Problem description:

The company I work for is wary of Android app development because the default cryptography library, Bouncy Castle, is not FIPS-140 certified. Nothing I can do to change their minds or policies.

I'm wondering what options I have for installing (or at least bundling) SunJCE with my app.

For one, I can't find where I would download the latest version of this jar. I tried grabbing the jce jar from my desktop and setting it as an internal jar in my Android project and received this amusing, if ominous, message:

Attempt to include a core class (java.* or javax.*) in something other than a core library. It is likely that you have attempted to include in an application the core library (or a part thereof) from a desktop virtual machine. This will most assuredly not work. At a minimum, it jeopardizes the compatibility of your app with future versions of the platform. It is also often of questionable legality.

If you really intend to build a core library -- which is only appropriate as part of creating a full virtual machine distribution, as opposed to compiling an application -- then use the "--core-library" option to suppress this error message.

If you go ahead and use "--core-library" but are in fact building an application, then be forewarned that your application will still fail to build or run, at some point. Please be prepared for angry customers who find, for example, that your application ceases to function once they upgrade their operating system. You will be to blame for this problem.

If you are legitimately using some code that happens to be in a core package, then the easiest safe alternative you have is to repackage that code. That is, move the classes in question into your own package namespace. This means that they will never be in conflict with core system classes. If you find that you cannot do this, then that is an indication that the path you are on will ultimately lead to pain, suffering, grief, and lamentation.

I'm not one for pain, suffering, grief, OR lamentation, so I'd like to know the proper way to go about this task, provided it's something I should attempt at all.

Answer:

You are not going to be able to import java.* or javax.* classes, due to the compiler error you encountered. Following their instructions should work, but changing the packages for something the size of JCE may be significant, and I don't know if the result would still qualify as FIPS-140. Plus, if JCE is implemented in pure Java, it may be slow on Android. And unless the JCE is from the GPL'd version of Java, or some other open source implementation, the licensing issue the error message hints at is relevant.

There are other FIPS-140 encryption libraries available, such as NSS, that have Java bindings, and others that you could probably write Java bindings for. It is possible you could get one of those working with the NDK to run on Android.
