How Provider Implementations Are Requested and Supplied

For each engine class in the API, a particular implementation is requested and instantiated by calling a getInstance method on the engine class and by specifying the name of the desired algorithm and, optionally, the name of the provider (or the Provider class) whose implementation is desired.

If no provider is specified, getInstance searches the registered providers for an implementation of the requested cryptographic service associated with the named algorithm. In any given Java™ Virtual Machine (JVM), providers are installed in a given preference order, the order in which the provider list is searched if a specific provider is not requested. For example, suppose there are two providers installed in a JVM, PROVIDER_1 and PROVIDER_2. Assume that:
  • PROVIDER_1 implements SHA1withDSA, SHA-1, MD5, DES, and DES3.

    PROVIDER_1 has preference order 1 (the highest priority).

  • PROVIDER_2 implements SHA1withDSA, MD5withRSA, MD2withRSA, MD2, MD5, RC4, RC5, DES, and RSA.

    PROVIDER_2 has preference order 2.

Now let's look at three scenarios:
  1. If we are looking for an MD5 implementation, both providers supply such an implementation. The PROVIDER_1 implementation is returned because PROVIDER_1 has the highest priority and is searched first.
  2. If we are looking for an MD5withRSA signature algorithm, PROVIDER_1 is first searched for it. No implementation is found, so PROVIDER_2 is searched. An implementation is found and returned.
  3. Suppose we are looking for a SHA1withRSA signature algorithm. Because no installed provider implements it, a NoSuchAlgorithmException is thrown.

The getInstance methods that include a provider argument are for developers who want to specify which provider they want an algorithm from. A federal agency, for example, will want to use a provider implementation that has received federal certification. Let's assume that the SHA1withDSA implementation from PROVIDER_1 has not received such certification, while the SHA1withDSA implementation of PROVIDER_2 has received it.

A federal agency program would then have the following call, specifying PROVIDER_2 since it has the certified implementation:
Signature dsa = Signature.getInstance("SHA1withDSA", "PROVIDER_2");

In this case, if PROVIDER_2 were not installed, a NoSuchProviderException would be thrown, even if another installed provider implements the requested algorithm.

A program also has the option of getting a list of all the installed providers (using the getProviders method in the Security class) and choosing one from the list.
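
The lookup rules above can be observed on a real JVM. The following is an added example, not code from the original documentation: it lists which installed providers offer a signature algorithm in preference order, compares the default lookup with a provider-pinned lookup, and fails closed when the pinned provider is missing. The algorithm SHA256withRSA is an assumption (chosen because default JDK providers supply it), and the helper names providersFor and pinned are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

public class ProviderLookupDemo {
    // Names of installed providers offering a Signature algorithm, in preference order.
    static List<String> providersFor(String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {   // array is in preference order
            if (p.getService("Signature", algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    // Pin the provider and fail closed instead of falling back to another implementation.
    static Signature pinned(String algorithm, String requiredProvider)
            throws NoSuchAlgorithmException {
        try {
            return Signature.getInstance(algorithm, requiredProvider);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException(
                    "Required provider not installed: " + requiredProvider, e);
        }
    }

    public static void main(String[] args) throws Exception {
        String alg = "SHA256withRSA";  // assumption: supplied by the default JDK providers
        List<String> offering = providersFor(alg);
        System.out.println("Providers offering " + alg + ": " + offering);
        // No provider named: the provider list is searched in preference order.
        Signature byPreference = Signature.getInstance(alg);
        System.out.println("Default lookup: " + byPreference.getProvider().getName());
        // Provider named: only that provider is consulted (here the lowest-priority one).
        Signature fromNamed = pinned(alg, offering.get(offering.size() - 1));
        System.out.println("Pinned lookup: " + fromNamed.getProvider().getName());
        try {
            pinned(alg, "PROVIDER_2");  // the page's hypothetical provider, not installed
        } catch (IllegalStateException e) {
            System.out.println("Fail closed: " + e.getMessage());
        }
    }
}
```

Where a certified implementation is mandatory, treating NoSuchProviderException as a hard failure keeps the program from silently using a different provider's implementation of the same algorithm.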