Dell BSAFE Crypto-J User guide

RSA BSAFE

®

Crypto-J 6.2.5

Installation Guide

August 2019

Part Number

29.07.19

Copyright and Trademark

Legal Notices

Dell Inc. believes the information in this publication is accurate as of its publication date. The information is subject to

change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS”. DELL INC OR ITS SUBSIDIARIES MAKES

NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS

PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.

Dell, RSA, the RSA logo, BSAFE, and other trademarks are registered trademarks of Dell Inc. or its subsidiaries. Other

trademarks may be trademarks of their respective companies.

Third-party licenses

This product may include software developed by parties other than Dell Inc. The text of the license agreements applicable to

third-party software in this product may be viewed in Crypto-J_6.2.4_Third-partyLicenses.pdf.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption

technologies, and current use, import, and export regulations should be followed when using, importing or exporting this

product.

Distribution

Limit distribution of this document to trusted personnel.

Installation Guide

29.07.19

RSA BSAFE Crypto-J 6.2.5 Installation Guide

This document provides instructions for installing RSA BSAFE Crypto-J 6.2.5

(Crypto-J) on all released platforms. Instructions are provided for binary installations,

including installation on Google

®

Android™ and the Java™ Web Start application,

and source installations of Crypto-J, including installation on Google Android.

Binary installations are suitable where the compiled version of Crypto-J matches your

installation platform, and where there is no intention to alter the product. Source

installations are suitable where there is a requirement to build Crypto-J for a specific

platform.

Contents:

About the Crypto-J Toolkit ...............................................................................2

Binary Installation ............................................................................................. 4

Binary Installation for Android ...................................................................... 12

Binary Installation for Java Web Start .........................................................20

Source Installation ......................................................................................... 27

Source Installation for Android ..................................................................... 38

System and Security Properties ................................................................... 48

Uninstallation Instructions .............................................................................48

2 About the Crypto-J Toolkit

RSA BSAFE Crypto-J 6.2.5 Installation Guide

About the Crypto-J Toolkit

Crypto-J provides Java™ developers with a state-of-the-art implementation of the

most important privacy, authentication, and data integrity algorithms. The Crypto-J

toolkit contains both the Java Cryptography Extension (JCE) API and Jsafe API.

The Crypto-J distribution media contains the following:

• Binary toolkit:

– Toolkit Java archive (jar) files.

• Source toolkit:

– Java source code and build and test systems.

• RSA BSAFE Crypto-C Micro Edition 4.1 (Crypto-C ME) shared libraries

• Sample source code

• Product documentation consisting of:

– This document, the RSA BSAFE Crypto-J Installation Guide, in Portable

Document Format (PDF), with instructions on how to install and build

Crypto-J.

– RSA BSAFE Crypto-J FIPS Compliance Guide, in PDF, which describes the

FIPS 140 compliance requirements for Crypto-J.

– RSA BSAFE Crypto-J Release Notes, in PDF, with the latest information

about Crypto-J.

– RSA BSAFE Crypto-J JSAFE and JCE Software Module Security Policy

documents, Level 1 and Level 2, which describe how the Crypto-J JSAFE and

JCE Software Module meets the Level 1 security requirements of FIPS 140-2,

the Level 2 security requirements of FIPS 140-2 for Roles, Authentication and

Services, Level 3 security requirements for Design Assurance, and how to

securely operate it.

– RSA BSAFE Crypto-J Third-party Licenses, in PDF, with license information

for third-party code used in Crypto-J.

– RSA BSAFE Crypto-J Troubleshooting Guide, in PDF, with information and

instructions for troubleshooting common issues with Crypto-J.

– RSA BSAFE Crypto-J Developers Guide, in HTML format, with information

and instructions on how to develop applications that integrate Crypto-J.

– The following Javadocs in HTML format, with Java API reference

information:

• RSA BSAFE JsafeJCE Javadoc

• RSA BSAFE Jsafe Javadoc

• RSA BSAFE Tools Javadoc.

About the Crypto-J Toolkit 3

RSA BSAFE Crypto-J 6.2.5 Installation Guide

• Related product documentation:

– The RSA BSAFE Crypto-C Micro Edition Security Policies, Level 1 and

Level 2, in PDF, which describe how the Crypto-C ME Cryptographic Module

meets the Level 1 security requirements of FIPS 140-2, the Level 2 security

requirements of FIPS 140-2 for Roles, Authentication and Services, Level 3

security requirements for Design Assurance, and how to securely operate it.

