Oracle® Fusion Middleware Developing Applications with Oracle Security Developer Tools 12c (12.2.1.4.0) E95936-01 September 2019 Oracle Fusion Middleware Developing Applications with Oracle Security Developer Tools, 12c (12.2.1.4.0) E95936-01 Copyright © 2019, Oracle and/or its affiliates. All rights reserved. Primary Author: Sudhira Subudhi Contributing Authors: Gaurav Sharma This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency- specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle. Contents Preface Intended Audience xiv Documentation Accessibility xiv Related Documents xiv Conventions xv What's New in Oracle Security Developer Tools? New Features in 12c (12.2.1) xvi Updates in September 2014 Documentation Refresh for 12c (12.1.3) xvi New Features in 12c (12.1.3) xvi 1 Introduction to Oracle Security Developer Tools 1.1 About Cryptography 1-1 1.1.1 Types of Cryptographic Algorithms 1-2 1.1.1.1 About Symmetric Cryptographic Algorithms 1-2 1.1.1.2 About Asymmetric Cryptographic Algorithms 1-3 1.1.1.3 Understanding Hash Functions 1-3 1.2 About Public Key Infrastructure (PKI) 1-3 1.2.1 Understanding Key Pairs 1-4 1.2.2 About the Certificate Authority 1-4 1.2.3 What are Digital Certificates? 1-4 1.2.4 Related PKI Standards 1-4 1.2.5 Benefits of PKI 1-6 1.3 About Web Services Security 1-7 1.4 About SAML 1-7 1.4.1 Understanding SAML Assertions 1-7 1.4.2 Understanding SAML Requests and Responses 1-8 1.4.2.1 About the SAML Request and Response Cycle 1-9 1.4.2.2 About SAML Protocol Bindings and Profiles 1-10 1.4.2.3 How SAML Integrates with XML Security 1-10 1.5 About Identity Federation 1-10 iii 1.6 About Oracle Security Developer Tools 1-11 1.6.1 Understanding Toolkit Architecture 1-11 1.6.2 Tools for XML, SAML, and Web Services Security Applications 1-12 1.6.2.1 About Oracle XML Security 1-13 1.6.2.2 About Oracle SAML 1-14 1.6.2.3 About Oracle Web Services Security 1-14 1.6.2.4 About Oracle Liberty SDK 1-14 1.6.3 Tools for Public Key Cryptography (PKI) Applications 1-15 1.6.3.1 About Oracle PKI LDAP SDK 1-15 1.6.3.2 About Oracle PKI TSP SDK 1-15 1.6.3.3 About Oracle PKI OCSP SDK 1-15 1.6.3.4 About Oracle PKI CMP SDK 1-16 1.6.3.5 About Oracle XKMS 1-16 1.6.4 Tools for E-mail Security Applications 1-16 1.6.4.1 About Oracle CMS 1-17 1.6.4.2 About Oracle S/MIME 1-17 1.6.5 Tools for Low-level Cryptographic Applications 1-17 1.6.5.1 About Oracle Crypto 1-17 1.6.5.2 About Oracle Security Engine 1-18 1.6.6 Tools for Web Tokens 1-18 1.6.6.1 About Oracle JWT 1-18 1.7 About Supported Standards 1-18 1.8 Setting the CLASSPATH Environment Variable 1-19 1.8.1 Setting the CLASSPATH on Windows 1-19 1.8.2 Setting the CLASSPATH on UNIX 1-20 2 Oracle Crypto 2.1 About Oracle Crypto Features and Benefits 2-1 2.2 About the Oracle Crypto Packages 2-2 2.3 Setting Up Your Oracle Crypto Environment 2-2 2.4 Understanding and Using Core Classes and Interfaces of Oracle Crypto 2-2 2.4.1 About Oracle Crypto Key Classes 2-3 2.4.1.1 The oracle.security.crypto.core.Key Interface 2-3 2.4.1.2 The oracle.security.crypto.core.PrivateKey Interface 2-3 2.4.1.3 The oracle.security.crypto.core.PublicKey Interface 2-3 2.4.1.4 The oracle.security.crypto.core.SymmetricKey Class 2-3 