Using a specific Security Provider in Java

Question

I'm currently writing a small Android Library which should enable secure communication with a remote JavaEE Server. It will use HttpsURLConnection and will call a specific servlet on the server side (because i only suply the android library i don't know the server side implementation). This communication should be as secure as possible (nothing will ever be 100% secure). Therefore I don't want to fully rely on protocol negotiation between server and client - just hoping they will choose a current TLS Version. If the server doesn't support a secure protocol the connection should not be possible (e.g. I don't want to support SSL3.0 or lower).

I know that i can define a cipher suite by writing an own SSLSocketFactory. But it would also be nice to know which security provider the application will choose (to know if the communication of my app is affected by a provider-specific security issue). It is definitely possible to add a new provider.

But is there also a way to force java to only use a provider xy of my choice (other than bouncy castle or sun)? Maybe a own implemented provider for OpenSSL?

Update: i found the following statement in oracles provider documentation:

"A program may simply request a particular type of object (such as a Signature object) implementing a particular service (such as the DSA signature algorithm) and get an implementation from one of the installed providers. If desired, a program may instead request an implementation from a specific provider."

and the following example:

 md = MessageDigest.getInstance("MD5", "ProviderC");

So it is possible to define which provider should be used for MessageDigest. But is there the same option for HttpsURLConnection functionality?

Edit: After even more research I found that in Security it is possible to add a provider at a specific position.

public static int insertProviderAt(myProvider, position)

Will it be sufficient for my purpose to add my own provider at the first position?

Answer 1

After many hours of research I finally know how to set which provider should be prefered. In the Provider Documentation of Oracle it is mentioned in the section about Installing Providers:

security.provider.n=masterClassName

This declares a provider, and specifies its preference order n. The preference order is the order in which providers are searched for requested algorithms (when no specific provider is requested). The order is 1-based: 1 is the most preferred, followed by 2, and so on."

Anyway for myself i decided to not implement and register my own provider. It is a hell lot of overhead, really. I guess I will go by securing a socket manually in c++ with OpenSSL or something.

Links you may also find helpfull:

• JuiCE Apache OpenSSL JCE Provider (retired in 2007). You should definitely NOT use their implementation, it is absolutely out of date. But looking at the code will make clear how much work implementing an own provider is. Anyway you would also need a JSSE Provider.

• Sun Provider Source Code, may give you an idea how SUN integrates the crypto functionality (JCE and JSSE Provider)

• OWASP Tutorial for using JSSE - Java Secure Socket Extension. Which shows how to use a provider.

• JSSE Reference Guide with even more usefull information

Edit: You can only be sure that YOUR provider is used if you implement all requested services (or engines) you need in your application. If you make a call for a functionality that is not offered by your service provider java will choose the next available (according to implicit pereference order) service provider which offers the service (and you probably won't notice it).