Documentation for this release and for previous releases of Crypto-J is also available

from RSA Link.

Toolkit Configuration

The following table lists the eight toolkit configurations included in the Crypto-J

toolkit.

Table 1 Toolkit Configuration

Configuration

Cryptographic

Implementation

PKCS #11

Accessible

FIPS

Validated

Pure JSAFE Pure Java No No

Native JSAFE Pure Java and Native

Yes

1

Not applicable to Crypto-J on Android.

No

Pure JCE and JSAFE Pure Java No No

Native JCE and JSAFE Pure Java and Native

Yes

1

No

FIPS JSAFE Pure Java No Yes

FIPS Native JSAFE Pure Java and Native

Yes

1

Yes

FIPS JCE and JSAFE Pure Java No Yes

FIPS Native JCE and JSAFE Pure Java and Native

Yes

1

Yes

4 Binary Installation

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Binary Installation

This section describes how to install the Crypto-J binary toolkit on your development

environment. These instructions assume the Crypto-J encrypted package file has been

downloaded and unpacked.

Note: For instructions to install the Crypto-J binary toolkit on an Android

development environment, go to Binary Installation for Android.

For instructions to install the Crypto-J binary toolkit on a Java Web Start

development environment, go to Binary Installation for Java Web Start.

Before you begin:

• Ensure that the system you are installing onto has 400 MB of free disk space.

• Install JDK 7.0 or above, and set the

JAVA_HOME environment variable

appropriately. The RSA BSAFE Crypto-J Release Notes lists the supported

platforms.

• Install one or more of the following:

– Apache™ Ant™

– JetBrains IntelliJ

®

IDE

– Eclipse IDE.

Note: Optional, used to build the samples.

• Read these installation instructions.

To install Crypto-J:

The following steps summarize the complete installation process which is detailed

below:

1. Install JCE Unlimited Strength Jurisdiction Policy Files.

2. Install Crypto-J.

3. Build and Run the Samples.

Binary Installation 5

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Install JCE Unlimited Strength Jurisdiction Policy Files

The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order

to use some algorithms and key strengths, and the samples that use these.

The following algorithms require these policy files:

• AES with key sizes greater than 128 bits

• RC2 with key sizes greater than 128 bits

• RC4 with key sizes greater than 128 bits

• RC5 with key sizes greater than 128 bits

• RSA Encryption.

These algorithms are used by some PKCS #12 KeyStore files.

For the latest unlimited strength jurisdiction policy file guidelines, see the

install_jre/lib/security/java.security file.

The latest JDK updates use the unlimited strength jurisdiction policy files by default.

To check that the installed JDK does this, look for the

install_jre/lib/security/policy directory. If this directory is not present,

complete the following instructions to manually download and install the unlimited

policy files.

The JDK version installed determines the unlimited strength jurisdiction policy file to

download.

For Oracle

®

JDK 9, follow the instructions in the README.txt located in the

install_jdk9/conf/security/policy directory of the JDK download.

For all other JDK versions, obtain the applicable file from the following download

locations:

• JCE Unlimited Strength Jurisdiction Policy Files 7 for:

– Oracle JDK 7.0

– HP JDK 7.0.

• JCE Unlimited Strength Jurisdiction Policy Files 8 for:

– Oracle JDK 8.0

– HP JDK 8.0.

• IBM Unrestricted JCE Policy Files for IBM

®

JDK 7.x and 8.0.

To install the unlimited strength Jurisdiction Policy Files:

1. Extract the local_policy.jar and US_export_policy.jar files from the

downloaded zip file.

2. Copy

local_policy.jar and US_export_policy.jar to the

install_jre/lib/security directory, overwriting the existing policy files.

6 Binary Installation

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Install Crypto-J

The following describes the binary distribution directory structure of the unpacked

Crypto-J distribution package:

To install Crypto-J:

1. Copy the Crypto-J directory structure into a suitable location on the target system.

2. Select the Crypto-J jar

files to use from root/cryptoj/lib, and add them to

the class path.The following table lists the Crypto-J APIs and the corresponding

jar

files.

