Signed JCE and providers jars
Bradford Wetmore
bradford.wetmore at oracle.com
Mon Feb 4 22:08:56 UTC 2019
Hi David,

On 2/4/2019 2:08 AM, David Penick wrote:
> I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve
> noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar
> files do not appear to be signed. I’m surprised they work without being
> signed, but I also haven’t been able to find anyone asking how to get
> signed versions of the Sun JCE.
>
> How can I get signed versions of the Sun JCE jars, or should I not worry
> about it, and if so, why not?

In Oracle's JDK 8 and earlier releases, the same rules still apply in
that the Oracle Framework and Providers (previously called the "Sun
Framework and Providers" in
jce.jar/sunjce_provider.jar/sunpkcs11.jar/sunmscapi.jar/etc.) must be
signed and properly verify. This signing requirement also applies to
3rd Party Provider jar files.

In Oracle's JDK 9+ releases, the Oracle Framework/Providers are now
implemented as modules (java.base/jdk.crypto.cryptoki/etc.) rather than
jar files, and are not signed.

3rd Party Providers must still be signed in order to be used in the
commercial Oracle JDK product.

3rd Party providers do not need to be signed for use with the Oracle
OpenJDK builds, which is not a commercial product.

It is up to other OpenJDK-based implementations
(AdoptOpenJDK/Azul/IBM/etc.) to determine whether 3rd Party providers
must be signed, and make the appropriate modifications to the code.

Brad
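
A structural check for whether a provider jar "appears to be signed", as an added example that is not part of the original message or of any JDK code: it looks for the signature files the JAR format puts under META-INF and lists entries that have no section in any .SF file. It does not verify digests or certificates (that is what `jarsigner -verify` does), it assumes the signer wrote per-entry sections, and the jars and names such as `com/example/Provider.class` are constructed samples.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block file types in the JAR format

def jar_signing_summary(jar_bytes):
    """Structural check only; digests and certificates are not verified."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        top_meta = [n for n in names
                    if n.upper().startswith("META-INF/") and n.count("/") == 1]
        sf_files = [n for n in top_meta if n.upper().endswith(".SF")]
        blocks = [n for n in top_meta if n.upper().endswith(SIG_BLOCK_EXT)]
        covered = set()
        for sf in sf_files:
            text = jar.read(sf).decode("utf-8", "replace").replace("\r\n", "\n")
            text = text.replace("\n ", "")  # undo manifest line continuations
            covered.update(line[6:] for line in text.split("\n")
                           if line.startswith("Name: "))
    # The manifest and the signature files themselves have no .SF section.
    skip = set(sf_files) | set(blocks)
    skip |= {n for n in top_meta if n.upper() == "META-INF/MANIFEST.MF"}
    return {
        "signed_layout": bool(sf_files and blocks),
        "signature_files": sorted(sf_files + blocks),
        "uncovered": sorted(n for n in names if n not in skip and n not in covered),
    }

def build_jar(entries):
    """Build an in-memory jar from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample input: one unsigned jar, one with a signed layout plus an
# entry added after signing. The digest and signature block are placeholders.
MANIFEST = "Manifest-Version: 1.0\n\n"
UNSIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "com/example/Provider.class": b"\xca\xfe\xba\xbe"})
SIGNED_LAYOUT_JAR = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "META-INF/EXAMPLE.SF": "Signature-Version: 1.0\n\n"
                           "Name: com/example/Provider.class\n"
                           "SHA-256-Digest: CONSTRUCTED-PLACEHOLDER\n\n",
    "META-INF/EXAMPLE.RSA": b"constructed placeholder, not a real PKCS#7 block",
    "com/example/Provider.class": b"\xca\xfe\xba\xbe",
    "com/example/Added.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    print(jar_signing_summary(UNSIGNED_JAR))
    print(jar_signing_summary(SIGNED_LAYOUT_JAR))
```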