RFR 8130302: jarsigner and keytool -providerClass needs be re-examined for modules
Wang Weijun
weijun.wang at oracle.com
Tue Jun 14 03:28:42 UTC 2016
OK, please take a review at the new version at
http://cr.openjdk.java.net/~weijun/8130302/webrev.04/
Changes from webrev.03:
1. The new option name -addprovider is used, along with the changes in Resources.java.
2. In KeyStoreUtil::loadProviderByClass, special treatment for "sun.security.pkcs11.SunPKCS11" and "com.oracle.security.crypto.UcryptoProvider".
3. In KeyStoreUtil::loadProviderByName, check if the name is already loaded, configure and add it if necessary. As I said in my previous mail, this can be useful if something like SunPKCS11 is defined inside java.base.
4. Valarie asked me to bring in a change to the OracleUcrypto provider, which allows arbitrary config file. Changes are inside java.policy and UcryptoProvider.java.
Thanks
Max
> On Jun 13, 2016, at 12:23 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
>
>
>> On Jun 12, 2016, at 11:33 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>>
>>
>>
>> On 12/06/2016 13:44, Wang Weijun wrote:
>>> I was about to send out a new webrev (CCC just approved) but noticed a behavior change.
>>>
>>> Although "-addprovider SUN" is useless it still worked when I posted webrev.03, but now it failed, because ServiceLoader.load(Provider.class) does not contain "SUN" anymore. Maybe it is inside java.base and loaded in a shortcut mode?
>>>
>> "SUN" ,"SunJCE", "SunRsaSign", and "SunJSSE" are built-in, I think Valerie has code in sun.security.jca.ProviderConfig for this. I don't recall java.base ever declaring that it `provides` these providers, except maybe via a META-INF/services configuration file for a short period from the original JCE work and the dropping the service configuration files.
>
> I think Alan is right. They were not loaded via ServiceLoader.load because of the build complexity to get multiple service config files before the module system went in jdk9.
>
> As it stands now, no provides java.security.Provider in java.base after JDK-8157489 is resolved.
>
> Mandy
More information about the security-dev
mailing list