is HOST-NAME
String templateName, // optional
String activationCode
);