[13] RFR JDK-8220016 "SunRsaSignEntries were mistakenly added to the SunJSSE provider"

Valerie Peng valerie.peng at oracle.com
Mon Mar 11 22:59:44 UTC 2019 

Thanks for the info, I'd prefer to completely remove the SunRsaSign 
entries from SunJSSE provider as well.

I will update the webrev and file a CSR then.

Thanks,

Valerie


On 3/7/2019 7:30 PM, Xuelei Fan wrote:
> On 3/7/2019 6:15 PM, Valerie Peng wrote:
>> Do you mean removing the part about SunRsaSignEntries completely? Or 
>> only remove the MD2/MD5withRSA signature algorithms?
>>
> I meant to remove the SunRsaSignEntries completely from the SunJSSE 
> provider.
>
>> Do you know the history of including them in the first place? Since 
>> SunRsaSign provider has been in early JDK releases, I wonder why 
>> SunJSSE provider duplicated these RSA algorithms in the first place?
> The JSSE provider was originally provided as an standalone library, 
> and using the com.sun.net.ssl packet.  I think it was in JDK 1.4, the 
> package became part of JDK, and start to using the javax.net.ssl 
> package and the standard JCE providers.  However, for compatibility, 
> the old supported signature algorithms are still linked in the SunJSSE 
> provider.
>
> In the JDK 9, a noted was added in the SunJSSE provider documentation:
>    The SunJSSE provider is for backwards compatibility with
>    older releases, and should no longer be used for Signature.
>
> The compatibility is mainly about coding with explicitly SunJSSE 
> provider name.  For example,
>     Signature.getInstance("SHA1withRSA",
>         "com.sun.net.ssl.internal.ssl.Provider");
>
> The use may not be common in practice.  And the JDK JCE providers 
> support these algorithms, I was wondering the risk of removing them 
> from the SunJSSE provider may be low now.
>
> Thanks,
> Xuelei
>
>> I can file a CSR, knowing the history/reason would help.
>>
>> Thanks,
>>
>> Valerie
>>
>>
>> On 3/7/2019 5:45 PM, Xuelei Fan wrote:
>>> Hi Valerie,
>>>
>>> As you are already there, I may suggest to remove the old RSA crypto 
>>> algorithms in the SunJSSE providers as well.  As may simplify the 
>>> code a little bit, though a CSR is needed for the SunJSSE behavior 
>>> change.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 3/7/2019 4:56 PM, Valerie Peng wrote:
>>>> Hi Brad,
>>>>
>>>> Do you have time to help review the changes for JDK-8220016? 
>>>> Current changes are to register the same list of RSA-related 
>>>> services as these prior to the fix for JDK-7092821. I am not sure 
>>>> what are the old RSA impls for pre-JDK1.4 implementations. 
>>>> Otherwise, I can remove them as well. Please let me know.
>>>>
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8220016
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
>>>>
>>>> Thanks,
>>>> Valerie

More information about the security-dev mailing list