Directory Content

root/

Crypto-J_6.2.5_InstallGuide.pdf

RSA BSAFE Crypto-J Installation Guide

Crypto-J_6.2.5_ReleaseNotes.pdf

RSA BSAFE Crypto-J Release Notes

license_bsafe.pdf

Product specific license text

readme.txt

cryptoj/

Build scripts and project files.

android/

Android source code

BsafeAndroidSamples/

Android source sample code

doc/

Documentation

DevGuide/

RSA BSAFE Crypto-J Developers Guide

javadoc/

Javadocs

JsafeJCE/

RSA BSAFE JsafeJCE Javadoc

Jsafe/

RSA BSAFE Jsafe Javadoc

Tools/

RSA BSAFE Tools Javadoc

lib/

Jar

file repository

prebuilt/

cryptocme/

Crypto-C ME shared libraries

openldap/

OpenLDAP jar file

sample/

Source sample code

Table 2 Available APIs and Required jar Files

Available APIs Jar Files to Add to the Class Path

Non-FIPS JSAFE

1, 2

cryptojcommon-6.2.5.jar

jcm-6.2.5.jar

FIPS JSAFE cryptojcommon-6.2.5.jar

jcmFIPS-6.2.5.jar

Non-FIPS JSAFE and JCE

2

cryptoj-6.2.5.jar

Non-FIPS JSAFE and JCE

1, 2

cryptojcommon-6.2.5.jar

cryptojce-6.2.5.jar

jcm-6.2.5.jar

FIPS JSAFE and JCE cryptojcommon-6.2.5.jar

cryptojce-6.2.5.jar

jcmFIPS-6.2.5.jar

Binary Installation 7

RSA BSAFE Crypto-J 6.2.5 Installation Guide

3. Depending on other features to be used, additional jar files might need to be added

to the class path. The following table lists these features and the corresponding jar

files to be added to the class path.

4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of

Crypto-J, go to Step 5.

To use a Native FIPS or Native non-FIPS configuration of Crypto-J, the

platform-specific Crypto-C ME shared libraries must be added to the Java library

path. The following table details the subdirectories in

root/cryptoj/prebuilt/cryptocme

that contain the platform-specific

shared libraries.

1

This configuration will yield faster start-up times.

2

Native configuration requires access to Crypto-C ME shared libraries. For more details, see Step 4

on page 7

.

Table 3 Features and Required jar Files

Feature Jar Files to Add to the class path

LDAP

root/cryptoj/prebuilt/openldap/openldap.jar

Tools API

root/cryptoj/lib/util-6.2.5.jar

Table 4 Platform-specific Native Shared Libraries for Crypto-C ME

Platform-specific Native Shared Libraries

Subdirectory

1

Apple

®

Mac

®

OS X x86 32-bit

macosx_x86

Apple

Mac OS x86_64 64-bit

macosx_x64

FreeBSD

®

64-bit

freebsd_x64_gcc

HP HP-UX 11.31 Itanium2 32-bit

hpux1131ia32i2

HP HP-UX 11.31 Itanium2 64-bit

hpux1131ia64i2

IBM AIX

®

32-bit

aix6

IBM AIX 64-bit

aix6_64

Micro Focus

®

SUSE

®

Linux Enterprise Server 32-bit

linux_x86_lsb30

Micro Focus SUSE Linux Enterprise Server 64-bit

linux_x64_lsb30

Microsoft

®

Windows

®

32-bit

win32vc8

Microsoft Windows 64-bit

win64x64

Oracle Solaris™ x86 32-bit

solx86

Oracle Solaris x86_64 64-bit

solx64

8 Binary Installation

RSA BSAFE Crypto-J 6.2.5 Installation Guide

For example, for systems running a 32-bit Windows operating system:

copy root\cryptoj\prebuilt\cryptocme\win32vc8\*.*

C:\Windows\System32

For systems running a Unix-like operating system, add the Native library to the

library path. For example, on a Solaris operating system:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:

root/cryptoj/prebuilt/cryptocme/solspv8p

export LD_LIBRARY_PATH

Note: On some operating systems, it may be necessary to set the execute

permissions for the shared libraries. For example:

chmod 755 root/cryptoj/prebuilt/cryptocme/solspv8p/*.so

For details about how to use Native configurations of Crypto-J, see the

API-specific section Using Native Implementations in the RSA BSAFE Crypto-J

Developers Guide.

5. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,

either statically or dynamically.

To statically register the JsafeJCE provider:

a. Copy the relevant jar files to the

install_jre

/lib/ext

directory.

b. Edit the

install_jre/lib/security/java.security file to add the

JsafeJCE Provider:

security.provider.n=com.rsa.jsafe.provider.JsafeJCE

To set the JsafeJCE Provider as the default provider, set n to 1.

Change the value of n for any other providers listed in

java.security so

that each provider has a unique number. For example:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE

security.provider.2=sun.security.provider.Sun

To dynamically register the JsafeJCE provider:

a. Add the relevant jar files to the class path.

Oracle Solaris Sparc v8+ 32-bit

solspv8p

Oracle Solaris Sparc v9 64-bit

solspv9

Red Hat

®

Enterprise Server 32-bit

linux_x86_lsb30

Red Hat Enterprise Server 64-bit

linux_x64_lsb30

1

Short Platform Name.

Table 4 Platform-specific Native Shared Libraries for Crypto-C ME (continued)

Platform-specific Native Shared Libraries

Subdirectory

1

Binary Installation 9

RSA BSAFE Crypto-J 6.2.5 Installation Guide

b. Create the provider programmatically using the following Java code:

// Create a Provider object

Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();

// Add the Crypto-J JsafeJCE Provider to the current

// list of providers available on the system.

Security.insertProviderAt (jsafeProvider, 1);

6. The Crypto-J FIPS 140-2 toolkit may be configured to perform specific operations

at start-up (load). Edit the following file to configure these operations:

install_jre/lib/security/java.security.

The following table lists the property that must be set for FIPS 140-2 compliant

operation.

For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the

security properties listed in the following table must be added.

7. Crypto-J uses CTRDRBG128 as the default random algorithm where no other

random algorithm is specified.

Use the security property

com.rsa.crypto.default.random to change this

as required. The following are valid values for this security property:

The installation of

Crypto-J is complete. For information on how to run the sample

code, see Build and Run the Samples.

Table 5 FIPS 140-2 Property Setting

Property Name Value

com.rsa.cryptoj.fips140initialmode

FIPS140_MODE

1

The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,

FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE

.

Table 6 FIPS 140-2 Level 2 Property Settings

Property Name Value

com.rsa.cryptoj.fips140auth LEVEL2

com.rsa.cryptoj.configfile

1

This security property is optional. There are APIs to dynamically specify this property.

path and filename

2

The path and filename can be an absolute path or a path relative to the user.dir Java system property.

• CTRDRBG

• CTRDRBG128

• CTRDRBG192

• CTRDRBG256

• HASHDRBG

• HASHDRBG128

• HASHDRBG192

• HASHDRBG256

• HMACDRBG

• HMACDRBG128

• HMACDRBG192

• HMACDRBG256

10 Binary Installation

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Build and Run the Samples

The following procedure for running the sample code is applicable only for the binary

toolkit.

Sample source code is available for each API:

• The JSAFE and ASN.1 samples are in

root/cryptoj/sample/src/jsafe

• The JsafeJCE samples are in root/cryptoj/sample/src/jce

• The Tools samples are in root/cryptoj/sample/src/tools.

There are two ways to build and run the samples for Crypto-J:

• Use IDE project files

The project files to build and run the samples have been included in this release of

Crypto-J for the following development environments:

– JetBrains IntelliJ IDE

– Eclipse IDE.

These project files are located at

root/cryptoj.

• Use Apache Ant build scripts

Build scripts to build and run the samples are included in this release of Crypto-J

at

root/cryptoj. Ensure that your execution path will allow the ant command

to be executed.

Note: The following instructions are based on the use of Apache Ant.

In the following instructions, replace api_name

with either jsafe, jce or tools

as required. For the ASN.1 samples, use

jsafe.

To build and run the sample code when using a Pure Java configuration:

1. Navigate to the cryptoj directory.

cd root/cryptoj

2. Build and run the samples:

a. To run all of the samples:

ant -f build-api_name.xml run.all

b. To run a specific sample, specify the sample name. For example:

ant -f build-api_name.xml run.ECIESwithAES

Binary Installation 11

RSA BSAFE Crypto-J 6.2.5 Installation Guide

To build and run the sample code when using a Native configuration:

Note: Step 4 on page 7 has the full list of the platforms and details of how to

configure a Native implementation.

