Code review request: 6733443: JCA/JCE init does not completely reset the delayed provider selection mechanism.

Neil Richards neil.richards at ngmr.net
Mon Jul 23 21:13:45 PDT 2012


Hi all,

The PKCS11 documentation [1] describes how the selection of a security
provider implementation is (re-)performed each time any initialization
(init*) method is called on objects of the classes:
      * javax.crypto.Cipher
      * javax.crypto.KeyAgreement
      * javax.crypto.Mac
      * java.security.Signature
so that a suitable implementation is chosen for the Key object given to
these initialization methods.

This behaviour, whose description was introduced in Java 5, is entirely
sensible (from a user's point of view), I think.

However, the (Sun/Oracle/OpenJDK) implementation was not modified to
actually implement the described behaviour.

Java bug 6733443 was raised to report the discrepancy [2].

I have created a webrev [3] with suggested changes to make the
implementation conform to the described behaviour.

It also holds a testcase for the change, which has a bespoke (minimally
implemented) test-specific Provider implementation and associated
classes. These implementations contain function just sufficient for the
tests' needs, to support things to the point of initialization. All
other functions are stubbed out.

Also, the (invocation of the) tests for Cipher, KeyAgreement & Mac are
currently commented out, as they will only work when the provider is
held in a signed jar file, and I wasn't sure how to accomplish that in a
jtreg test.

However, I have successfully run all these tests using versions of the
Cipher, KeyAgreement & Mac classes which have been mildly hacked to
remove their check to JceSecurity.canUseProvider() in chooseProvider().

Please review the suggested fix and let me know your thoughts on it.

Thanks,
Neil

[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#DelayedSelect
[2] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6733443
[3] http://cr.openjdk.java.net/~ngmr/6733443/webrev.00/

-- 
Unless stated above:
IBM email: neil_richards at uk.ibm.com
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
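
The delayed selection behaviour described in the message, as an added example that is not part of the original post or its webrev: two constructed providers (`ToyA`, `ToyB`, built from the hypothetical `ToyProvider`, `ToySig` and `ToyKey` classes) register the same `Signature` algorithm, and one `Signature` object is initialized twice with keys that only different providers accept. `Signature` is used because, per the message, the Cipher, KeyAgreement and Mac cases need a signed provider jar.

```java
import java.security.*;
public class DelayedSelectDemo {
    // Constructed key type: each toy provider accepts only keys tagged with its own name.
    static final class ToyKey implements PrivateKey {
        final String tag;
        ToyKey(String tag) { this.tag = tag; }
        public String getAlgorithm() { return "TOY"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }
    // Minimal SignatureSpi: functional only up to initialization, everything else stubbed.
    static final class ToySig extends SignatureSpi {
        final String tag;
        ToySig(String tag) { this.tag = tag; }
        protected void engineInitSign(PrivateKey k) throws InvalidKeyException {
            if (!(k instanceof ToyKey) || !((ToyKey) k).tag.equals(tag))
                throw new InvalidKeyException(tag + " rejects this key");
        }
        protected void engineInitVerify(PublicKey k) throws InvalidKeyException {
            throw new InvalidKeyException("verify is stubbed");
        }
        protected void engineUpdate(byte b) {}
        protected void engineUpdate(byte[] b, int off, int len) {}
        protected byte[] engineSign() { return new byte[0]; }
        protected boolean engineVerify(byte[] sig) { return false; }
        protected void engineSetParameter(String p, Object v) {}
        protected Object engineGetParameter(String p) { return null; }
    }
    // Hypothetical provider offering Signature.TOY; the Spi is tagged with the provider name.
    static final class ToyProvider extends Provider {
        ToyProvider(String name) {
            super(name, 1.0, "constructed demo provider");
            putService(new Service(this, "Signature", "TOY", ToySig.class.getName(), null, null) {
                @Override public Object newInstance(Object p) { return new ToySig(getProvider().getName()); }
            });
        }
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new ToyProvider("ToyA"));
        Security.addProvider(new ToyProvider("ToyB"));
        Signature s = Signature.getInstance("TOY"); // no provider named: selection is delayed
        s.initSign(new ToyKey("ToyB"));             // ToyA rejects the key, so ToyB is selected
        System.out.println("first init:  " + s.getProvider().getName());
        try {
            s.initSign(new ToyKey("ToyA"));         // documented behaviour: selection is performed again
            System.out.println("second init: " + s.getProvider().getName());
        } catch (InvalidKeyException e) {
            System.out.println("second init kept the first provider: " + e.getMessage());
        }
    }
}
```

Which branch prints on the second `initSign` depends on whether the runtime performs provider selection again, which is the discrepancy the message describes.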
