Signed JCE and providers jars

David Penick david at penick.net
Tue Feb 5 17:41:27 UTC 2019


Thanks Brad and Bernd!

David 

> On Feb 4, 2019, at 4:08 PM, Bradford Wetmore <bradford.wetmore at oracle.com> wrote:
> 
> Hi David,
> 
>> On 2/4/2019 2:08 AM, David Penick wrote:
>> I’ve downloaded OpenJDK builds from AdoptOpenJDK and Azul Zulu, and I’ve noticed that the jce.jar, sunjce_provider.jar and sunpkcs11.jar jar files do not appear to be signed. I’m surprised they work without being signed, but I also haven’t been able to find anyone asking how to get signed versions of the Sun JCE.
>> How can I get signed versions of the Sun JCE jars, or should I not worry about it, and if so, why not?
> 
> In Oracle's JDK 8 and earlier releases, the same rules still apply in that the Oracle Framework and Providers (previously called the "Sun Framework and Providers" in jce.jar/sunjce_provider.jar/sunpkcs11.jar/sunmscapi.jar/etc.) must be signed and properly verify.  This signing requirement also applies to 3rd Party Provider jar files.
> 
> In Oracle's JDK 9+ releases, the Oracle Framework/Providers are now implemented as modules (java.base/jdk.crypto.cryptoki/etc.) rather than jar files, and are not signed.
> 
> 3rd Party Providers must still be signed in order to be used in the commercial Oracle JDK product.
> 
> 3rd Party providers do not need to be signed for use with the Oracle OpenJDK builds, which is not a commercial product.
> 
> It is up to other OpenJDK-based implementations (AdoptOpenJDK/Azul/IBM/etc.) to determine whether 3rd Party providers must be signed, and make the appropriate modifications to the code.
> 
> Brad
> 
> 
> 
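A way to check the observation in the original question, that a jar "does not appear to be signed", added here as an example and not part of the thread: a signed JAR carries a `META-INF/<NAME>.SF` file with a matching `.RSA`/`.DSA`/`.EC` block, and its `MANIFEST.MF` lists a digest for each entry. The function names and the sample jar are constructed for illustration, and the check is structural only; `jarsigner -verify` performs the actual signature and certificate validation.

```python
import base64, hashlib, io, re, zipfile
SIG_RELATED = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def manifest_digests(text):
    """Per-entry sections of MANIFEST.MF -> {entry name: {algorithm: base64 digest}}."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold continuation lines
    found = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs:
            found[attrs["Name"]] = {k[:-7]: v for k, v in attrs.items() if k.endswith("-Digest")}
    return found

def jar_signing_status(jar_bytes):
    """Structure check only (signer = .SF plus .RSA/.DSA/.EC block); no signature validation."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        upper = {n.upper() for n in names}
        signers = sorted(n[9:-3] for n in names if re.match(r"^META-INF/[^/]+\.SF$", n, re.I)
                         and any(n.upper()[:-2] + ext in upper for ext in ("RSA", "DSA", "EC")))
        mf = "META-INF/MANIFEST.MF"
        digests = manifest_digests(jar.read(mf).decode()) if mf in names else {}
        unlisted, mismatched = [], []
        for name in names:
            if name.endswith("/") or SIG_RELATED.match(name):
                continue
            listed = digests.get(name)
            if not listed:
                unlisted.append(name)  # entry is not covered by the manifest at all
            elif any(base64.b64encode(hashlib.new(alg.replace("-", "").lower(),
                     jar.read(name)).digest()).decode() != want for alg, want in listed.items()):
                mismatched.append(name)  # content changed after the manifest was written
    return {"signers": signers, "unlisted": unlisted, "mismatched": mismatched}

def build_sample_jar(classes, sign=True, tamper=()):
    """Constructed input; the .SF/.RSA bodies are placeholders, not real signatures."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in classes.items() if sign else ():
        digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if sign:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"constructed placeholder")
        for name, body in classes.items():
            jar.writestr(name, body + b"!" if name in tamper else body)
    return buf.getvalue()
```

An empty `signers` list together with every class in `unlisted` is the pattern an unsigned provider jar produces; a non-empty `mismatched` list means the contents no longer match the manifest.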


More information about the security-dev mailing list