IBMJCE and SUNJCE
843811Aug 11 2005 — edited Aug 12 2005I'm sending a SecretKey object using applet-servlet communications. This worked as long as the app-server was using Sun's JCE classes. Recently we started adding support for servers on AIX, which uses the ibmjceprovider.jar.
Due to this, the AIX server can no longer call readObject on the applet input stream - I get
'java.lang.ClassNotFoundException: com.sun.crypto.provider.DESedeKey'
Because the SecretKey was one of the fields of the object I'm sending over and is created using the Sun classes (because they're running the browser from a windows PC)
I've got two possible solutions, one seems more likely to work than the other, just trying to find out if there's other ways for me to handle this that I haven't thought of.
Solution 1: Rather than including a SecretKey as a field of the object we're sending, I need to extract the keys bytes and keep those as a field of the object, then reconstitute the key on the server side (presumably using the IBM classes.) I'm unsure of how much this compromises security (if the bytes are read off the wire, cant someone re-constitute the key themselves?)
Solution 2: and I'm not even sure if this is possible. I currently just declare the field as a SecretKey. Can I declare the field as some super class which either Sun's or IBM's could cast easily and avoid the problem?
thanks for any help,
Tom