Differences between the software JCE implementation and the hardware JCE implementation
There are few differences between the software cryptography implementations of JCE and the hardware implementation (IBMJCECCA).
One difference, described in later topics in this section, is in the required key attribute restrictions for the RSA cipher algorithm. A more important difference is in the list of supported cryptographic algorithms. The IBMJCECCA provider generally supports fewer algorithms than the other providers, due to limitations in the currently available hardware. The cryptographic operations that are provided by the IBMJCECCA provider are generally the same as for other versions of JCE providers. Therefore, an existing application can be migrated from a software JCE provider into the hardware JCE environment, IBMJCECCA. To migrate, it is only necessary to generate new key pairs for RSA, DSA, or EC with appropriate attributes (described in topics later in this section) and to change the security provider.
The security provider can be changed either by using API calls with the provider parameter or by changing the provider list to place the IBMJCECCA in a preferred position (that is, with a smaller sequence number than the software JCE provider). If you must have a software JCE provider, such as OpenJCEPlus, in the provider list in a position that is preferred to the position of the IBMJCECCA provider, you must specify the IBMJCECCA provider in the getInstance() API if you want to use it instead of the software provider. If the provider is not specified on an API call, the provider that is invoked at run time is the first one on the provider list that supports the requested algorithm and key type. This behavior could cause a software JCE provider to be used instead of the IBMJCECCA provider.
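The following check shows which provider an unqualified getInstance() call resolves to and whether IBMJCECCA offers the same algorithm when named explicitly. It is an added example, not code from the IBM documentation; the class name and the two sample algorithm names are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderResolutionCheck {   // hypothetical class name
    static final String HW = "IBMJCECCA";   // provider name as used on this page

    // Name of the provider an unqualified getInstance() call resolves to, or null.
    static String implicitProvider(String sigAlg) {
        try {
            return Signature.getInstance(sigAlg).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;   // no installed provider offers this algorithm
        }
    }

    // True only if the named provider is installed and offers the algorithm.
    static boolean availableFrom(String sigAlg, String provider) {
        try {
            Signature.getInstance(sigAlg, provider);
            return true;
        } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Provider list in preference order; position 1 is consulted first.
        Provider[] list = Security.getProviders();
        for (int i = 0; i < list.length; i++) {
            System.out.printf("%2d  %s%n", i + 1, list[i].getName());
        }
        // Sample algorithm names (assumed); use the ones your application requests.
        for (String alg : new String[] {"SHA256withRSA", "SHA256withECDSA"}) {
            String chosen = implicitProvider(alg);
            boolean hw = availableFrom(alg, HW);
            System.out.printf("%-16s implicit=%s  %s available=%b%n", alg, chosen, HW, hw);
            if (hw && !HW.equals(chosen)) {
                System.out.println("  -> unqualified call resolves to a different provider; pass \""
                        + HW + "\" to getInstance() or move it up the provider list");
            }
        }
        // OpenJDK-derived runtimes may defer the final choice for Signature and Cipher
        // until init() with a key, so re-check getProvider() after initSign()/initVerify().
    }
}
```

On a JVM without the hardware provider installed, the explicit lookup reports false for every algorithm, which is the expected result there.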
The following sections and topics describe the restrictions and features that differ between the basic software JCE providers and the hardware-assisted JCE provider (IBMJCECCA).
HMAC and PBE
The HMAC and PBE algorithms are supported in the IBMJCECCA provider by using the same APIs that are supported by software JCE providers. However, the IBMJCECCA provider supports them by using other algorithms that are implemented in the cryptographic hardware.
Reading Base64-Encoded Certificates
Certificates that are encoded with Base64 are read in and written out in the ISO8859_1 code page, not the local code page. This is done to make them compatible with the Base64-Encoded Certificates on other platforms. For this reason, an encoded certificate might not be human readable on some platforms.