Cryptography providers conflicting with each other

Hi, I am facing problems currently where it concerns two separate integration projects in the same client company. Both projects are already live in production but Project A (live in a wM6.0.1 production machine) uses cryptix32 encryption provider while Project B (live in a wM4.6 production machine but in the midst of migrating to the wM6.0.1 production machine housing Project A as well) uses OpenPGP encryption provider also from cryptix.

The problem is that I’ve tested and found that once I’ve added the security provider line in java.security file to cater for Project A’s encryption requirements, Project B’s encryption provider will not work unless that particular line is removed using removeProvider. We have tested and found that both will work if we add the provider line and remove it at the end of each project’s encrypt/decrypt java code, but I wonder if that’s the right way to do it? Also Project B’s OpenPGP encryption provider from Cryptix will only work provided it is in the specific order when added to the java.security file.

If you have control of the calls to the encryption code, your best bet is to explicitly request the provider required. e.g. Signature sig = Signature.getInstance("SHA1", "YourProvider");

Switching out the providers is not thread-safe. Two threads that execute services in each of the projects will have very bad results.

It looks like your code already has the explicit calls to retrieve the vendor specific implementation e.g. Cipher alg = Cipher.getInstance("DES-EDE3/ECB/PKCS5", "Cryptix");

Given that this is being done, there is no reason that you need to explicitly wrap the service w/ add/removal of the provider for each service invocation.

The best approach for you would be to register a startup/shutdown service for each package that explicitly registers the provider that package requires.

If you still run into errors then the most reasonable explanation is that the PGPArmouredMessage (and other classes for PGP functionality) are making assumptions about which provider they’re using. For example the code inside of the library may do something like:

MyPGPCipher cipher = (MyPGPCipher) Cipher.getInstance("RSA");
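
An added example, not code from any of the posts above: the register-once-at-startup and explicit-provider approach the replies recommend, shown with two providers that claim the same algorithm name. The providers ProjA and ProjB, the algorithm DEMO and the toy digest classes are constructed stand-ins for the two Cryptix providers so the program runs without the Cryptix jars (assumes Java 9 or later).

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

public class ProviderPinning {
    // Constructed toy digests: each returns one marker byte naming its provider.
    public static class DigestA extends MessageDigest {
        public DigestA() { super("DEMO"); }
        @Override protected void engineUpdate(byte b) { }
        @Override protected void engineUpdate(byte[] in, int off, int len) { }
        @Override protected byte[] engineDigest() { return new byte[] {'A'}; }
        @Override protected void engineReset() { }
    }
    public static class DigestB extends DigestA {
        @Override protected byte[] engineDigest() { return new byte[] {'B'}; }
    }
    // Both constructed providers claim the same algorithm name, like two Cryptix jars.
    static Provider demoProvider(String name, Class<?> impl) {
        Provider p = new Provider(name, "1.0", "constructed demo provider") { };
        p.put("MessageDigest.DEMO", impl.getName());
        return p;
    }

    // What a package startup service would do: add once, never remove per call.
    static void registerOnce(Provider p) {
        if (Security.getProvider(p.getName()) == null) Security.addProvider(p);
    }

    // Pinned lookup: the provider name is part of the request, so list order is irrelevant.
    static void check(String provider, char expected) {
        try {
            for (int i = 0; i < 10_000; i++) {
                byte[] out = MessageDigest.getInstance("DEMO", provider).digest();
                if (out[0] != expected) throw new IllegalStateException("wrong provider");
            }
            System.out.println(provider + ": every lookup served by the pinned provider");
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) throws Exception {
        registerOnce(demoProvider("ProjA", DigestA.class));
        registerOnce(demoProvider("ProjB", DigestB.class));
        // Unpinned lookup: the first provider in the JVM-wide list that offers DEMO wins.
        System.out.println("unpinned -> " + MessageDigest.getInstance("DEMO").getProvider().getName());
        Thread a = new Thread(() -> check("ProjA", 'A'));
        Thread b = new Thread(() -> check("ProjB", 'B'));
        a.start(); b.start(); a.join(); b.join();
    }
}
```

The unpinned call is the pattern that breaks when a second provider is installed or the order in java.security changes; the two threads show that pinned calls need no add/remove around each invocation.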