2.4.2 Using the Oracle Crypto Key Generation Classes 2-3 2.4.2.1 Using the oracle.security.crypto.core.KeyPairGenerator Class 2-3 2.4.2.2 Using the oracle.security.crypto.core.SymmetricKeyGenerator Class 2-4 2.4.3 Using Oracle Crypto Cipher Classes 2-5 iv 2.4.3.1 Using Symmetric Ciphers 2-5 2.4.3.2 Using the RSA Cipher 2-6 2.4.3.3 Using Password Based Encryption (PBE) 2-6 2.4.4 Using the Oracle Crypto Signature Classes 2-7 2.4.5 Using Oracle Crypto Message Digest Classes 2-8 2.4.5.1 Using the oracle.security.crypto.core.MessageDigest Class 2-8 2.4.5.2 Using the oracle.security.crypto.core.MAC Class 2-8 2.4.6 Using the Oracle Crypto Key Agreement Class 2-9 2.4.7 Using Oracle Crypto Pseudo-Random Number Generator Classes 2-9 2.4.7.1 Using the oracle.security.crypto.core.RandomBitsSource class 2-10 2.4.7.2 Using the oracle.security.crypto.core.EntropySource class 2-10 2.5 The Oracle Crypto and Crypto FIPS Java API References 2-11 3 Oracle Security Engine 3.1 Oracle Security Engine Features and Benefits 3-1 3.2 Setting Up Your Oracle Security Engine Environment 3-2 3.3 Core Classes and Interfaces of Oracle Security Engine 3-2 3.3.1 Using the oracle.security.crypto.cert.X500RDN Class 3-3 3.3.2 Using the oracle.security.crypto.cert.X500Name Class 3-3 3.3.3 Using the oracle.security.crypto.cert.CertificateRequest Class 3-3 3.3.4 Using the java.security.cert.X509Certificate Class 3-5 3.4 The Oracle Security Engine Java API Reference 3-5 4 Oracle CMS 4.1 Oracle CMS Features and Benefits 4-1 4.1.1 Content Types in Oracle CMS 4-1 4.1.2 Differences Between Oracle CMS Implementation and RFCs 4-2 4.2 Setting Up Your Oracle CMS Environment 4-3 4.3 Understanding and Developing Applications with Oracle CMS 4-3 4.3.1 About Oracle CMS Classes 4-3 4.3.2 About CMS Object Types 4-4 4.3.3 Constructing CMS Objects using the CMS***ContentInfo Classes 4-4 4.3.3.1 Using the Abstract Base Class CMSContentInfo 4-5 4.3.3.2 Using the CMSDataContentInfo Class 4-6 4.3.3.3 Using the ESSReceipt Class 4-6 4.3.3.4 The CMSDigestedDataContentInfo Class 4-8 4.3.3.5 The CMSSignedDataContentInfo Class 4-9 4.3.3.6 Using the CMSEncryptedDataContentInfo Class 4-13 4.3.3.7 Understanding and Using the CMSEnvelopedDataContentInfo Class 4-15 v 4.3.3.8 Using the CMSAuthenticatedDataContentInfo Class 4-19 4.3.3.9 Working with Wrapped (Triple or more) CMSContentInfo Objects 4-22 4.3.4 CMS Objects using the CMS***Stream and CMS***Connector Classes 4-23 4.3.4.1 Limitations of the CMS***Stream and CMS***Connector Classes 4-23 4.3.4.2 Difference between CMS***Stream and CMS***Connector Classes 4-24 4.3.4.3 Using the CMS***OutputStream and CMS***InputStream Classes 4-24 4.3.4.4 Wrapping (Triple or more) CMS***Connector Objects 4-26 4.4 The Oracle CMS Java API Reference 4-27 5 Oracle S/MIME 5.1 Oracle S/MIME Features and Benefits 5-1 5.2 Setting Up Your Oracle S/MIME Environment 5-1 5.3 Developing Applications with Oracle S/MIME 5-2 5.3.1 Core Classes and Interfaces of Oracle S/MIME 5-2 5.3.1.1 Using the oracle.security.crypto.smime.SmimeObject Interface 5-3 5.3.1.2 Using the oracle.security.crypto.smime.SmimeSignedObject Interface 5-3 5.3.1.3 Using the oracle.security.crypto.smime.SmimeSigned Class 5-4