JCE provider differences

This release contains the Oracle JCE provider instead of the IBM JCE provider. Differences between these implementations might require code changes to your applications.

Note: In most cases you can use the IBM OpenJCEPlus provider instead of the Oracle JCE provider. The OpenJCEPlus provider was known as the IBMJCEPlus provider in version 8 and was intended to eventually replace the IBMJCE provider.
Some IBM JCE provider functions do not have an equivalent in the Oracle providers. Equivalent functions, if available, come from multiple Oracle providers: SUN, SunJCE, SunEC, and SunRsaSign. The following table shows the distribution of functions across the various Oracle providers.
Table 1. Function distribution across Oracle providers

| Oracle provider | Functions |
|---|---|
| SUN | CertificateFactory (X.509), KeyStore (PKCS12, JKS, DKS), and MessageDigest (*) |
| SunEC | Elliptic Curve algorithms |
| SunJCE | Diffie-Hellman algorithms, KeyStore (JCEKS), KeyGenerator (*), Mac (*), and SecretKeyFactory (*) |
| SunRsaSign | RSA signature algorithms and RSA key generation using KeyFactory or KeyPairGenerator |

The following sections describe the differences between the IBM and Oracle JCE support:
Algorithms
Algorithms that are available in the IBM JCE provider might not be available, or might have different names, in the Oracle providers. For a detailed list, see Differences between IBM and Oracle JCE algorithms.
Keys
  • IBM DH KeyPairGenerator and AlgorithmParameterGenerator support key sizes between 256 and 2048 bits that are multiples of 64. The Oracle equivalents support key sizes between 512 and 2048 bits that are multiples of 64.
  • IBM DH KeyPairGenerator defaults to a key size of 1024 bits. The Oracle equivalent defaults to 2048 bits.
  • IBM DSA KeyPairGenerator defaults to a key size of 2048 bits. The Oracle equivalent defaults to 1024 bits.
  • IBM RSA KeyFactory recognizes the com.ibm.crypto.provider.restrictRSAExponent property. The corresponding Oracle RSA KeyFactory recognizes the sun.security.rsa.restrictRSAExponent property.
  • The Oracle security implementation does not support RFC5915-encoded EC private keys. The IBMJCE provider has supported these keys since IBM® SDK, Java™ Technology Edition, Version 8, service refresh 2, fix pack 10.
  • Before IBM SDK, Java Technology Edition Version 8, service refresh 1, fix pack 10, the IBM PKCS12S2 keystore type was equivalent to the Oracle PKCS12 keystore type, but the IBM PKCS12 keystore type was not. In IBM SDK, Java Technology Edition Version 8 service refresh 1, fix pack 10 and later, the IBM PKCS12 and PKCS12S2 keystore types are modified to use a shared implementation. This shared implementation is forwards and backwards compatible with older IBM and Oracle PKCS12 implementations. However, the Oracle Java 9 and later PKCS12 Keystore type is not compatible with these IBM PKCS12 and PKCS12S2 keystore types.
Ciphers
IBM RSA Cipher recognizes the com.ibm.crypto.provider.DoRSATypeChecking property. When this property is set, the runtime environment checks that RSA public keys are not used for decryption, and that RSA private keys are not used for encryption. There is no equivalent function in the Oracle security implementation.
Mask generation
IBM and Oracle implementations differ in the default mask generation function (MGF1) that is used when performing RSA OAEP operations. The Oracle implementation always uses SHA-1 whereas the IBMJCE provider uses a mask generation function that corresponds to the OAEP hash algorithm.
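The following added example (not part of the original documentation) states the OAEP hash and the MGF1 digest explicitly with an OAEPParameterSpec, so that RSA OAEP ciphertexts are interchangeable regardless of which provider's default applies. It also reports whether the running provider's default for the OAEPWithSHA-256AndMGF1Padding transformation uses MGF1 with SHA-256. The class and method names are illustrative assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepMgfPinning {
    // SHA-256 for both the OAEP hash and MGF1, stated explicitly instead of defaulted.
    static final OAEPParameterSpec SHA256_BOTH = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static byte[] pinned(int mode, KeyPair kp, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, mode == Cipher.ENCRYPT_MODE ? kp.getPublic() : kp.getPrivate(),
               SHA256_BOTH);
        return c.doFinal(in);
    }

    // Decrypts without parameters, so the provider's default MGF1 digest is used.
    static boolean defaultDecrypts(KeyPair kp, byte[] ct, byte[] expected) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            return Arrays.equals(c.doFinal(ct), expected);
        } catch (GeneralSecurityException e) {
            return false; // OAEP decoding failed: the default MGF1 digest differs
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // explicit size; generator defaults also differ by provider
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        byte[] ct = pinned(Cipher.ENCRYPT_MODE, kp, msg);
        boolean roundTrip = Arrays.equals(pinned(Cipher.DECRYPT_MODE, kp, ct), msg);
        System.out.println("Pinned parameters round trip: " + roundTrip);
        System.out.println("Provider default uses MGF1 with SHA-256: "
                + defaultDecrypts(kp, ct, msg));
    }
}
```

When the second line reports false, data encrypted by a peer that derives MGF1 from the OAEP hash cannot be decrypted with the parameterless transformation; passing the same OAEPParameterSpec on both sides removes the dependency on the provider default.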
z/OS® specifics
The IBMJCE provider has a check for z/OS systems where the configured seed source is not available, for example when ICSF is not enabled. In this situation, the provider reverts the SHA1PRNG implementation to use a software-only seeding approach. This check exists because the performance of the ThreadedSeedGenerator class in SeedGenerator.java, which is normally used when the configured seed source is not specified or cannot be used, can be poor.
Changes for 11.0.15.0: In version 8, the IBMJCE provider provided keystore functionality for all supported types of keystore. In this release, keystore functions for JCERACFKS keystore are provided by the IBMZSecurity provider; keystore functions for other types of keystore are provided by the SUN and SunJCE providers.
Hardware acceleration
The IBMJCE provider supports hardware acceleration for some ciphers, if hardware acceleration is supported on that platform. The Oracle JCE implementation does not have this support.