[13] RFR JDK-8220016 "Clean up redundant RSA services in the SunJSSE provider"
Valerie Peng
valerie.peng at oracle.com
Wed Mar 13 02:57:50 UTC 2019
Please review the CSR at: https://bugs.openjdk.java.net/browse/JDK-8220549
Webrev updated in place for this new approach:
http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
I changed the synopsis to clarify that we are now removing these
duplicated RSA support.
Thanks,
Valerie
On 3/11/2019 3:59 PM, Valerie Peng wrote:
> Thanks for the info, I'd prefer to completely remove the SunRsaSign
> entries from SunJSSE provider as well.
>
> I will update the webrev and file a CSR then.
>
> Thanks,
>
> Valerie
>
>
> On 3/7/2019 7:30 PM, Xuelei Fan wrote:
>> On 3/7/2019 6:15 PM, Valerie Peng wrote:
>>> Do you mean removing the part about SunRsaSignEntries completely? Or
>>> only remove the MD2/MD5withRSA signature algorithms?
>>>
>> I meant to remove the SunRsaSignEntries completely from the SunJSSE
>> provider.
>>
>>> Do you know the history of including them in the first place? Since
>>> SunRsaSign provider has been in early JDK releases, I wonder why
>>> SunJSSE provider duplicated these RSA algorithms in the first place?
>> The JSSE provider was originally provided as an standalone library,
>> and using the com.sun.net.ssl packet. I think it was in JDK 1.4, the
>> package became part of JDK, and start to using the javax.net.ssl
>> package and the standard JCE providers. However, for compatibility,
>> the old supported signature algorithms are still linked in the
>> SunJSSE provider.
>>
>> In the JDK 9, a noted was added in the SunJSSE provider documentation:
>> The SunJSSE provider is for backwards compatibility with
>> older releases, and should no longer be used for Signature.
>>
>> The compatibility is mainly about coding with explicitly SunJSSE
>> provider name. For example,
>> Signature.getInstance("SHA1withRSA",
>> "com.sun.net.ssl.internal.ssl.Provider");
>>
>> The use may not be common in practice. And the JDK JCE providers
>> support these algorithms, I was wondering the risk of removing them
>> from the SunJSSE provider may be low now.
>>
>> Thanks,
>> Xuelei
>>
>>> I can file a CSR, knowing the history/reason would help.
>>>
>>> Thanks,
>>>
>>> Valerie
>>>
>>>
>>> On 3/7/2019 5:45 PM, Xuelei Fan wrote:
>>>> Hi Valerie,
>>>>
>>>> As you are already there, I may suggest to remove the old RSA
>>>> crypto algorithms in the SunJSSE providers as well. As may
>>>> simplify the code a little bit, though a CSR is needed for the
>>>> SunJSSE behavior change.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 3/7/2019 4:56 PM, Valerie Peng wrote:
>>>>> Hi Brad,
>>>>>
>>>>> Do you have time to help review the changes for JDK-8220016?
>>>>> Current changes are to register the same list of RSA-related
>>>>> services as these prior to the fix for JDK-7092821. I am not sure
>>>>> what are the old RSA impls for pre-JDK1.4 implementations.
>>>>> Otherwise, I can remove them as well. Please let me know.
>>>>>
>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8220016
>>>>>
>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
>>>>>
>>>>> Thanks,
>>>>> Valerie
More information about the security-dev
mailing list