Both Oracle (Sun) and IBM JREs use each other's certificates to verify provider signatures. So if you have a provider signed using a certificate from Sun, it will work on the IBM JRE. So yes, an IBM-rooted Java code-signing certificate exists (the CA exists; it's almost impossible to obtain the cert even if you are inside IBM), but the Sun-rooted signature is sufficient. Your cryptographic provider will work on the IBM JRE. You don't need to use any com.ibm package.
Moreover, it is possible to bypass the provider signature requirement: Java HotSpot Cryptographic Provider signature verification issue
Detailed explanation
1. Certificates
The provider certificate verification is done by internal Java 1.6 JCE classes:
- in Oracle: javax.crypto.SunJCE_b#a(X509Certificate c)
- in IBM: javax.crypto.b#a(X509Certificate c)
The CA certificates used to verify signatures are stored in class files. In the Oracle JVM they are stored as plain strings. IBM does this smarter: the certificate strings are obscured. To unobscure them, you should use this piece of code:
final class CertStringDecoder {
    // 5-byte XOR key that obscures the certificate strings in IBM's javax.crypto classes
    private static final char[] key = {0x5f, 38, 3, 111, 110};

    // XOR each input char with the key byte at its position modulo 5
    static char[] decode(final char[] input) {
        final char[] output = new char[input.length];
        for (int i = 0; i < output.length; i++) {
            output[i] = (char) (input[i] ^ key[i % 5]);
        }
        return output;
    }
}
So in IBM Java 1.6 you can find these CA code-signing certificates:
CN = JCE Code Signing CA, OU = Java Software Code Signing, O = Sun Microsystems Inc, L = Palo Alto, S = CA, C = US
CN = JCE Code Signing CA, OU = IBM Code Signing, O = IBM Corporation, C = US
CN = JCE Code Signing - Framework, OU = IBM Code Signing, O = IBM Corporation, C = US
2. Base provider classes
You should extend the java.security.Provider class. For example, com.ibm.crypto.provider.IBMJCE bundled with the IBM JRE does this. (AFAIK there is no ProviderSpi class.) You should use the javax.crypto.CipherSpi class too. For example, com.ibm.crypto.provider.DESCipher from the IBM provider does this.
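To check on a given JRE which code-signing chain a loaded provider actually carries (and compare its subject/issuer names against the JCE Code Signing CA names listed above), the following added example, which is not part of the answer or of either vendor's JCE, reads the signer certificates from the JAR that loaded each registered provider. It only reports the JAR signers; it does not replicate the JCE framework's own chain check against the embedded CA certificates.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public final class ProviderSignerCheck {

    /** Signer chain of the code source that loaded the provider class; empty if unsigned or bootstrap-loaded. */
    static Certificate[] signersOf(Provider p) {
        if (p.getClass().getProtectionDomain() == null) {
            return new Certificate[0];
        }
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null || cs.getCertificates() == null) {
            return new Certificate[0];   // bootstrap classes (e.g. rt.jar) report no code source
        }
        return cs.getCertificates();
    }

    /** True if any signer in the chain was issued by a "JCE Code Signing" CA (Sun or IBM rooted). */
    static boolean signedByJceCodeSigningCa(Certificate[] chain) {
        for (Certificate c : chain) {
            if (c instanceof X509Certificate) {
                String issuer = ((X509Certificate) c).getIssuerX500Principal().getName();
                if (issuer.contains("JCE Code Signing")) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            Certificate[] chain = signersOf(p);
            System.out.println(p.getName() + " " + p.getVersion()
                    + " jceSigned=" + signedByJceCodeSigningCa(chain));
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer : " + x.getIssuerX500Principal());
                }
            }
        }
    }
}
```

Run it with a third-party provider JAR on the classpath (or registered in java.security) to see whether the provider's chain terminates at the Sun or the IBM JCE Code Signing CA; providers loaded by the bootstrap loader show no chain at all.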