How to sign a custom JCE security provider

Sun’s PKCS11 JCE security provider is lacking some functionality we need.
So I wrote an enhanced version of it using the original sources.

Unfortunately the JCE infrastructure rejects the new provider
“JCE cannot authenticate the provider”
because it is not properly signed.

javax.crypto.JceSecurity.verifyProviderJar(...) throws.
(it calls javax.crypto.JarVerifier.verify())

Any suggestions how to sign the new provider to make it
work with JCE?

Answer

The process is described in the document, “How to Implement a Provider.”

It involves emailing Sun Oracle some information (including the CSR you generated for your signing key), then faxing a confirmation document. Getting your signed certificate back can take a week or more, so plan ahead.

You only need to sign your provider if it provides services that are restricted by some (repressive) governments. For example, a Cipher implementation is a restricted “service,” while MessageDigest is an unrestricted service. I assume with the message you’re getting, that you are trying to provide a restricted services.

If you provide any of these services, there’s no way around it: You need a code-signing certificate issued by Sun. (One from IBM might work too; if I recall correctly, their code-signing CA is supported, but I don’t know anything about their issuing process.)