1. Navigate to the

cryptoj directory.

cd root/cryptoj

2. Build and run the samples:

To run all of the JCE API samples:

ant -f build-jce.xml run.native.all -Djvm.arg=”

-Dcom.rsa.cryptoj.native.fips140.path=

root/cryptoj/prebuilt/cryptocme/platform

-Djava.library.path=

root/cryptoj/prebuilt/cryptocme/platform”

To run all of the JSAFE API samples:

ant -f build-jsafe.xml run.all -Djvm.arg=”

-Dcom.rsa.cryptoj.native.fips140.path=

root/cryptoj/prebuilt/cryptocme/platform

-Djava.library.path=

root/cryptoj/prebuilt/cryptocme/platform”

To run a specific sample:

a. To run a specific non-FIPS sample, specify the sample name.

For example:

ant -f build-api_name.xml run.ECIESwithAES

b. To run a specific FIPS sample, specify the sample name and the platform

specific arguments. For example:

ant -f build-api_name.xml run.FIPS140Compliant

-Djvm.arg=”-Dcom.rsa.cryptoj.native.fips140.path=

root/cryptoj/prebuilt/cryptocme/platform

-Djava.library.path=

root/cryptoj/prebuilt/cryptocme/platform”

12 Binary Installation for Android

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Binary Installation for Android

This section describes how to install the Crypto-J binary toolkit on your Android

development environment. These instructions assume the Crypto-J encrypted package

file has been downloaded and unpacked.

Before you begin:

• Ensure that the system you are installing onto has 400 MB of free disk space.

• Install JDK 7.0 or newer, and set the

JAVA_HOME environment variable

appropriately. The RSA BSAFE Crypto-J Release Notes lists the supported

platforms.

• Install Gradle 4.10.3 or newer.

• Install Android Studio 3.3.2 or newer.

• Install Android SDK Platform 28 or newer.

• Set the

ANDROID_HOME environmental variable to the Android SDK installation

location.

• Ensure an Android device running a supported version of Android is available to

run Crypto-J. A hardware device or an emulator can be used for this.

• Add

android-sdk/platform-tools, android-sdk/tools and

gradle-home/bin to the path environment variable to allow the Android

commands to be called from the Crypto-J build scripts.

• Read these installation instructions.

To install Crypto-J:

The following steps summarize the complete installation process which is detailed

below:

1. Install Crypto-J.

2. Build an Application to Run the System Tests.

Binary Installation for Android 13

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Install Crypto-J

The following describes the binary distribution directory structure of the unpacked

Crypto-J distribution package:

To install Crypto-J:

1. Copy the Crypto-J directory structure into a suitable location on the target system.

2. Select the Crypto-J jar

files to use, from root/cryptoj/lib, and add them to

the class path.The following table lists the Crypto-J APIs and the corresponding

jar

files.

Directory Content

root/

Crypto-J_6.2.5_InstallGuide.pdf

RSA BSAFE Crypto-J Installation Guide

Crypto-J_6.2.5_ReleaseNotes.pdf

RSA BSAFE Crypto-J Release Notes

license_bsafe.pdf

Product specific license text

readme.txt

cryptoj/

Build scripts and project files.

