Using Bouncy Castle for TLS 1.2 on Java ME 3.2

Using Bouncy Castle for TLS 1.2 on Java ME 3.2

James Bewley
Hello all,

I have a project using a cellular module running Java ME 3.2 (Cinterion / Thales).  I'm investigating options for securing client / server comms using TLS 1.2 with some certificate validation.

I'm a bit confused by all the different options available for download and probably need to learn a bit more about the modular structure of Bouncy Castle.  Fortunately there is only one package available for Java ME, so I have downloaded that and tried to compile it.

Unfortunately, it doesn't compile because it requires newer language features (error: generics are not supported in -source 1.3).

So I have some questions.
* Does the Java ME version only support the latest version (Java ME 8.0)?
* Is what I am trying to do with Bouncy Castle and Java ME 3.2 feasible?
* Is there another version of Bouncy Castle that might provide TLS for Java ME 3.2 (JDK 1.3)?
* Are security patches always going to be available for older releases?

Many thanks for your help,
James

Re: Using Bouncy Castle for TLS 1.2 on Java ME 3.2

David Hook-3

For ME 3.2 I'd recommend trying to backport the JDK 1.4 version of the
TLS API. I think that might actually work out, there's no JSSE code in
there, anything else you need you can probably pull from the JDK 1.3 build.

Would you email me off-list what errors you saw as well though, the J2ME
build is a bit on the rickety side, while it does get tested, it sounds
like a rogue source file may have snuck into the distribution, although
I'm not sure how - it gets compiled using Java 1.2! It sounds an awful
lot like one of the filters is wrong.

In answer to the question about security patches, you can get older
releases patched if you have a BC support contract through Crypto
Workshop, the end-of-life policy is 5 years after the end of the year in
which the release was done, although it's possible if absolutely
necessary to go back further. I suspect what you're really asking is do
we have something like an LTS release. The answer to that at the moment
is no, but it is something we're exploring and probably moving towards.
We haven't quite got the resources to do that yet, but we're slowly
getting there.

Regards,

David

On 25/3/21 9:52 pm, James Bewley wrote:

> Hello all,
>
> I have a project using a cellular module running Java ME 3.2
> (Cinterion / Thales).  I'm investigating options for securing client /
> server comms using TLS 1.2 with some certificate validation.
>
> I'm a bit confused by all the different options available for download
> and probably need to learn a bit more about the modular structure of
> Bouncy Castle.  Fortunately there is only one package available for
> Java ME, so I have downloaded that and tried to compile it.
>
> Unfortunately, it doesn't compile because it requires newer language
> features (error: generics are not supported in -source 1.3).
>
> So I have some questions.
> * Does the Java ME version only support the latest version (Java ME 8.0)?
> * Is what I am trying to do with Bouncy Castle and Java ME 3.2 feasible?
> * Is there another version of Bouncy Castle that might provide TLS for
> Java ME 3.2 (JDK 1.3)?
> * Are security patches always going to be available for older releases?
>
> Many thanks for your help,
> James
>


Re: Using Bouncy Castle for TLS 1.2 on Java ME 3.2

James Bewley
Hi David,

Thank you for your help.  I had compilation errors trying to compile the source but I think I've now got a TLS client compiling using bctls-jdk14-168.jar.

The client is using DefaultTlsClient and I think the only thing stopping it working is the requirement for java.security.SecureRandom which I don't think is available in Java ME 3.2.

Regards,
James


On Thu, 25 Mar 2021 at 19:44, David Hook <[hidden email]> wrote:

> For ME 3.2 I'd recommend trying to backport the JDK 1.4 version of the
> TLS API. I think that might actually work out, there's no JSSE code in
> there, anything else you need you can probably pull from the JDK 1.3 build.
>
> Would you email me off-list what errors you saw as well though, the J2ME
> build is a bit on the rickety side, while it does get tested, it sounds
> like a rogue source file may have snuck into the distribution, although
> I'm not sure how - it gets compiled using Java 1.2! It sounds an awful
> lot like one of the filters is wrong.
>
> In answer to the question about security patches, you can get older
> releases patched if you have a BC support contract through Crypto
> Workshop, the end-of-life policy is 5 years after the end of the year in
> which the release was done, although it's possible if absolutely
> necessary to go back further. I suspect what you're really asking is do
> we have something like an LTS release. The answer to that at the moment
> is no, but it is something we're exploring and probably moving towards.
> We haven't quite got the resources to do that yet, but we're slowly
> getting there.
>
> Regards,
>
> David


Re: Using Bouncy Castle for TLS 1.2 on Java ME 3.2

David Hook-3
Good to hear.

There's a version of this class in the J2ME distribution - usually we've compiled everything including it and then used an obfuscator to change the name of the class.

Regards,

David

On 27/3/21 5:26 am, James Bewley wrote:

> Hi David,
>
> Thank you for your help.  I had compilation errors trying to compile the source but I think I've now got a TLS client compiling using bctls-jdk14-168.jar.
>
> The client is using DefaultTlsClient and I think the only thing stopping it working is the requirement for java.security.SecureRandom which I don't think is available in Java ME 3.2.
>
> Regards,
> James


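An added example, not part of the original thread and not Bouncy Castle project code: a `DefaultTlsClient` subclass, written without generics or annotations, that offers only TLS 1.2 and validates the server against a pinned SHA-256 hash of its leaf certificate. The class name `PinnedTls12Client`, the `connect` helper and the pin value are hypothetical, and the code assumes a `java.security.SecureRandom` class is on the classpath, as discussed in the thread, and is properly seeded on the device.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.SecureRandom; // assumed available on the classpath (see the thread)
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.tls.*;     // DefaultTlsClient, TlsAuthentication, TlsClientProtocol, ...
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.bouncycastle.util.Arrays;

// Hypothetical class name; no generics or annotations, so it compiles with -source 1.3.
public class PinnedTls12Client extends DefaultTlsClient {
    private final byte[] pinnedSha256; // SHA-256 of the server's DER-encoded leaf certificate

    public PinnedTls12Client(SecureRandom random, byte[] pinnedSha256) {
        super(new BcTlsCrypto(random));
        this.pinnedSha256 = pinnedSha256;
    }
    // Offer TLS 1.2 only, so the handshake fails instead of negotiating a lower version.
    protected ProtocolVersion[] getSupportedVersions() {
        return ProtocolVersion.TLSv12.only();
    }
    public TlsAuthentication getAuthentication() throws IOException {
        return new TlsAuthentication() {
            public void notifyServerCertificate(TlsServerCertificate sc) throws IOException {
                if (sc == null || sc.getCertificate() == null || sc.getCertificate().isEmpty()) {
                    throw new TlsFatalAlert(AlertDescription.bad_certificate);
                }
                byte[] der = sc.getCertificate().getCertificateAt(0).getEncoded();
                SHA256Digest digest = new SHA256Digest();
                byte[] hash = new byte[digest.getDigestSize()];
                digest.update(der, 0, der.length);
                digest.doFinal(hash, 0);
                // Abort the handshake unless the presented leaf matches the pin.
                if (!Arrays.constantTimeAreEqual(pinnedSha256, hash)) {
                    throw new TlsFatalAlert(AlertDescription.bad_certificate);
                }
            }
            public TlsCredentials getClientCredentials(CertificateRequest request) {
                return null; // this client does not authenticate with a certificate
            }
        };
    }
    // Runs the handshake over streams the caller has already opened to the server.
    public static TlsClientProtocol connect(InputStream in, OutputStream out,
                                            SecureRandom random, byte[] pin) throws IOException {
        TlsClientProtocol protocol = new TlsClientProtocol(in, out);
        protocol.connect(new PinnedTls12Client(random, pin));
        return protocol; // use protocol.getInputStream() / getOutputStream() for data
    }
}
```

Pinning compares the exact leaf certificate, so the pin has to be updated whenever the server certificate is renewed.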