Security provider self-integrity checking changes in JDK 9.0?
John Gray
John.Gray at entrustdatacard.com
Tue Sep 25 21:14:43 UTC 2018
Hello,
We have a couple of questions regarding JAR verification in Java 9 (and later).
We produce a Java based toolkit that contains a Security Provider. Because of this, we follow the guidance on the following page:
https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-C6054169-FE6E-4837-B2BD-382DFEB955C0
However, we have recently noticed a change between JDK 8 and JDK 9.
In JDK 8: (https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html)
Step 1.1: Additional JCA Provider Requirements and Recommendations for Encryption Implementations
When instantiating a provider's implementation (class) of a Cipher, KeyAgreement, KeyGenerator, MAC or SecretKey factory, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into JCA. Thus, one requirement for encryption providers is that they must be signed, as described in later steps.
In addition, each provider should perform self-integrity checking to ensure that the JAR file containing its code has not been manipulated in an attempt to invoke provider methods directly rather than through JCA. For further information, see How a Provider Can Do Self-Integrity Checking (https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck).
In JDK 9: (https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm)
Step 1.1: Consider Additional JCA Provider Requirements and Recommendations for Encryption Implementations
When instantiating a provider's implementation (class) of a Cipher, KeyAgreement, KeyGenerator, MAC, or SecretKey factory, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into the JCA. Thus, one requirement for encryption providers is that they must be signed, as described in later steps.
There is no mention of the self-integrity checking in this section? There doesn't seem to be an explanation as to why it was removed?
In Section 8.2, it briefly mentions self-integrity checking:
Step 8.2: Set Provider Permissions
Permissions (https://docs.oracle.com/javase/9/security/java-security-overview1.htm#GUID-7A49C00B-BEA6-4050-9E32-6168211585F7) must be granted for when applications are run while a security manager is installed. A security manager may be installed for an application either through code in the application itself or through a command-line argument.
1. Your provider may need the following permissions granted to it in the client environment:
* java.lang.RuntimePermission to get class protection domains. The provider may need to get its own protection domain in the process of doing self-integrity checking.
* java.security.SecurityPermission to set provider properties.
So we are just wondering if something has changed in JDK 9 (and later) that makes the self-integrity check by a security provider unnecessary. If it has been changed, could we get information as to what has changed and why?
Thanks so much
John Gray
Entrust Datacard
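For readers unfamiliar with the check the question refers to, the following is an added illustration (not code from the poster, Entrust Datacard, or the JDK) of the self-integrity check the JDK 8 guide describes: the provider locates its own JAR through its ProtectionDomain (the reason for the RuntimePermission mentioned in step 8.2), reads every entry from a verifying JarFile so tampered entries fail with a SecurityException, and confirms each entry was signed by the expected certificate. The class name, method names and the trusted signer certificate parameter are assumptions for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper a provider could call from its constructor or static initializer. */
public final class ProviderIntegrity {

    /** Returns true only if every non-metadata entry in the provider's own JAR is signed by trustedSigner. */
    public static boolean verifyOwnJar(Class<?> providerClass, X509Certificate trustedSigner) throws IOException {
        // Under a security manager this needs RuntimePermission("getProtectionDomain") (step 8.2).
        ProtectionDomain pd = providerClass.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) return false;      // not loaded from a JAR: refuse
        URL location = cs.getLocation();
        if (!"file".equals(location.getProtocol())) return false;      // only local JAR files handled here
        try (JarFile jar = new JarFile(new File(location.toURI()), true)) {   // verify=true enables signature checks
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Certificates are attached only after the entry has been fully read and its digest verified;
                // a modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || !signedBy(certs, trustedSigner)) return false;   // unsigned or wrong signer
            }
        } catch (URISyntaxException | SecurityException ex) {
            return false;
        }
        return true;
    }

    private static boolean signedBy(Certificate[] certs, X509Certificate trusted) {
        for (Certificate c : certs) {
            if (c.equals(trusted)) return true;   // X509Certificate.equals compares the DER encoding
        }
        return false;
    }
}
```

Note that this check runs inside the same JAR it inspects, so whoever can rewrite the JAR can also remove the check; it complements, rather than replaces, the framework-side signature verification quoted above.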