Dell BSAFE Crypto-J User guide

RSA BSAFE® Crypto-J 6.2.5
Installation Guide
August 2019
Part Number
29.07.19
Copyright and Trademark
Legal Notices
Copyright © 2019 Dell Inc. or its subsidiaries. All rights reserved.
Dell Inc. believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS”. DELL INC OR ITS SUBSIDIARIES MAKES
NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.
Dell, RSA, the RSA logo, BSAFE, and other trademarks are registered trademarks of Dell Inc. or its subsidiaries. Other
trademarks may be trademarks of their respective companies.
Third-party licenses
This product may include software developed by parties other than Dell Inc. The text of the license agreements applicable to
third-party software in this product may be viewed in Crypto-J_6.2.4_Third-partyLicenses.pdf.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Limit distribution of this document to trusted personnel.
RSA BSAFE Crypto-J 6.2.5 Installation Guide
This document provides instructions for installing RSA BSAFE Crypto-J 6.2.5
(Crypto-J) on all released platforms. Instructions are provided for binary installations,
including installation on Google® Android™ and the Java™ Web Start application,
and source installations of Crypto-J, including installation on Google Android.
Binary installations are suitable where the compiled version of Crypto-J matches your
installation platform, and where there is no intention to alter the product. Source
installations are suitable where there is a requirement to build Crypto-J for a specific
platform.
Contents:
About the Crypto-J Toolkit
Binary Installation
Binary Installation for Android
Binary Installation for Java Web Start
Source Installation
Source Installation for Android
System and Security Properties
Uninstallation Instructions
About the Crypto-J Toolkit
Crypto-J provides Java™ developers with a state-of-the-art implementation of the
most important privacy, authentication, and data integrity algorithms. The Crypto-J
toolkit contains both the Java Cryptography Extension (JCE) API and Jsafe API.
The Crypto-J distribution media contains the following:
Binary toolkit:
Toolkit Java archive (jar) files.
Source toolkit:
Java source code and build and test systems.
RSA BSAFE Crypto-C Micro Edition 4.1 (Crypto-C ME) shared libraries
Sample source code
Product documentation consisting of:
This document, the RSA BSAFE Crypto-J Installation Guide, in Portable
Document Format (PDF), with instructions on how to install and build
Crypto-J.
RSA BSAFE Crypto-J FIPS Compliance Guide, in PDF, which describes the
FIPS 140 compliance requirements for Crypto-J.
RSA BSAFE Crypto-J Release Notes, in PDF, with the latest information
about Crypto-J.
RSA BSAFE Crypto-J JSAFE and JCE Software Module Security Policy
documents, Level 1 and Level 2, which describe how the Crypto-J JSAFE and
JCE Software Module meets the Level 1 security requirements of FIPS 140-2,
the Level 2 security requirements of FIPS 140-2 for Roles, Authentication and
Services, Level 3 security requirements for Design Assurance, and how to
securely operate it.
RSA BSAFE Crypto-J Third-party Licenses, in PDF, with license information
for third-party code used in Crypto-J.
RSA BSAFE Crypto-J Troubleshooting Guide, in PDF, with information and
instructions for troubleshooting common issues with Crypto-J.
RSA BSAFE Crypto-J Developers Guide, in HTML format, with information
and instructions on how to develop applications that integrate Crypto-J.
The following Javadocs in HTML format, with Java API reference
information:
RSA BSAFE JsafeJCE Javadoc
RSA BSAFE Jsafe Javadoc
RSA BSAFE Tools Javadoc.
Related product documentation:
The RSA BSAFE Crypto-C Micro Edition Security Policies, Level 1 and
Level 2, in PDF, which describe how the Crypto-C ME Cryptographic Module
meets the Level 1 security requirements of FIPS 140-2, the Level 2 security
requirements of FIPS 140-2 for Roles, Authentication and Services, Level 3
security requirements for Design Assurance, and how to securely operate it.
Documentation for this release and for previous releases of Crypto-J is also available
from RSA Link.
Toolkit Configuration
The following table lists the eight toolkit configurations included in the Crypto-J
toolkit.
Table 1 Toolkit Configuration
Configuration               Cryptographic Implementation   PKCS #11 Accessible   FIPS Validated
Pure JSAFE                  Pure Java                      No                    No
Native JSAFE                Pure Java and Native           Yes (1)               No
Pure JCE and JSAFE          Pure Java                      No                    No
Native JCE and JSAFE        Pure Java and Native           Yes (1)               No
FIPS JSAFE                  Pure Java                      No                    Yes
FIPS Native JSAFE           Pure Java and Native           Yes (1)               Yes
FIPS JCE and JSAFE          Pure Java                      No                    Yes
FIPS Native JCE and JSAFE   Pure Java and Native           Yes (1)               Yes
(1) Not applicable to Crypto-J on Android.
Binary Installation
This section describes how to install the Crypto-J binary toolkit on your development
environment. These instructions assume the Crypto-J encrypted package file has been
downloaded and unpacked.
Note: For instructions to install the Crypto-J binary toolkit on an Android
development environment, go to Binary Installation for Android.
For instructions to install the Crypto-J binary toolkit on a Java Web Start
development environment, go to Binary Installation for Java Web Start.
Before you begin:
Ensure that the system you are installing onto has 400 MB of free disk space.
Install JDK 7.0 or above, and set the JAVA_HOME environment variable
appropriately. The RSA BSAFE Crypto-J Release Notes lists the supported
platforms.
Install one or more of the following:
Apache™ Ant™
JetBrains IntelliJ® IDE
Eclipse IDE.
Note: Optional, used to build the samples.
Read these installation instructions.
To install Crypto-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install JCE Unlimited Strength Jurisdiction Policy Files.
2. Install Crypto-J.
3. Build and Run the Samples.
Install JCE Unlimited Strength Jurisdiction Policy Files
The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order
to use some algorithms and key strengths, and the samples that use these.
The following algorithms require these policy files:
AES with key sizes greater than 128 bits
RC2 with key sizes greater than 128 bits
RC4 with key sizes greater than 128 bits
RC5 with key sizes greater than 128 bits
RSA Encryption.
These algorithms are used by some PKCS #12 KeyStore files.
For the latest unlimited strength jurisdiction policy file guidelines, see the
install_jre/lib/security/java.security file.
The latest JDK updates use the unlimited strength jurisdiction policy files by default.
To check that the installed JDK does this, look for the
install_jre/lib/security/policy directory. If this directory is not present,
complete the following instructions to manually download and install the unlimited
policy files.
The JDK version installed determines the unlimited strength jurisdiction policy file to
download.
For Oracle® JDK 9, follow the instructions in the README.txt located in the
install_jdk9/conf/security/policy directory of the JDK download.
For all other JDK versions, obtain the applicable file from the following download
locations:
JCE Unlimited Strength Jurisdiction Policy Files 7 for:
Oracle JDK 7.0
HP JDK 7.0.
JCE Unlimited Strength Jurisdiction Policy Files 8 for:
Oracle JDK 8.0
HP JDK 8.0.
IBM Unrestricted JCE Policy Files for IBM® JDK 7.x and 8.0.
To install the unlimited strength Jurisdiction Policy Files:
1. Extract the local_policy.jar and US_export_policy.jar files from the
downloaded zip file.
2. Copy local_policy.jar and US_export_policy.jar to the
install_jre/lib/security directory, overwriting the existing policy files.
Install Crypto-J
The following describes the binary distribution directory structure of the unpacked
Crypto-J distribution package:
Directory                          Content
root/
Crypto-J_6.2.5_InstallGuide.pdf    RSA BSAFE Crypto-J Installation Guide
Crypto-J_6.2.5_ReleaseNotes.pdf    RSA BSAFE Crypto-J Release Notes
license_bsafe.pdf                  Product specific license text
readme.txt
cryptoj/                           Build scripts and project files.
android/                           Android source code
BsafeAndroidSamples/               Android source sample code
doc/                               Documentation
DevGuide/                          RSA BSAFE Crypto-J Developers Guide
javadoc/                           Javadocs
JsafeJCE/                          RSA BSAFE JsafeJCE Javadoc
Jsafe/                             RSA BSAFE Jsafe Javadoc
Tools/                             RSA BSAFE Tools Javadoc
lib/                               Jar file repository
prebuilt/
cryptocme/                         Crypto-C ME shared libraries
openldap/                          OpenLDAP jar file
sample/                            Source sample code
To install Crypto-J:
1. Copy the Crypto-J directory structure into a suitable location on the target system.
2. Select the Crypto-J jar files to use from root/cryptoj/lib, and add them to
the class path. The following table lists the Crypto-J APIs and the corresponding
jar files.
Table 2 Available APIs and Required jar Files
Available APIs                   Jar Files to Add to the Class Path
Non-FIPS JSAFE (1, 2)            cryptojcommon-6.2.5.jar
                                 jcm-6.2.5.jar
FIPS JSAFE                       cryptojcommon-6.2.5.jar
                                 jcmFIPS-6.2.5.jar
Non-FIPS JSAFE and JCE (2)       cryptoj-6.2.5.jar
Non-FIPS JSAFE and JCE (1, 2)    cryptojcommon-6.2.5.jar
                                 cryptojce-6.2.5.jar
                                 jcm-6.2.5.jar
FIPS JSAFE and JCE               cryptojcommon-6.2.5.jar
                                 cryptojce-6.2.5.jar
                                 jcmFIPS-6.2.5.jar
(1) This configuration will yield faster start-up times.
(2) Native configuration requires access to Crypto-C ME shared libraries. For more details, see Step 4
on page 7.
3. Depending on other features to be used, additional jar files might need to be added
to the class path. The following table lists these features and the corresponding jar
files to be added to the class path.
Table 3 Features and Required jar Files
Feature      Jar Files to Add to the class path
LDAP         root/cryptoj/prebuilt/openldap/openldap.jar
Tools API    root/cryptoj/lib/util-6.2.5.jar
4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of
Crypto-J, go to Step 5.
To use a Native FIPS or Native non-FIPS configuration of Crypto-J, the
platform-specific Crypto-C ME shared libraries must be added to the Java library
path. The following table details the subdirectories in
root/cryptoj/prebuilt/cryptocme that contain the platform-specific
shared libraries.
Table 4 Platform-specific Native Shared Libraries for Crypto-C ME
Platform-specific Native Shared Libraries            Subdirectory (1)
Apple® Mac® OS X x86 32-bit                          macosx_x86
Apple Mac OS x86_64 64-bit                           macosx_x64
FreeBSD® 64-bit                                      freebsd_x64_gcc
HP HP-UX 11.31 Itanium2 32-bit                       hpux1131ia32i2
HP HP-UX 11.31 Itanium2 64-bit                       hpux1131ia64i2
IBM AIX® 32-bit                                      aix6
IBM AIX 64-bit                                       aix6_64
Micro Focus® SUSE® Linux Enterprise Server 32-bit    linux_x86_lsb30
Micro Focus SUSE Linux Enterprise Server 64-bit      linux_x64_lsb30
Microsoft® Windows® 32-bit                           win32vc8
Microsoft Windows 64-bit                             win64x64
Oracle Solaris™ x86 32-bit                           solx86
Oracle Solaris x86_64 64-bit                         solx64
For example, for systems running a 32-bit Windows operating system:
    copy root\cryptoj\prebuilt\cryptocme\win32vc8\*.* C:\Windows\System32
For systems running a Unix-like operating system, add the Native library to the
library path. For example, on a Solaris operating system:
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:root/cryptoj/prebuilt/cryptocme/solspv8p
    export LD_LIBRARY_PATH
Note: On some operating systems, it may be necessary to set the execute
permissions for the shared libraries. For example:
    chmod 755 root/cryptoj/prebuilt/cryptocme/solspv8p/*.so
For details about how to use Native configurations of Crypto-J, see the
API-specific section Using Native Implementations in the RSA BSAFE Crypto-J
Developers Guide.
Table 4 Platform-specific Native Shared Libraries for Crypto-C ME (continued)
Platform-specific Native Shared Libraries    Subdirectory (1)
Oracle Solaris Sparc v8+ 32-bit              solspv8p
Oracle Solaris Sparc v9 64-bit               solspv9
Red Hat® Enterprise Server 32-bit            linux_x86_lsb30
Red Hat Enterprise Server 64-bit             linux_x64_lsb30
(1) Short Platform Name.
5. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,
either statically or dynamically.
To statically register the JsafeJCE provider:
a. Copy the relevant jar files to the install_jre/lib/ext directory.
b. Edit the install_jre/lib/security/java.security file to add the
JsafeJCE Provider:
    security.provider.n=com.rsa.jsafe.provider.JsafeJCE
To set the JsafeJCE Provider as the default provider, set n to 1.
Change the value of n for any other providers listed in java.security so
that each provider has a unique number. For example:
    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
    security.provider.2=sun.security.provider.Sun
To dynamically register the JsafeJCE provider:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
    import java.security.Provider;
    import java.security.Security;

    // Create a Provider object
    Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
    // Add the Crypto-J JsafeJCE Provider to the current
    // list of providers available on the system.
    Security.insertProviderAt(jsafeProvider, 1);
6. The Crypto-J FIPS 140-2 toolkit may be configured to perform specific operations
at start-up (load). Edit the following file to configure these operations:
install_jre/lib/security/java.security.
The following table lists the property that must be set for FIPS 140-2 compliant
operation.
Table 5 FIPS 140-2 Property Setting
Property Name                         Value
com.rsa.cryptoj.fips140initialmode    FIPS140_MODE (1)
(1) The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,
FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 6 FIPS 140-2 Level 2 Property Settings
Property Name                     Value
com.rsa.cryptoj.fips140auth       LEVEL2
com.rsa.cryptoj.configfile (1)    path and filename (2)
(1) This security property is optional. There are APIs to dynamically specify this property.
(2) The path and filename can be an absolute path or a path relative to the user.dir Java system property.
7. Crypto-J uses CTRDRBG128 as the default random algorithm where no other
random algorithm is specified.
Use the security property com.rsa.crypto.default.random to change this
as required. The following are valid values for this security property:
CTRDRBG       HASHDRBG       HMACDRBG
CTRDRBG128    HASHDRBG128    HMACDRBG128
CTRDRBG192    HASHDRBG192    HMACDRBG192
CTRDRBG256    HASHDRBG256    HMACDRBG256
The installation of Crypto-J is complete. For information on how to run the sample
code, see Build and Run the Samples.
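One way to confirm the result of the steps above from inside a JVM, as an added example that is not part of this guide or of Crypto-J: it checks the jurisdiction policy, the position of the JsafeJCE provider, and the security properties against the values listed in this section. It uses only standard JDK APIs; the class and method names are this example's own, and it assumes the properties are set in java.security and therefore readable through java.security.Security.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;

/** Added example: audits the JVM settings that the binary installation steps configure. */
public class CryptoJInstallCheck {

    // Provider class name, property names and valid values are taken from this guide.
    static final String PROVIDER_CLASS = "com.rsa.jsafe.provider.JsafeJCE";
    static final String PROP_FIPS_MODE = "com.rsa.cryptoj.fips140initialmode";
    static final String PROP_FIPS_AUTH = "com.rsa.cryptoj.fips140auth";
    static final String PROP_DEFAULT_RANDOM = "com.rsa.crypto.default.random";

    static final List<String> FIPS_MODES = Arrays.asList(
        "FIPS140_MODE", "FIPS140_SSL_MODE", "FIPS140_ECC_MODE",
        "FIPS140_SSL_ECC_MODE", "NON_FIPS140_MODE");
    static final List<String> RANDOM_ALGS = Arrays.asList(
        "CTRDRBG", "CTRDRBG128", "CTRDRBG192", "CTRDRBG256",
        "HASHDRBG", "HASHDRBG128", "HASHDRBG192", "HASHDRBG256",
        "HMACDRBG", "HMACDRBG128", "HMACDRBG192", "HMACDRBG256");

    /** Returns the 1-based preference position of the provider class, or 0 if not registered. */
    static int providerPosition(String className) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getClass().getName().equals(className)) {
                return i + 1;
            }
        }
        return 0;
    }

    /** True when the jurisdiction policy in force allows AES keys longer than 128 bits. */
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** Compares a security property with the values this guide lists for it. */
    static String checkProperty(String name, List<String> listed, String whenUnset) {
        String value = Security.getProperty(name);
        if (value == null) {
            return whenUnset;
        }
        value = value.trim();
        return listed.contains(value)
            ? "OK (" + value + ")"
            : "UNEXPECTED (" + value + "): not a value this guide lists";
    }

    /** Runs every check and returns label -> finding, in report order. */
    static Map<String, String> audit() throws NoSuchAlgorithmException {
        Map<String, String> report = new LinkedHashMap<>();
        report.put("Unlimited strength policy (AES > 128 bits)",
            unlimitedPolicyActive() ? "OK" : "MISSING: install the policy files");
        int pos = providerPosition(PROVIDER_CLASS);
        report.put("JsafeJCE provider",
            pos == 0 ? "NOT REGISTERED in this JVM"
                : pos == 1 ? "OK (default provider, position 1)"
                : "registered at position " + pos + ", not the default");
        report.put(PROP_FIPS_MODE, checkProperty(PROP_FIPS_MODE, FIPS_MODES,
            "not set (must be set for FIPS 140-2 compliant operation)"));
        report.put(PROP_FIPS_AUTH, checkProperty(PROP_FIPS_AUTH, Arrays.asList("LEVEL2"),
            "not set (needed only for FIPS 140-2 Level 2)"));
        report.put(PROP_DEFAULT_RANDOM, checkProperty(PROP_DEFAULT_RANDOM, RANDOM_ALGS,
            "not set (toolkit default is CTRDRBG128)"));
        return report;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, String> entry : audit().entrySet()) {
            System.out.println(entry.getKey() + ": " + entry.getValue());
        }
    }
}
```

Run as a separate program, this sees only static registration in java.security; to check dynamic registration, call audit() from the application after Security.insertProviderAt has run.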
Build and Run the Samples
The following procedure for running the sample code is applicable only for the binary
toolkit.
Sample source code is available for each API:
The JSAFE and ASN.1 samples are in root/cryptoj/sample/src/jsafe
The JsafeJCE samples are in root/cryptoj/sample/src/jce
The Tools samples are in root/cryptoj/sample/src/tools.
There are two ways to build and run the samples for Crypto-J:
Use IDE project files
The project files to build and run the samples have been included in this release of
Crypto-J for the following development environments:
JetBrains IntelliJ IDE
Eclipse IDE.
These project files are located at root/cryptoj.
Use Apache Ant build scripts
Build scripts to build and run the samples are included in this release of Crypto-J
at root/cryptoj. Ensure that your execution path will allow the ant command
to be executed.
Note: The following instructions are based on the use of Apache Ant.
In the following instructions, replace api_name with either jsafe, jce or tools
as required. For the ASN.1 samples, use jsafe.
To build and run the sample code when using a Pure Java configuration:
1. Navigate to the cryptoj directory.
    cd root/cryptoj
2. Build and run the samples:
a. To run all of the samples:
    ant -f build-api_name.xml run.all
b. To run a specific sample, specify the sample name. For example:
    ant -f build-api_name.xml run.ECIESwithAES
To build and run the sample code when using a Native configuration:
Note: Step 4 on page 7 has the full list of the platforms and details of how to
configure a Native implementation.
1. Navigate to the cryptoj directory.
    cd root/cryptoj
2. Build and run the samples:
To run all of the JCE API samples:
    ant -f build-jce.xml run.native.all -Djvm.arg="-Dcom.rsa.cryptoj.native.fips140.path=root/cryptoj/prebuilt/cryptocme/platform -Djava.library.path=root/cryptoj/prebuilt/cryptocme/platform"
To run all of the JSAFE API samples:
    ant -f build-jsafe.xml run.all -Djvm.arg="-Dcom.rsa.cryptoj.native.fips140.path=root/cryptoj/prebuilt/cryptocme/platform -Djava.library.path=root/cryptoj/prebuilt/cryptocme/platform"
To run a specific sample:
a. To run a specific non-FIPS sample, specify the sample name.
For example:
    ant -f build-api_name.xml run.ECIESwithAES
b. To run a specific FIPS sample, specify the sample name and the platform
specific arguments. For example:
    ant -f build-api_name.xml run.FIPS140Compliant -Djvm.arg="-Dcom.rsa.cryptoj.native.fips140.path=root/cryptoj/prebuilt/cryptocme/platform -Djava.library.path=root/cryptoj/prebuilt/cryptocme/platform"
Binary Installation for Android
This section describes how to install the Crypto-J binary toolkit on your Android
development environment. These instructions assume the Crypto-J encrypted package
file has been downloaded and unpacked.
Before you begin:
Ensure that the system you are installing onto has 400 MB of free disk space.
Install JDK 7.0 or newer, and set the JAVA_HOME environment variable
appropriately. The RSA BSAFE Crypto-J Release Notes lists the supported
platforms.
Install Gradle 4.10.3 or newer.
Install Android Studio 3.3.2 or newer.
Install Android SDK Platform 28 or newer.
Set the ANDROID_HOME environment variable to the Android SDK installation
location.
Ensure an Android device running a supported version of Android is available to
run Crypto-J. A hardware device or an emulator can be used for this.
Add android-sdk/platform-tools, android-sdk/tools and
gradle-home/bin to the path environment variable to allow the Android
commands to be called from the Crypto-J build scripts.
Read these installation instructions.
To install Crypto-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install Crypto-J.
2. Build an Application to Run the System Tests.
Install Crypto-J
The following describes the binary distribution directory structure of the unpacked
Crypto-J distribution package:
Directory                          Content
root/
Crypto-J_6.2.5_InstallGuide.pdf    RSA BSAFE Crypto-J Installation Guide
Crypto-J_6.2.5_ReleaseNotes.pdf    RSA BSAFE Crypto-J Release Notes
license_bsafe.pdf                  Product specific license text
readme.txt
cryptoj/                           Build scripts and project files.
android/                           Android source code
BsafeAndroidSamples/               Android source sample code
cryptoj/
src/                               Android projects
doc/                               Documentation
DevGuide/                          RSA BSAFE Crypto-J Developers Guide
javadoc/                           Javadocs
JsafeJCE/                          RSA BSAFE JsafeJCE Javadoc
Jsafe/                             RSA BSAFE Jsafe Javadoc
Tools/                             RSA BSAFE Tools Javadoc
lib/                               Jar file repository
prebuilt/
cryptocme/                         Crypto-C ME shared libraries
openldap/                          OpenLDAP jar file
sample/                            Source sample code
To install Crypto-J:
1. Copy the Crypto-J directory structure into a suitable location on the target system.
2. Select the Crypto-J jar files to use, from root/cryptoj/lib, and add them to
the class path. The following table lists the Crypto-J APIs and the corresponding
jar files.
Table 7 Available APIs and Required jar Files
Available APIs                   Jar Files to Add to the Class Path
Non-FIPS JSAFE (1, 2)            cryptojcommon-6.2.5.jar
                                 jcm-6.2.5.jar
FIPS JSAFE                       cryptojcommon-6.2.5.jar
                                 jcmandroidfips-6.2.5.jar
Non-FIPS JSAFE and JCE (2)       cryptoj-6.2.5.jar
Non-FIPS JSAFE and JCE (1, 2)    cryptojcommon-6.2.5.jar
                                 cryptojce-6.2.5.jar
                                 jcm-6.2.5.jar
FIPS JSAFE and JCE               cryptojcommon-6.2.5.jar
                                 cryptojce-6.2.5.jar
                                 jcmandroidfips-6.2.5.jar
(1) This configuration will yield faster start-up times.
(2) Native configuration requires access to Crypto-C ME shared libraries. For more details, see step 5 on page 15.
3. Copy the jar files to the specified directories:
  To work with non-FIPS 140-2 compliant Crypto-J, copy
  cryptoj-6.2.5.jar to the library file folder in the Android project, for
  example, android-project/libs, located at
  root/cryptoj/android/BsafeAndroidSamples/cryptoj/src.
  To work with FIPS 140-2 compliant Crypto-J, copy
  cryptojcommon-6.2.5.jar and cryptojce-6.2.5.jar to
  android-project/libs.
  To make the FIPS 140-2 compliant cryptographic implementations available,
  copy the FIPS140 jar, jcmandroidfips-6.2.5.jar, to the relevant
  folder for loading.
    To load the FIPS140 jar from the raw resources folder in the Android
    project, copy jcmandroidfips-6.2.5.jar to the raw resources
    folder, android-project/res/raw as jcmandroidfips.raw.
    To load the FIPS140 jar from a file, the jar must be available on the
    Android device that is running the application as a File, in a location such
    as /sdcard.
  For details about how to load the jar file, see the section Introduction to
  Crypto-J > Android in the RSA BSAFE Crypto-J Developers Guide.
4. Depending on other features to be used, additional jar files may be required to be
added to the class path. The following table lists these features and the
corresponding jar files to be added to the class path.
Table 8 Features and Required jar Files
Feature      Jar Files to Add to the class path
LDAP         root/cryptoj/prebuilt/openldap/openldap.jar
Tools API    root/cryptoj/lib/util-6.2.5.jar
5. If you do not wish to use a Native FIPS or Native non-FIPS configuration of
Crypto-J, go to Step 7.
To use a Native FIPS or Native non-FIPS configuration of Crypto-J, the
platform-specific Crypto-C ME shared libraries must be added to the Java library
path. The following table details the subdirectories in
root/cryptoj/prebuilt/cryptocme that contain the platform-specific
shared libraries.
Table 9 Platform-specific Native Shared Libraries for Crypto-C ME
Subdirectory (1)    Platform-specific Native Shared Libraries
android_x86         Google Android 32-bit
android_armv7       Google Android ARM® v7
(1) Short Platform Name.
6. Select the Native shared library .so files to use and copy them to the specified
directories:
Note: In the following instructions, replace platform with either x86
or armeabi-v7a as applicable.
  To work with Crypto-J configured as non-FIPS 140-2 compliant, copy
  libncm.so to the platform-specific folder for the shared native library files
  in the Android project, android-project at /jniLibs/platform or
  /libs/platform.
  To work with Crypto-J configured as FIPS 140-2 compliant:
    Copy the following shared libraries to the platform-specific folder for the
    shared native library files in the Android project at
    /jniLibs/platform or /libs/platform:
      libccme_asym.so             libccme_ecc_accel_fips.so
      libccme_aux_entropy.so      libccme_ecc_accel_non_fips.so
      libccme_base.so             libccme_ecdrbg.so
      libccme_base_non_fips.so    libccme_error_info.so
      libccme_ecc.so              libcryptocme.so
      libccme_ecc_non_fips.so     libncm_fips140.so
    Copy the signature file, libcryptocme.sig, to the
    android-project/assets/platform directory.
For details about how to use Native configurations of Crypto-J, see the
API-specific section “Using Native Implementations” in the RSA BSAFE
Crypto-J Developers Guide.
7. To use the Crypto-J JsafeJCE API, dynamically register the Crypto-J JCE
provider, JsafeJCE:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
    import java.security.Provider;
    import java.security.Security;

    // Create a Provider object
    Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
    // Add the Crypto-J JsafeJCE Provider to the current
    // list of providers available on the system.
    Security.insertProviderAt(jsafeProvider, 1);
Note: Unlike standard Java, Android doesn't support static
registration of JCE providers, therefore the provider must be loaded
dynamically.
8. Set the following properties for FIPS 140-2 compliant operation.
Table 10 FIPS 140-2 Property Setting
Property Name                              Value
com.rsa.cryptoj.fips140initialmode         FIPS140_MODE (1)
com.rsa.cryptoj.native.fips140.path        path
(1) The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,
FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 11 FIPS 140-2 Level 2 Property Settings
Property Name                     Value
com.rsa.cryptoj.fips140auth       LEVEL2
com.rsa.cryptoj.configfile (1)    path and filename (2)
(1) This security property is optional. There are APIs to dynamically specify this property.
(2) The path and filename can be an absolute path.
9. Crypto-J uses CTRDRBG128 as the default random algorithm where no other
random algorithm is specified.
Use the security property com.rsa.crypto.default.random to change this
as required. The following are valid values for this security property:
CTRDRBG       HASHDRBG       HMACDRBG
CTRDRBG128    HASHDRBG128    HMACDRBG128
CTRDRBG192    HASHDRBG192    HMACDRBG192
CTRDRBG256    HASHDRBG256    HMACDRBG256
The installation of Crypto-J is complete. For information on how to run the sample
code, see Build an Application to Run the System Tests.
Note: Services created by JCE providers do not follow the non-Android
priority order. In a non-Android system, a SecureRandom created with
no defined algorithm would normally use the algorithm with the highest
priority set in the security properties. On Android, a different algorithm
could be used each time. RSA recommends that on Android an algorithm
is always specified when creating a SecureRandom or when using any
JCE component that has an option to use a default SecureRandom.
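The recommendation in the note above, as an added example that is not part of this guide or of Crypto-J: the random source is obtained by name and then passed explicitly to every JCE component that would otherwise pick a default. The calls are standard JCE APIs; the provider name "JsafeJCE" and the SecureRandom algorithm name "HMACDRBG256" are assumptions to confirm against the JsafeJCE Javadoc, and the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: names the random source everywhere instead of relying on a default. */
public class ExplicitRandom {

    // Assumptions, not taken from this guide: the provider is registered under the name
    // "JsafeJCE" and offers a SecureRandom service named "HMACDRBG256". Other names can
    // be passed on the command line as <algorithm> <provider>.
    static final String RANDOM_ALG = "HMACDRBG256";
    static final String RANDOM_PROVIDER = "JsafeJCE";

    /** Returns the named SecureRandom or throws; there is no fallback to new SecureRandom(). */
    static SecureRandom explicitRandom(String algorithm, String provider)
            throws GeneralSecurityException {
        return SecureRandom.getInstance(algorithm, provider);
    }

    /** Generates an AES key from the caller's random rather than the KeyGenerator default. */
    static SecretKey newAesKey(int bits, SecureRandom random) throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(bits, random);
        return generator.generateKey();
    }

    /** AES-GCM encryption with a 12-byte IV drawn from the same random. Returns IV || ciphertext. */
    static byte[] encrypt(SecretKey key, byte[] plaintext, SecureRandom random)
            throws GeneralSecurityException {
        byte[] iv = new byte[12];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv), random);
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    public static void main(String[] args) {
        String algorithm = args.length > 0 ? args[0] : RANDOM_ALG;
        String provider = args.length > 1 ? args[1] : RANDOM_PROVIDER;
        try {
            SecureRandom random = explicitRandom(algorithm, provider);
            SecretKey key = newAesKey(128, random);
            // Constructed sample input.
            byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
            byte[] sealed = encrypt(key, message, random);
            System.out.println(random.getAlgorithm() + " from " + random.getProvider().getName()
                + ": " + sealed.length + " bytes (IV + ciphertext + tag)");
        } catch (GeneralSecurityException e) {
            // Fail closed: a missing algorithm or provider stops the program here.
            System.err.println("Refusing to continue without " + algorithm + "/" + provider
                + ": " + e);
        }
    }
}
```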
Note: For details about how to run ProGuard with Crypto-J jar files, see the
section Introduction to Crypto-J > ProGuard and Crypto-J Jar Files in
the RSA BSAFE Crypto-J Developers Guide.
Build an Application to Run the System Tests
A samples application to run the Crypto-J system tests can be built from the command
line or Android Studio. Instructions are provided to:
Build an Application from the Command Line
Install a Samples Application from Android Studio.
Gradle scripts to build the application are included in this release at
root/cryptoj/android/BsafeAndroidSamples.
Samples are available in four build variants:
cryptoj - non-FIPS 140-2 mode with the Pure Java implementation
cryptojFips - FIPS 140-2 mode with the Pure Java implementation
cryptojNative - non-FIPS 140-2 mode with the Native implementation
cryptojNativeFips - FIPS 140-2 mode with the Native implementation.
Note: The samples can be run in either FIPS 140-2 Level 1 or Level 2 mode,
per installation. To re-run the samples in the alternate mode, they must first be
un-installed and then re-installed.
Build an Application from the Command Line
Before you Begin:
Ensure that your execution path will allow the gradle command to be executed.
Attach the relevant Android device.
To build the sample code:
1. Navigate to the Android samples directory.
    cd root/cryptoj/android/BsafeAndroidSamples
2. Run the Gradle wrapper task in the BsafeAndroidSamples project to create
the Gradle wrapper:
    gradle wrapper --gradle-version=version [--gradle-distribution-url=url]
Where:
version is the installed version of Gradle.
url is optional, provided where Gradle is already downloaded, in the
format file://full_path/gradle-distribution-zipfile.
If not specified, the wrapper task downloads a new Gradle distribution.
3. Install and run the samples application on the attached device:
For a system running a Unix-like operating system:
    ./gradlew installvariantSamplesRelease
/