AW: Trusted service?

Bernd Eckenfels ecki at zusammenkunft.net
Wed Aug 13 14:11:03 UTC 2014


Just a BTW: It would be really cool to have a SPI interface for that, so people who need SRP, CCM or shared secret handshakes (or stuff like NPN?) don't need to use a third party SSL engine.

-- 
http://bernd.eckenfels.net

----- Ursprüngliche Nachricht -----
Von: "Wang Weijun" <weijun.wang at oracle.com>
Gesendet: ‎13.‎08.‎2014 12:20
An: "OpenJDK Dev list" <core-libs-dev at openjdk.java.net>; "OpenJDK Dev list" <security-dev at openjdk.java.net>
Betreff: Trusted service?

Hi All

I'm working on "8038089: TLS optional support for Kerberos cipher suites needs to be re-examine" which will separate the implementation of Kerberos-related TLS ciphersuites from the other TLS codes. I am thinking of defining a ServiceLoader interface called ExternalCipherSuiteProvider inside the TLS module and implement a Krb5CipherSuiteProvider in the JGSS module. Now if the JGSS module is installed, it will be found and thus supports the TLS_KRB5_* ciphersuites.

However, it looks like any application can include an implementation and register it by adding its own $CLASSPATH/META-INF/services line. Is there anyway I can find out which is the "trusted" one? I've looked at some ServiceLoader example inside JDK and it looks like they first load an implementation specified by a system property and then do the ServiceLoader.load() loop. Is that system property meant to provide the "trusted" or "builtin" implementation? I wonder if it still works now because even if we define a system property (or security property), the implementation class will be invisible in a different module.

Thanks
Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20140813/39d4ca97/attachment.htm>


More information about the security-dev mailing list