


The Pheox JCAPI (Java CryptoAPI) is a JCE (Java Cryptography Extension) provider that provides access to key- and certificate stores on Microsoft operating systems.

All cryptographic operations are performed by the native MS CAPI (Microsoft CryptoAPI) layer through installed CSPs (Cryptographic Service Providers) that support the cryptographic algorithms and functions.
The JCAPI Java classes responsible for cryptographic operations use JNI (Java Native Interface) to delegate each operation to the JCAPI DLL, which in turn uses a specific MS CAPI enabled CSP to complete the actual operation.
JCAPI is thus a JCE-compliant, lightweight mediator library that delegates all crypto-related operations to a specific CSP available in the native MS CAPI layer.

The following SPI (Service Provider Interface) classes are implemented by JCAPI:

  • javax.crypto.CipherSpi

Some of the major features are (please read the JCAPI User's Guide for a complete list of available features):

  • Add, remove, list and access X.509 certificates.
  • Add, remove, access and export RSA private keys.
  • Add, remove, access and export DSA private keys.
  • Create signatures with RSA private keys using the following algorithms:
    • SHA512withRSA
    • SHA384withRSA
    • SHA256withRSA
    • SHA1withRSA
    • MD5withRSA
    • MD4withRSA
    • MD2withRSA
    • SHAMD5withRSA
    • NONEwithRSA
  • Verify signatures with RSA public keys.
  • Create signatures with DSA private keys using the following algorithms:
    • SHA1withDSA
  • Verify signatures with DSA public keys.
  • Encrypt/decrypt data with RSA public/private keys using the following algorithm, mode and padding:
    • RSA/ECB/PKCS1Padding
    • RSA/ECB/OAEPPadding
  • Wrap and unwrap symmetric and asymmetric keys with RSA key pairs through MS CAPI and PKCS#11.
  • Encrypt and decrypt data using symmetric keys through MS CAPI. The following algorithms are supported:
    • AES
    • 3DES
    • DES
    • RC2
    • RC4
  • Create and verify message digests (hashed data) through your preferred MS CAPI CSP. The following algorithms are supported by default:
    • SHA-512
    • SHA-384
    • SHA-256
    • SHA-1
    • MD5
    • MD4
    • MD2
  • Use the PKCS#7 framework to encode and decode signed or enveloped data messages through MS CAPI.
  • Built-in support for tested PKCS#11 CSP manufacturers that are compliant with the functions required by JCAPI.
  • Dynamically add and remove PKCS#11 CSPs in JCAPI.
  • Private key call-back interface for PKCS#11 providers. You can provide your own preferred Java call-back implementation to be called whenever a private key is accessed through PKCS#11.
  • List, configure, and query MS CAPI system (certificate) stores. You can list all available system stores and configure JCAPI to use a certain system store for a specific type of certificate.
  • Use an MS CAPI system (certificate) store as an untrusted store.
  • Set and get MS CAPI friendly names for certificates.
  • Get MS CAPI friendly names for system (certificate) stores.
  • Get secure random numbers through MS CAPI, either generated through collected low level events in the operating system, or generated through hardware by third party CSP vendors.
  • Configure what system store registry location to use.
  • Get detailed information about your PKCS#11 hardware token through the JCAPI PKCS#11 information classes.
  • Create and delete MS CAPI system (certificate) stores with arbitrary names.
  • Create instances that map to one specific MS CAPI system store only. This is very handy when SSL/TLS is to be used for handling private keys and trusted certificates. The following additional key store types are supported:
    • msks-MY
    • msks-ROOT
    • msks-KEYSTORE
    • msks-TRUSTSTORE
  • List all available MS CAPI CSPs and configure which CSP JCAPI shall use for a specific cryptographic operation.
  • Configure which RSA-capable CSP JCAPI shall use. By default, JCAPI uses the following CSPs, in order of preference:
    1. Microsoft Enhanced RSA and AES Cryptographic Provider
    2. Microsoft Enhanced Cryptographic Provider v1.0
    3. Microsoft Strong Cryptographic Provider
    4. Microsoft Base Cryptographic Provider v1.0
  • Configure which DSA-capable CSP JCAPI shall use. By default, JCAPI uses the following CSPs, in order of preference:
    1. Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
    2. Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
    3. Microsoft Base DSS Cryptographic Provider
    4. Microsoft DH SChannel Cryptographic Provider
  • List and use the algorithms supported by all MS CAPI CSPs.
  • List and use the key lengths that an MS CAPI CSP supports for each algorithm.
  • Get the key usage information about each DSA/RSA private key stored in a MS CAPI system store.
  • Create a dynamic JCAPI cryptographic instance wrapped into one of the following Java Cryptography Extension (JCE) interfaces:
    • javax.crypto.Cipher
    Being able to dynamically create and wrap an arbitrary cryptographic algorithm in MS CAPI into a standardized JCE interface is an extremely powerful feature.
    It lets the programmer query MS CAPI at runtime about which algorithms can be used for encryption and decryption (symmetric/asymmetric), and for creating signatures and message digests. When a desired algorithm has been found, it can then be wrapped into a standard JCE class.
  • Full SSL/TLS support. Use JCAPI seamlessly with other SSL/TLS frameworks (JSSE etc.) with just a few lines of extra code. Using unprotected (exportable) private keys, and protected private keys stored in MS CAPI is fully supported.
  • Base64 encode & decode data.
  • JCAPI is signed with a qualified code signing certificate that is trusted by all modern web browsers, which makes it suitable for use in trusted applets.

Supported 32-bit Operating Systems:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Vista
  • Windows 7
  • Windows 8

Supported 64-bit Operating Systems:

  • Windows XP
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Vista
  • Windows 7
  • Windows 8

Supported 32-bit Java versions:

  • Java 1.4
  • Java 1.5
  • Java 6
  • Java 7

Supported 64-bit Java versions:

  • Java 1.5
  • Java 6
  • Java 7

The following hardware token CSPs are supported by default:

  • Feitian ePass - FTSafe ePass2000 RSA Cryptographic Service Provider
  • Aladdin eToken - eToken Base Cryptographic Provider
  • Telia eID - SmartTrust Cryptographic Service Provider
  • Athena ASECard - Athena ASECard Crypto CSP
  • Eutron Cryptoidentity ITSEC-I - SI_CSP
  • Eutron Cryptoidentity ITSEC-P - SafeSign CSP Version 1.0
  • Eutron Cryptoidentity Crypto 5 - AR Base Cryptographic Provider
  • SafeNet iKey 2032 - Datakey RSA CSP
  • SafeNet iKey 2032 - SafeNet RSA CSP
  • ACOS 5 - Advanced Card Systems CSP v1.5
Copyright © 2004-2018 Pheox AB