The company I work for is wary of Android app development because the default cryptography library, Bouncy Castle, is not FIPS-140 certified. Nothing I can do to change their minds or policies.
I’m wondering what options I have for installing (or at least bundling) SunJCE with my app.
For one, I can’t find where I would download the latest version of this jar. I tried grabbing the jce jar from my desktop and setting it as an internal jar in my Android project and received this amusing, if ominous, message:
Attempt to include a core class (java.* or javax.*) in something other than a core library. It is likely that you have attempted to include in an application the core library (or a part thereof) from a desktop virtual machine. This will most assuredly not work. At a minimum, it jeopardizes the compatibility of your app with future versions of the platform. It is also often of questionable legality.
If you really intend to build a core library -- which is only appropriate as part of creating a full virtual machine distribution, as opposed to compiling an application -- then use the “--core-library” option to suppress this error message.
If you go ahead and use “--core-library” but are in fact building an application, then be forewarned that your application will still fail to build or run, at some point. Please be prepared for angry customers who find, for example, that your application ceases to function once they upgrade their operating system. You will be to blame for this problem.
If you are legitimately using some code that happens to be in a core package, then the easiest safe alternative you have is to repackage that code. That is, move the classes in question into your own package namespace. This means that they will never be in conflict with core system classes. If you find that you cannot do this, then that is an indication that the path you are on will ultimately lead to pain, suffering, grief, and lamentation.
I’m not one for pain, suffering, grief, OR lamentation, so I’d like to know the proper way to go about this task, provided it’s something I should attempt at all.
You are not going to be able to import java.* or javax.* classes, due to the compiler error you encountered. Following their instructions should work, but changing the packages for something the size of JCE may be significant, and I don’t know if the result would still qualify as FIPS-140. Plus, if JCE is implemented in pure Java, it may be slow on Android. And unless the JCE is from the GPL’d version of Java, or some other open source implementation, the licensing issue the error message hints at is relevant.
There are other FIPS-140 encryption libraries available, such as NSS, that have Java bindings, and others that you could probably write Java bindings for. It is possible you could get one of those working with the NDK to run on Android.
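An added example, not part of the original question or answer: a Java check that lists the installed JCA providers, reports which one serves an unpinned Cipher request, and pins the request to a named provider so the code fails closed when that provider is absent. The class name, REQUIRED_PROVIDER and the transformation are assumptions made for illustration; matching a provider name does not by itself establish FIPS-140 validation.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderAudit {
    // Assumption: the provider name your policy approves. "SunJCE" is present on a
    // desktop JVM; where it is not installed, the pinned request below fails closed.
    static final String REQUIRED_PROVIDER = "SunJCE";
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /** Name of the provider that serves an unpinned request (the platform default). */
    static String defaultProviderFor(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Pinned request: succeeds only if the named provider is installed and serves it. */
    static Cipher pinnedCipher(String transformation, String provider)
            throws GeneralSecurityException {
        if (Security.getProvider(provider) == null) {
            throw new NoSuchProviderException(provider + " is not installed");
        }
        Cipher cipher = Cipher.getInstance(transformation, provider);
        String actual = cipher.getProvider().getName();
        if (!provider.equals(actual)) {
            throw new GeneralSecurityException("request served by " + actual);
        }
        return cipher;
    }

    public static void main(String[] args) throws Exception {
        // Providers are listed in preference order; the first match wins when unpinned.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": " + p.getInfo());
        }
        System.out.println("Unpinned " + TRANSFORMATION + " served by "
                + defaultProviderFor(TRANSFORMATION));
        try {
            pinnedCipher(TRANSFORMATION, REQUIRED_PROVIDER);
            System.out.println("Pinned request served by " + REQUIRED_PROVIDER);
        } catch (GeneralSecurityException e) {
            // Fail closed: do not fall back to whatever provider happens to be default.
            System.out.println("Refusing to continue: " + e.getMessage());
        }
    }
}
```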