Review Request: loading JCE providers using ServiceLoader
Sean Mullan
sean.mullan at oracle.com
Tue Jul 24 10:29:20 PDT 2012
On 7/23/12 9:39 AM, mark.reinhold at oracle.com wrote:
> 2012/7/22 13:20 -0700, sean.mullan at oracle.com:
>> On 7/22/12 10:09 AM, Alan Bateman wrote:
>>> If so then it's a minor that we need to
>>> re-visit the issue of configured preferred order. If we did that then
>>> maybe it could be used in class path mode, assuming we could work out a
>>> migration from the existing java.security list.
>>
>> Actually, the preference order in the java.security file is preserved in either
>> classpath or module mode, since this order is enforced in the provider code
>> (sun.security.jca.ProviderList). It uses the ServiceLoader to find the Provider,
>> but ignores the order.
>
> So what happens if a provider is available as a service but isn't
> mentioned in the java.security file? Is it ignored?
Yes -- if the application is using the 1-argument getInstance method or
the 2-argument getInstance method that takes the Provider as a String, ex:

    MessageDigest.getInstance("SHA-256");
    MessageDigest.getInstance("SHA-256", "Sun");

These methods call the Security.getProviders() method to find an
appropriate provider from the list of registered providers. Additional
Providers can be registered by calling the Security.addProvider method.
But nothing in that API explicitly mentions creating providers from
information in the java.security file, so AFAICT, that part is an
implementation detail.

It's plausible we should automatically add all the Providers available
as services to the list of registered providers.

However, the one problematic provider with respect to services is the
SunPKCS11 provider. This requires a configuration file as input, and
that can only be specified by configuring the java.security file, or by
instantiating the provider directly with an additional config file
parameter:

    Provider p = new sun.security.pkcs11.SunPKCS11(configName);

--Sean
More information about the jigsaw-dev mailing list
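The distinction drawn in the message above, between providers that are registered (and therefore ordered) and providers that are merely discoverable as services, can be audited on a running JVM. This is an added example, not code from the e-mail or from the JDK; the class name ProviderAudit is hypothetical, and it assumes JDK 9 or later, where providers outside java.base are published as ServiceLoader services.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashSet;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;
import java.util.Set;

// Hypothetical audit class (added example).
public class ProviderAudit {
    public static void main(String[] args) throws Exception {
        String alg = args.length > 0 ? args[0] : "SHA-256";

        // Registered providers in preference order; position 1 is consulted first.
        Set<String> registered = new LinkedHashSet<>();
        String firstMatch = null;
        int pos = 1;
        for (Provider p : Security.getProviders()) {
            boolean offers = p.getService("MessageDigest", alg) != null;
            if (offers && firstMatch == null) firstMatch = p.getName();
            registered.add(p.getName());
            System.out.printf("registered #%d: %-12s offers %s: %b%n",
                    pos++, p.getName(), alg, offers);
        }

        // The 1-argument getInstance only walks the registered list, so the
        // provider it returns should be the first registered one offering alg.
        String chosen = MessageDigest.getInstance(alg).getProvider().getName();
        System.out.printf("getInstance(\"%s\") -> %s (first registered match: %s)%n",
                alg, chosen, firstMatch);

        // Providers visible as services. Discovery order carries no preference,
        // and a provider found here but not registered is never selected by
        // getInstance(alg) or getInstance(alg, "name").
        try {
            for (Provider p : ServiceLoader.load(Provider.class,
                    ClassLoader.getSystemClassLoader())) {
                if (!registered.contains(p.getName())) {
                    System.out.printf("service only, NOT registered: %s (%s)%n",
                            p.getName(), p.getClass().getName());
                }
            }
        } catch (ServiceConfigurationError e) {
            // A provider that cannot be instantiated ends discovery here.
            System.out.println("provider service failed to load: " + e.getMessage());
        }
    }
}
```

A "service only" line means a provider JAR is present but inactive for name-based lookups; it becomes reachable only through Security.addProvider or the getInstance overload that takes a Provider object.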