[Pki-devel] Integrating JSS into an existing java project

Alexander Scheel ascheel at redhat.com
Tue Nov 13 15:58:26 UTC 2018


Hi Jon,


I do have to say I'm not that familiar with your use case. You might want to
take a look at TomcatJSS and PKI for examples using JSS. One thing that I will
point out is that, rather than directly adding the JSSProvider to the JCE, we
let the CryptoManager deal with that:

See:

https://github.com/dogtagpki/pki/blob/master/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java#L305

Which calls here:

https://github.com/dogtagpki/jss/blob/master/org/mozilla/jss/CryptoManager.java#L437


I'm guessing the latter will give you the clues you seek for initializing the
RNG if you want to do it yourself... :)


(So I think to directly answer the last question, you either need to initialize
 the CryptoManager class, or do the work it does (RNG initialization in this
 current case) and/or the subset of work it does that enables your use cases...
 so I'd perhaps consider just using the CryptoManager class myself).



- Alex


----- Original Message -----
> From: "Jon Moroney" <jonm at rescale.com>
> To: pki-devel at redhat.com
> Sent: Wednesday, November 7, 2018 6:47:08 PM
> Subject: [Pki-devel] Integrating JSS into an existing java project
> 
> Hey all,
> 
> Sorry if this question has been covered; I did a cursory search and came up
> with nothing.
> 
> I’m trying to integrate the signed JSS jar into my build to be used as a JCE
> provider for FIPS compliance and am running into issues. Using the Java
> Security class I’m trying to set the JSS provider as the default security
> provider:
> ```
> Security.insertProviderAt(new JSSProvider(), 1);
> ```
> This works, however when running my test suite I get about a billion errors
> which all seem to trace back to errors around the default PRNG provider. Ex.
> ```
> Could not initialize class javax.crypto.JceSecurityManager
> ```
> I’ve read that in order to use JSS classes directly one needs to initialize
> the CryptoManager class. Is this necessary if I just want to use JSS as a
> JCE provider? If so, how do I know what arguments to pass into the
> initialize function?
> 
> Thanks,
> Jon
> 
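The initialization order described in the reply above, as an added example that is not part of the original thread and is not code from JSS or PKI: CryptoManager is initialized first and registers the JSS provider itself, and only then are JCE services requested from it by name. The class name `JssInitExample`, the helper `initJss` and the database path are hypothetical; the example assumes the JSS jar and its native library are on the class/library path and that an NSS database already exists in the given directory.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

import org.mozilla.jss.CryptoManager;

public class JssInitExample {
    // Placeholder (assumption): directory holding an existing NSS database,
    // e.g. one created beforehand with `certutil -N -d <dir>`.
    static final String NSS_DB_DIR = "/path/to/nssdb";

    // Hypothetical helper: initialize NSS/JSS once and return the manager.
    // With default initialization values, CryptoManager.initialize() also
    // installs the JSS provider, so no Security.insertProviderAt() is needed.
    static CryptoManager initJss(String nssDbDir) throws Exception {
        CryptoManager.initialize(nssDbDir);
        return CryptoManager.getInstance();
    }

    public static void main(String[] args) throws Exception {
        CryptoManager cm = initJss(args.length > 0 ? args[0] : NSS_DB_DIR);

        // Confirm the provider was registered by CryptoManager, and where.
        Provider jss = Security.getProvider("Mozilla-JSS");
        if (jss == null) {
            throw new IllegalStateException("JSS provider was not installed");
        }
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            if (all[i] == jss) {
                System.out.println("Mozilla-JSS is at provider position " + (i + 1));
            }
        }
        System.out.println("NSS FIPS mode enabled: " + cm.FIPSEnabled());

        // Request services from JSS explicitly by provider name rather than
        // relying on provider ordering.
        SecureRandom rng = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);

        MessageDigest md = MessageDigest.getInstance("SHA-256", "Mozilla-JSS");
        byte[] digest = md.digest(nonce);
        System.out.println("SHA-256 via JSS produced " + digest.length + " bytes");
    }
}
```

Run it with the NSS database directory as the first argument; the reported FIPS state is a property of that database's configuration, not of this code.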