android/

Android source code

BsafeAndroidSamples/

Android source sample code

cryptoj/

src/

Android projects

doc/

Documentation

DevGuide/

RSA BSAFE Crypto-J Developers Guide

javadoc/

Javadocs

JsafeJCE/

RSA BSAFE JsafeJCE Javadoc

Jsafe/

RSA BSAFE Jsafe Javadoc

Tools/

RSA BSAFE Tools Javadoc

lib/

Jar

file repository

prebuilt/

cryptocme/

Crypto-C ME shared libraries

openldap/

OpenLDAP jar file

sample/

Source sample code

Table 7 Available APIs and Required jar Files

Available APIs Jar Files to Add to the Class Path

Non-FIPS JSAFE

1

,

2

cryptojcommon-6.2.5.jar

jcm-6.2.5.jar

FIPS JSAFE

cryptojcommon-6.2.5.jar

jcmandroidfips-6.2.5.jar

Non-FIPS JSAFE and JCE

2

cryptoj-6.2.5.jar

Non-FIPS JSAFE and JCE

1, 2

cryptojcommon-6.2.5.jar

cryptojce-6.2.5.jar

jcm-6.2.5.jar

FIPS JSAFE and JCE

cryptojcommon-6.2.5.jar

cryptojce-6.2.5.jar

jcmandroidfips-6.2.5.jar

14 Binary Installation for Android

RSA BSAFE Crypto-J 6.2.5 Installation Guide

3. Copy the jar files to the specified directories:

– To work with non-FIPS 140-2 compliant Crypto-J, copy

cryptoj-6.2.5.jar to the library file folder in the Android project, for

example,

android-project/libs, located at

root/cryptoj/android/BsafeAndroidSamples/cryptoj/src, .

– To work with FIPS 140-2 compliant Crypto-J, copy

cryptojcommon-6.2.5.jar and cryptojce-6.2.5.jar to

android-project/libs.

– To make the FIPS 140-2 compliant cryptographic implementations available,

copy the FIPS140 jar,

jcmandroidfips-6.2.5.jar, to the relevant

folder for loading.

• To load the FIPS140 jar from the raw resources folder in the Android

project, copy

jcmandroidfips-6.2.5.jar to the raw resources

folder,

android-project/res/raw as jcmandroidfips.raw.

• To load the FIPS140 jar from a file, the jar must be available on the

Android device that is running the application as a File, in a location such

as

/sdcard.

For details about how to load the jar file, see the section Introduction to

Crypto-J > Android in the RSA BSAFE Crypto-J Developers Guide.

4. Depending on other features to be used, additional jar

files may be required to be

added to the class path. The following table lists these features and the

corresponding jar

files to be added to the class path.

1

This configuration will yield faster start-up times.

2

Native configuration requires access to Crypto-C ME shared libraries. For more details, see step 5 on page 15.

Table 8 Features and Required jar Files

Feature Jar Files to Add to the class path

LDAP

root/cryptoj/prebuilt/openldap/openldap.jar

Tools API

root/cryptoj/lib/util-6.2.5.jar

Binary Installation for Android 15

RSA BSAFE Crypto-J 6.2.5 Installation Guide

5. If you do not wish to use a Native FIPS or Native non-FIPS configuration of

Crypto-J, go to Step 7.

To use a Native FIPS or Native non-FIPS configuration of Crypto-J, the

platform-specific Crypto-C ME shared libraries must be added to the Java library

path. The following table details the subdirectories in

root/cryptoj/prebuilt/cryptocme

that contain the platform-specific

shared libraries.

6. Select the Native shared library

.so files to use and copy them to the specified

directories:

Note: In the following instructions, replace platform with either x86

or armeabi-v7a as applicable.

– To work with Crypto-J configured as non-FIPS 140-2 compliant, copy

libncm.so to the platform-specific folder for the shared native library files

in the Android project,

android-project at /jniLibs/platform or

/libs/platform.

– To work with Crypto-J configured as FIPS 140-2 compliant:

• Copy the following shared libraries to the platform-specific folder for the

shared native library files in the Android project at

/jniLibs/platform or /libs/platform:

• Copy the signature file,

libcryptocme.sig, to the

android-project/assets/platform directory.

For details about how to use Native configurations of Crypto-J, see the

API-specific section “Using Native Implementations” in the RSA BSAFE

Crypto-J Developers Guide.

7. To use the Crypto-J JsafeJCE API, dynamically register the Crypto-J JCE

provider, JsafeJCE:

a. Add the relevant jar files to the class path.

Table 9 Platform-specific Native Shared Libraries for Crypto-C ME

Subdirectory

1

Short Platform Name.

Platform-specific Native Shared Libraries

android_x86

Google Android 32-bit

android_armv7

Google Android ARM

®

v7

• libccme_asym.so • libccme_ecc_accel_fips.so

• libccme_aux_entropy.so • libccme_ecc_accel_non_fips.so

• libccme_base.so • libccme_ecdrbg.so

• libccme_base_non_fips.so • libccme_error_info.so

• libccme_ecc.so • libcryptocme.so

• libccme_ecc_non_fips.so • libncm_fips140.so

16 Binary Installation for Android

RSA BSAFE Crypto-J 6.2.5 Installation Guide

b. Create the provider programmatically using the following Java code:

// Create a Provider object

Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();

// Add the Crypto-J JsafeJCE Provider to the current

// list of providers available on the system.

