Query - Does JSSE library implement the Ciphers or Algorithms of a SSL protocol ?

Ayaskant Swain ayaskant.swain at gmail.com
Fri Jun 3 05:09:33 UTC 2016


Hi Brad,

Thanks for sending me the link. I had just started going through the JCA
document but did not finish reading the doc when I asked my original
question :-). I will go through these docs in detail.

I saw this line *"Cryptographic implementations in the JDK are distributed
through several different providers ("Sun", "SunJSSE", "SunJCE",
"SunRsaSign")"* in this doc -
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html.
This is a good piece of information.

So, I am able to understand the JCA mechanism better now.

Thanks all for your replies.

I am now done with my queries.

Ayaskant


On Thu, Jun 2, 2016 at 11:06 PM, Bradford Wetmore <
bradford.wetmore at oracle.com> wrote:

> > So is *jsse.jar* the default security provider for Java? Can you also
> > give some examples of other security providers?
> >
> > Is it the security providers who actually implement the underlying
> > Ciphers or cryptographic Algorithms?
>
> There are many Oracle providers that provide different algorithms.
>
> I think you may not have grasped the Provider-based mechanism yet. Please
> see the documentation:
>
>     http://docs.oracle.com/javase/8/docs/technotes/guides/security/
>
> Specifically:
>
>     Java Cryptography Architecture (JCA) Reference Guide
>         specifically the "Cryptographic Service Providers" section.
>     Standard Algorithm Names
>     Oracle Providers
>
> Brad
>
>
>
>
>> Thanks
>> Ayas
>>
>> On Thu, Jun 2, 2016 at 12:13 AM, Bradford Wetmore
>> <bradford.wetmore at oracle.com> wrote:
>>
>>     Hopefully this makes it clear.
>>
>>     For JSSE, javax.net/javax.net.ssl
>>     (in rt.jar) contains the APIs which call into JSSE providers.
>>     sun.security.ssl (contained in jsse.jar) is one such provider.  The
>>     JSSE implementation contains routines specific to TLS, but
>>     eventually calls into JCA/JCE for specific crypto algorithms (e.g.
>>     RSA/AES/SHA/DH/ECDH/etc).  The JCA/JCE framework consults its list
>>     of installed providers, and finds the first available implementation
>>     of whatever is needed.  If it can't find something, that ciphersuite
>>     has to be disabled.
>>
>>     Going back to the followup question, on JDK 6, if JCA/JCE can't find
>>     a registered ECC provider, then it must disable the ECC-based
>>     suites.  As Sean said, Solaris has ECC through PKCS11, so OOTB
>>     ECC-based suites should work on JDK 6 if you're on Solaris.  If on
>>     something else, you need to install an ECC provider to get ECC-based
>>     suite.
>>
>>     Brad
>>
>>
>>
>>
>>     On 6/1/2016 1:06 AM, Ayaskant Swain wrote:
>>
>>         Hi All,
>>
>>         My question was not specific to those two cipher suites that I had
>>         pasted in my query. I had just pasted them as examples. Rather my
>>         question was generic.
>>
>>         I want to know which library or packages in JDK implement the
>>         Algorithms/Ciphers that are used for SSL communication?
>>
>>         If Java provides the implementation of those cryptographic Algos
>>         through the *java.security, java.net.ssl & javax.crypto* packages
>>         then what is the role of the *jsse.jar* library that ships in as
>>         part of the *JAVA_HOME/jre/lib* directory?
>>
>>         I could clearly see the *jsse.jar* has classes like
>>         *Handshaker.class, SSLContextImpl.class, HandShakeMessage.class*
>>         inside the sun.security.ssl package which do the actual SSL
>>         Handshake. There are many more classes inside this package.
>>
>>         So wanted clarification on this.
>>
>>         Thanks
>>         Ayas
>>
>>         On Wed, Jun 1, 2016 at 1:22 PM, Seán Coffey
>>         <sean.coffey at oracle.com> wrote:
>>
>>
>>             On 01/06/2016 03:42, Jim Manico wrote:
>>
>>
>>                 I think this is the right answer.
>>
>>                 From
>>
>>
>> https://stackoverflow.com/questions/27323858/java-6-ecdhe-cipher-suite-support
>>
>>                 The SSL/TLS implementation "JSSE" in Java 1.6 and later
>>                 supports ECDHE suites *IF there is an available (JCE)
>>                 provider* for needed ECC primitives. *Java 1.6 OOTB does
>>                 NOT* include such an ECC provider, but you can add one.
>>                 *Java 7 and 8 do* include SunECC provider.
>>
>>             I don't believe Ayaskant's query was specific to ECC. In any
>>             case, the above answer isn't accurate. ECC support is available
>>             OOTB in JDK 6 for Solaris. It's provided via the SunPKCS11
>>             provider. SunEC provider was added in JDK 7:
>>
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC
>>
>>             regards,
>>             Sean.
>>
>>
>>                 - Jim
>>
>>
>>                 On 5/29/16 8:02 PM, Ayaskant Swain wrote:
>>
>>                     Hi,
>>
>>                     Can anyone please help me know about this - Does JSSE
>>                     library implement the Ciphers or Algorithms of a SSL
>>                     protocol? I see the jsse.jar library shipped with the
>>                     JDK. I read the Oracle document about JSSE -
>>
>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Introduction
>>
>>                     So my question is - does the JSSE implement the
>>                     Ciphers or Algorithms that are used for a successful
>>                     SSL handshake, server authentication, data integrity &
>>                     data confidentiality (Application data encryption).
>>
>>                     Example of cipher suites -
>>                     *TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256* or
>>                     *TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
>>
>>                     So has the coding of the above ciphers been done in
>>                     the JSSE library?
>>
>>                     Thanks
>>                     Ayaskant
>>                     Bangalore
>>
>>
>>
>>
>>
>>
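
The provider lookup discussed in this thread can be observed directly on a running JDK. The following is an added example, not part of the original messages or of the JDK sources: it lists the installed providers in search order, asks JCA/JCE which provider answers first for each primitive, and checks whether the default JSSE context offers the suite. The class name `ProviderLookup` and the list of primitives (what the suite name implies, by standard algorithm name) are assumptions for illustration; it needs Java 8 or later.

```java
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.net.ssl.SSLContext;

public class ProviderLookup {
    interface Lookup { Provider find() throws GeneralSecurityException; }

    // Ask JCA/JCE for an algorithm; return the name of the first provider that supplies it.
    static String resolve(Lookup l) {
        try {
            return l.find().getName();
        } catch (GeneralSecurityException e) {
            return null; // no installed provider implements it
        }
    }

    public static void main(String[] args) throws Exception {
        // Installed providers in preference order; lookups walk this list top-down.
        for (Provider p : Security.getProviders())
            System.out.println("installed: " + p.getName() + " - " + p.getInfo());

        // Assumed primitives behind TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
        Map<String, Lookup> needed = new LinkedHashMap<>();
        needed.put("KeyPairGenerator EC", () -> KeyPairGenerator.getInstance("EC").getProvider());
        needed.put("KeyAgreement ECDH", () -> KeyAgreement.getInstance("ECDH").getProvider());
        needed.put("Signature SHA256withRSA", () -> Signature.getInstance("SHA256withRSA").getProvider());
        needed.put("Cipher AES/GCM/NoPadding", () -> Cipher.getInstance("AES/GCM/NoPadding").getProvider());
        needed.put("MessageDigest SHA-256", () -> MessageDigest.getInstance("SHA-256").getProvider());

        boolean allFound = true;
        for (Map.Entry<String, Lookup> e : needed.entrySet()) {
            String name = resolve(e.getValue());
            allFound &= name != null;
            System.out.println(e.getKey() + " -> " + (name == null ? "NOT AVAILABLE" : name));
        }

        // The JSSE provider behind the default context and the suites it reports as supported.
        SSLContext ctx = SSLContext.getDefault();
        List<String> suites = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        String suite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        System.out.println("JSSE provider: " + ctx.getProvider().getName());
        System.out.println(suite + " supported: " + suites.contains(suite)
                + ", all primitives found: " + allFound);
    }
}
```

On a runtime with no registered EC provider, the EC and ECDH lookups print NOT AVAILABLE, which is the condition under which the thread says the ECC-based suites are disabled.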


More information about the security-dev mailing list