[13] RFR JDK-8220016 "SunRsaSignEntries were mistakenly added to the SunJSSE provider"
Xuelei Fan
xuelei.fan at oracle.com
Fri Mar 8 03:30:58 UTC 2019
On 3/7/2019 6:15 PM, Valerie Peng wrote:
> Do you mean removing the part about SunRsaSignEntries completely? Or
> only remove the MD2/MD5withRSA signature algorithms?
>
I meant to remove the SunRsaSignEntries completely from the SunJSSE
provider.
> Do you know the history of including them in the first place? Since
> SunRsaSign provider has been in early JDK releases, I wonder why SunJSSE
> provider duplicated these RSA algorithms in the first place?
The JSSE provider was originally provided as an standalone library, and
using the com.sun.net.ssl packet. I think it was in JDK 1.4, the
package became part of JDK, and start to using the javax.net.ssl package
and the standard JCE providers. However, for compatibility, the old
supported signature algorithms are still linked in the SunJSSE provider.
In the JDK 9, a noted was added in the SunJSSE provider documentation:
The SunJSSE provider is for backwards compatibility with
older releases, and should no longer be used for Signature.
The compatibility is mainly about coding with explicitly SunJSSE
provider name. For example,
Signature.getInstance("SHA1withRSA",
"com.sun.net.ssl.internal.ssl.Provider");
The use may not be common in practice. And the JDK JCE providers
support these algorithms, I was wondering the risk of removing them from
the SunJSSE provider may be low now.
Thanks,
Xuelei
> I can file a CSR, knowing the history/reason would help.
>
> Thanks,
>
> Valerie
>
>
> On 3/7/2019 5:45 PM, Xuelei Fan wrote:
>> Hi Valerie,
>>
>> As you are already there, I may suggest to remove the old RSA crypto
>> algorithms in the SunJSSE providers as well. As may simplify the code
>> a little bit, though a CSR is needed for the SunJSSE behavior change.
>>
>> Thanks,
>> Xuelei
>>
>> On 3/7/2019 4:56 PM, Valerie Peng wrote:
>>> Hi Brad,
>>>
>>> Do you have time to help review the changes for JDK-8220016? Current
>>> changes are to register the same list of RSA-related services as
>>> these prior to the fix for JDK-7092821. I am not sure what are the
>>> old RSA impls for pre-JDK1.4 implementations. Otherwise, I can remove
>>> them as well. Please let me know.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8220016
>>>
>>> Webrev: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
>>>
>>> Thanks,
>>> Valerie
More information about the security-dev
mailing list