The Architecture of Engine Classes

In the next few chapters, we’ll discuss the engine classes that are part of the core Java API and the security extensions. All engine classes share a similar architecture that we’ll discuss here.

Most programmers are only interested in using the engine classes to perform their desired operation; each engine class has a public interface that defines the operations the engine can perform. None of this is unusual: it is the basis of programming in Java.

However, the engine classes are designed so that users can employ third-party security providers (using the architecture we’ve just examined). For programmers who are interested in writing such providers, the engine classes have an additional interface called the security provider interface (SPI). The SPI is a set of abstract methods that a particular engine must implement in order to fulfill its contract of providing a particular operation.

For most cryptographic engines, the SPI is unrelated to the engine itself; the CertificateFactorySpi class extends the Object class. For historical reasons, this is not true of three engine classes: the KeyPairGeneratorSpi, MessageDigestSpi, and SignatureSpi classes each extend an engine class (the KeyPairGenerator class and so on). However, this difference in class hierarchies has no practical effect on developers.

Hence, if you want to implement a security provider, you extend the SPI of each engine that you want to provide. This allows a developer to ...
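The following Java example, added here and not taken from the book, extends one SPI, registers it through a provider, and then reaches it through the engine class's public interface. The names SpiDemo, DelegatingDigest, DemoProvider and the algorithm name DEMO-SHA256 are hypothetical, and the three-string Provider constructor assumes Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class SpiDemo {
    // Hypothetical SPI implementation. It forwards every call to the platform
    // SHA-256 so that the example contains no home-made cryptography.
    public static final class DelegatingDigest extends MessageDigestSpi {
        private final MessageDigest inner;

        public DelegatingDigest() throws NoSuchAlgorithmException {
            inner = MessageDigest.getInstance("SHA-256");
        }
        @Override protected void engineUpdate(byte b) { inner.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) {
            inner.update(in, off, len);
        }
        @Override protected byte[] engineDigest() { return inner.digest(); }
        @Override protected void engineReset() { inner.reset(); }
        @Override protected int engineGetDigestLength() { return inner.getDigestLength(); }
    }

    // Hypothetical provider: maps "<EngineClass>.<algorithm>" to the SPI class name.
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("DemoProvider", "1.0", "Added example provider (assumption)");
            put("MessageDigest.DEMO-SHA256", DelegatingDigest.class.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new DemoProvider());

        // Callers see only the engine class; the SPI object stays behind it.
        MessageDigest md = MessageDigest.getInstance("DEMO-SHA256", "DemoProvider");
        byte[] input = "abc".getBytes(StandardCharsets.UTF_8); // constructed sample input
        byte[] viaSpi = md.digest(input);
        byte[] direct = MessageDigest.getInstance("SHA-256").digest(input);

        System.out.println(md.getProvider().getName() + " matches platform SHA-256: "
                + MessageDigest.isEqual(viaSpi, direct));
    }
}
```

Passing the provider name to getInstance pins which implementation serves the request; without it, the first registered provider that offers the algorithm is used.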
