Query - Does JSSE library implement the Ciphers or Algorithms of a SSL protocol ?
Ayaskant Swain
ayaskant.swain at gmail.com
Fri Jun 3 05:09:33 UTC 2016
Hi Brad,
Thanks for sending me the link. I had just started going through the JCA
document but did not finish reading the doc when I asked my original
question :-). I will go through these docs in detail.
I saw this line, *"Cryptographic implementations in the JDK are distributed
through several different providers ("Sun", "SunJSSE", "SunJCE",
"SunRsaSign")"*, in this doc -
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html.
This is a good piece of information.
So, I am able to understand the JCA mechanism better now.
Thanks all for your replies.
I am now done with my queries.
Ayaskant
On Thu, Jun 2, 2016 at 11:06 PM, Bradford Wetmore <
bradford.wetmore at oracle.com> wrote:
> > So is *jsse.jar* the default security provider for Java? Can you also
> > give some examples of other security providers?
> >
> > Is it the security providers who actually implement the underlying
> > Ciphers or cryptographic Algorithms?
>
> There are many Oracle providers that provide different algorithms.
>
> I think you may not have grasped the Provider-based mechanism yet. Please
> see the documentation:
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/
>
> Specifically:
>
> Java Cryptography Architecture (JCA) Reference Guide
> specifically the "Cryptographic Service Providers" section.
> Standard Algorithm Names
> Oracle Providers
>
> Brad
>
>
>
>
>> Thanks
>> Ayas
>>
>> On Thu, Jun 2, 2016 at 12:13 AM, Bradford Wetmore
>> <bradford.wetmore at oracle.com> wrote:
>>
>> Hopefully this makes it clear.
>>
>> For JSSE, javax.net/javax.net.ssl
>> (in rt.jar) contains the APIs which call into JSSE providers.
>> sun.security.ssl (contained in jsse.jar) is one such provider. The
>> JSSE implementation contains routines specific to TLS, but
>> eventually calls into JCA/JCE for specific crypto algorithms (e.g.
>> RSA/AES/SHA/DH/ECDH/etc). The JCA/JCE framework consults its list
>> of installed providers, and finds the first available implementation
>> of whatever is needed. If it can't find something, that ciphersuite
>> has to be disabled.
>>
>> Going back to the followup question, on JDK 6, if JCA/JCE can't find
>> a registered ECC provider, then it must disable the ECC-based
>> suites. As Sean said, Solaris has ECC through PKCS11, so OOTB
>> ECC-based suites should work on JDK 6 if you're on Solaris. If on
>> something else, you need to install an ECC provider to get ECC-based
>> suites.
>>
>> Brad
>>
>>
>>
>>
>> On 6/1/2016 1:06 AM, Ayaskant Swain wrote:
>>
>> Hi All,
>>
>> My question was not specific to those two cipher suites that I had
>> pasted in my query. I had just pasted them as examples. Rather my
>> question was generic.
>>
>> I want to know which library or packages in JDK implement the
>> Algorithms/Ciphers that are used for SSL communication?
>>
>> If Java provides the implementation of those cryptographic Algos
>> through the *java.security, java.net.ssl & javax.crypto* packages
>> then what is the role of the *jsse.jar* library that ships in as
>> part of the *JAVA_HOME/jre/lib* directory?
>>
>> I could clearly see the *jsse.jar* has classes like
>> *Handshaker.class, SSLContextImpl.class, HandShakeMessage.class*
>> inside the sun.security.ssl package which do the actual SSL
>> Handshake. There are many more classes inside this package.
>>
>> So wanted clarification on this.
>>
>> Thanks
>> Ayas
>>
>> On Wed, Jun 1, 2016 at 1:22 PM, Seán Coffey
>> <sean.coffey at oracle.com> wrote:
>>
>>
>> On 01/06/2016 03:42, Jim Manico wrote:
>>
>>
>> I think this is the right answer.
>>
>> From
>>
>>
>> https://stackoverflow.com/questions/27323858/java-6-ecdhe-cipher-suite-support
>>
>> The SSL/TLS implementation "JSSE" in Java 1.6 and later supports
>> ECDHE suites *IF there is an available (JCE) provider* for needed
>> ECC primitives. *Java 1.6 OOTB does NOT* include such an ECC
>> provider, but you can add one. *Java 7 and 8 do* include SunECC
>> provider.
>>
>> I don't believe Ayaskant's query was specific to ECC. In any case,
>> the above answer isn't accurate. ECC support is available OOTB in
>> JDK 6 for Solaris. It's provided via the SunPKCS11 provider. SunEC
>> provider was added in JDK 7:
>>
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC
>>
>> regards,
>> Sean.
>>
>>
>> - Jim
>>
>>
>> On 5/29/16 8:02 PM, Ayaskant Swain wrote:
>>
>> Hi,
>>
>> Can anyone please help me know about this - Does JSSE library
>> implement the Ciphers or Algorithms of a SSL protocol? I see the
>> jsse.jar library shipped with the JDK. I read the Oracle
>> document about JSSE -
>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Introduction
>>
>> So my question is - does the JSSE implement the Ciphers or
>> Algorithms that are used for a successful SSL handshake, server
>> authentication, data integrity & data confidentiality
>> (Application data encryption).
>>
>> Example of cipher suites -
>> *TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256* or
>> *TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
>>
>> So has the coding of the above ciphers been done in the JSSE
>> library?
>>
>> Thanks
>> Ayaskant
>> Bangalore
>>
>>
>>
>>
>>
>>
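The provider lookup discussed in this thread can be observed on any installed JDK. The following is an added example, not code from the thread or from the JDK sources; the class name `ProviderLookup` and the selection of algorithms are assumptions made for illustration. It reports which registered provider serves the TLS engine and each primitive, and how many ECDHE and DHE suites the default `SSLContext` supports.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Hypothetical class name; added example, not code from the JDK or the thread.
public class ProviderLookup {

    // Name of the first installed provider offering service.algorithm,
    // or null when no registered provider implements it.
    static String firstProvider(String service, String algorithm) {
        Provider[] found = Security.getProviders(service + "." + algorithm);
        return (found == null) ? null : found[0].getName();
    }

    // Number of supported TLS cipher suites whose name contains the marker.
    static int countSuites(String marker) throws Exception {
        int n = 0;
        SSLContext ctx = SSLContext.getDefault();
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.contains(marker)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // The TLS engine is itself a service registered by a JSSE provider.
        System.out.println("SSLContext.TLS -> " + firstProvider("SSLContext", "TLS"));

        // Primitives of the kind named in the thread; an illustrative selection.
        String[][] primitives = {
            {"Cipher", "AES"}, {"MessageDigest", "SHA-256"},
            {"Signature", "SHA256withRSA"},
            {"KeyAgreement", "DiffieHellman"}, {"KeyAgreement", "ECDH"},
        };
        for (String[] p : primitives) {
            String name = firstProvider(p[0], p[1]);
            System.out.println(p[0] + "." + p[1] + " -> "
                    + (name == null ? "no provider installed" : name));
        }

        // Compare with the KeyAgreement.ECDH line above: per the thread, suites
        // whose primitives have no registered provider are disabled.
        System.out.println("ECDHE suites supported: " + countSuites("_ECDHE_"));
        System.out.println("DHE suites supported:   " + countSuites("_DHE_"));
    }
}
```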