[13] RFR JDK-8220016 "SunRsaSignEntries were mistakenly added to the SunJSSE provider"

Xuelei Fan xuelei.fan at oracle.com
Fri Mar 8 03:30:58 UTC 2019 

On 3/7/2019 6:15 PM, Valerie Peng wrote:
> Do you mean removing the part about SunRsaSignEntries completely? Or 
> only remove the MD2/MD5withRSA signature algorithms?
> 
I meant to remove the SunRsaSignEntries completely from the SunJSSE 
provider.

> Do you know the history of including them in the first place? Since 
> SunRsaSign provider has been in early JDK releases, I wonder why SunJSSE 
> provider duplicated these RSA algorithms in the first place?
The JSSE provider was originally provided as an standalone library, and 
using the com.sun.net.ssl packet.  I think it was in JDK 1.4, the 
package became part of JDK, and start to using the javax.net.ssl package 
and the standard JCE providers.  However, for compatibility, the old 
supported signature algorithms are still linked in the SunJSSE provider.

In the JDK 9, a noted was added in the SunJSSE provider documentation:
    The SunJSSE provider is for backwards compatibility with
    older releases, and should no longer be used for Signature.

The compatibility is mainly about coding with explicitly SunJSSE 
provider name.  For example,
     Signature.getInstance("SHA1withRSA",
         "com.sun.net.ssl.internal.ssl.Provider");

The use may not be common in practice.  And the JDK JCE providers 
support these algorithms, I was wondering the risk of removing them from 
the SunJSSE provider may be low now.

Thanks,
Xuelei

> I can file a CSR, knowing the history/reason would help.
> 
> Thanks,
> 
> Valerie
> 
> 
> On 3/7/2019 5:45 PM, Xuelei Fan wrote:
>> Hi Valerie,
>>
>> As you are already there, I may suggest to remove the old RSA crypto 
>> algorithms in the SunJSSE providers as well.  As may simplify the code 
>> a little bit, though a CSR is needed for the SunJSSE behavior change.
>>
>> Thanks,
>> Xuelei
>>
>> On 3/7/2019 4:56 PM, Valerie Peng wrote:
>>> Hi Brad,
>>>
>>> Do you have time to help review the changes for JDK-8220016? Current 
>>> changes are to register the same list of RSA-related services as 
>>> these prior to the fix for JDK-7092821. I am not sure what are the 
>>> old RSA impls for pre-JDK1.4 implementations. Otherwise, I can remove 
>>> them as well. Please let me know.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8220016
>>>
>>> Webrev: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
>>>
>>> Thanks,
>>> Valerie

More information about the security-dev mailing list