
IAIK-JCE 5.5 released!


We have released version 5.5 of our IAIK-JCE crypto toolkit!

Version 5.5 fixes a signature algorithm name incompatibility in the JSSE algorithm constraint checking of JDK 8u141 and (possibly) later releases. When checking the SignatureAlgorithms extension during a TLS 1.2 handshake, JSSE expects the getSigAlgName method of the server X509Certificate object to return the certificate signature algorithm name as a JCA standard name. However, for RSA PKCS#1v1.5 signature algorithms the JCA standard naming scheme has changed from the original "<HASH>/RSA" (e.g. "SHA256/RSA") to "<HASH>withRSA" (e.g. "SHA256withRSA"). For backwards compatibility IAIK-JCE had to keep the original notation for the getImplementationName() method of its AlgorithmID class. Since X509Certificate.getSigAlgName() calls AlgorithmID.getImplementationName(), JSSE receives the signature algorithm name in the original "<HASH>/RSA" notation when IAIK is installed as the first provider, whereas JSSE expects the "<HASH>withRSA" notation. This can cause a TLS handshake to fail with an "Algorithm constraints check failed on signature algorithm: SHA256/RSA" CertPathValidatorException.

For that reason IAIK-JCE 5.5 introduces a new method getJCAStandardName in class AlgorithmID and now uses this method to return the signature algorithm name from method getSigAlgName of its X509Certificate and X509CRL classes. This fixes the JSSE naming incompatibility while still allowing applications to use the accustomed original RSA PKCS#1v1.5 signature algorithm name notation when calling AlgorithmID.getImplementationName(). Oracle is also aware of this issue and will fix it in future JRE versions by changing back to provider-independent algorithm constraints checking.
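A small diagnostic for the situation described above, added here as an example (it is not IAIK code and not part of the original announcement): it loads a certificate, reports what getSigAlgName() returns, and tells whether that name is in the "<HASH>withRSA" form JSSE compares against or the legacy "<HASH>/RSA" form. The IAIK provider class name iaik.security.provider.IAIK is an assumption; the PEM file path on the command line is your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SigAlgNameCheck {

    // Legacy IAIK notation "<HASH>/RSA" (e.g. "SHA256/RSA"); JSSE expects "<HASH>withRSA".
    private static final Pattern LEGACY_RSA = Pattern.compile("^([A-Za-z0-9-]+)/RSA$");

    /** Map the legacy "<HASH>/RSA" name to the JCA standard "<HASH>withRSA"; other names pass through. */
    static String toJcaStandardName(String sigAlgName) {
        Matcher m = LEGACY_RSA.matcher(sigAlgName);
        return m.matches() ? m.group(1) + "withRSA" : sigAlgName;
    }

    /** True if the name is already in the form the JSSE algorithm constraints check uses. */
    static boolean isJcaStandardName(String sigAlgName) {
        return !LEGACY_RSA.matcher(sigAlgName).matches();
    }

    public static void main(String[] args) throws Exception {
        // Assumed provider class name. Installing IAIK at position 1 makes CertificateFactory
        // hand back the IAIK certificate object, which is what JSSE sees in the failing setup.
        if (args.length > 1 && args[1].equals("--iaik-first")) {
            Security.insertProviderAt(new iaik.security.provider.IAIK(), 1);
        }
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
            String name = cert.getSigAlgName();
            System.out.println("getSigAlgName(): " + name + " (OID " + cert.getSigAlgOID() + ")");
            if (isJcaStandardName(name)) {
                System.out.println("JCA standard name: JSSE constraint check will compare as expected");
            } else {
                System.out.println("Legacy notation: JSSE would compare \"" + name
                        + "\" instead of \"" + toJcaStandardName(name)
                        + "\"; update to IAIK-JCE 5.5 or later");
            }
        }
    }
}
```

Run it once with the JDK providers only and once with --iaik-first to see which notation each provider order produces for the same certificate.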

Furthermore, IAIK-JCE 5.5 implements SHA-3 based signature and HMAC algorithms and adds support throughout the toolkit for using the IAIK provider without having to install it within the JCA/JCE Security framework.

See the IAIK-JCE product page for a detailed list of changes, fixes and new features, and visit our download center to get the new version.

Kind regards,
Your SIC/IAIK Java Security Team!