Security.insertProviderAt (jsafeProvider, 1);

Note: Unlike standard Java, Android doesn't support static

registration of JCE providers, therefore the provider must be loaded

dynamically.

8. Set the following properties for FIPS 140-2 compliant operation.

For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the

security properties listed in the following table must be added.

9. Crypto-J uses

CTRDRBG128 as the default random algorithm where no other

random algorithm is specified.

Use the security property

com.rsa.crypto.default.random to change this

as required. The following are valid values for this security property:

The installation of

Crypto-J is complete. For information on how to run the sample

code, see Build an Application to Run the System Tests.

Table 10 FIPS 140-2 Property Setting

Property Name Value

com.rsa.cryptoj.fips140initialmode

FIPS140_MODE

1

The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,

FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE

.

com.rsa.cryptoj.native.fips140.path path

Table 11 FIPS 140-2 Level 2 Property Settings

Property Name Value

com.rsa.cryptoj.fips140auth LEVEL2

com.rsa.cryptoj.configfile

1

This security property is optional. There are APIs to dynamically specify this property.

path and filename

2

The path and filename can be an absolute path.

• CTRDRBG

• CTRDRBG128

• CTRDRBG192

• CTRDRBG256

• HASHDRBG

• HASHDRBG128

• HASHDRBG192

• HASHDRBG256

• HMACDRBG

• HMACDRBG128

• HMACDRBG192

• HMACDRBG256

Binary Installation for Android 17

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Note: Services created by JCE providers do not follow the non-Android

priority order. In a non-Android system, a

SecureRandom created with

no defined algorithm would normally use the algorithm with the highest

priority set in the security properties. On Android, a different algorithm

could be used each time. RSA recommends that on Android an algorithm

is always specified when creating a

SecureRandom or when using any

JCE component that has an option to use a default SecureRandom.

Note: For details about how to run ProGuard with Crypto-J jar files, see the

section Introduction to Crypto-J > ProGuard and Crypto-J Jar Files in

the RSA BSAFE Crypto-J Developers Guide.

18 Binary Installation for Android

RSA BSAFE Crypto-J 6.2.5 Installation Guide

Build an Application to Run the System Tests

A samples application to run the Crypto-J system tests can be built from the command

line or Android Studio. Instructions are provided to:

• Build an Application from the Command Line

• Install a Samples Application from Android Studio.

Gradle scripts to build the application are included in this release at

root/cryptoj/android/BsafeAndroidSamples.

Samples are available in four build variants:

•

cryptoj - non-FIPS 140-2 mode with the Pure Java implementation

•

cryptojFips - FIPS 140-2 mode with the Pure Java implementation

•

cryptojNative - non-FIPS 140-2 mode with the Native implementation

•

cryptojNativeFips - FIPS 140-2 mode with the Native implementation.

Note: The samples can be run in either FIPS 140-2 Level 1 or Level 2 mode,

per installation. To re-run the samples in the alternate mode, they must first be

un-installed and then re-installed.

Build an Application from the Command Line

Before you Begin:

• Ensure that your execution path will allow the gradle command to be executed.

• Attach the relevant Android device.

To build the sample code:

1. Navigate to the Android samples directory.

cd root/cryptoj/android/BsafeAndroidSamples.

2. Run the Gradle wrapper task in the BsafeAndroidSamples project to create

the Gradle wrapper:

gradle wrapper --gradle-version=version

[--gradle-distribution-url=url]

Where:

• version is the installed version of Gradle.

• url is optional, provided where Gradle is already downloaded, in the

format

file://

full_path/gradle-distribution-zipfile

.

If not specified, the wrapper task downloads a new Gradle distribution.

3. Install and run the samples application on the attached device:

For a system running a Unix-like operating system:

./gradlew installvariantSamplesRelease

Page is loading ...

Dell BSAFE Crypto-J User guide

Dell BSAFE Crypto-J User guide

Related papers

Other documents