[13] RFR JDK-8220016 "Clean up redundant RSA services in the SunJSSE provider"

Xuelei Fan xuelei.fan at oracle.com
Wed Mar 13 03:18:11 UTC 2019 

On 3/12/2019 7:57 PM, Valerie Peng wrote:
> Please review the CSR at: https://bugs.openjdk.java.net/browse/JDK-8220549
> 
I added myself as reviewer.

> Webrev updated in place for this new approach: 
> http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
> 
It looks fine to me.

Xuelei

> I changed the synopsis to clarify that we are now removing these 
> duplicated RSA support.
> 
> Thanks,
> 
> Valerie
> 
> 
> On 3/11/2019 3:59 PM, Valerie Peng wrote:
>> Thanks for the info, I'd prefer to completely remove the SunRsaSign 
>> entries from SunJSSE provider as well.
>>
>> I will update the webrev and file a CSR then.
>>
>> Thanks,
>>
>> Valerie
>>
>>
>> On 3/7/2019 7:30 PM, Xuelei Fan wrote:
>>> On 3/7/2019 6:15 PM, Valerie Peng wrote:
>>>> Do you mean removing the part about SunRsaSignEntries completely? Or 
>>>> only remove the MD2/MD5withRSA signature algorithms?
>>>>
>>> I meant to remove the SunRsaSignEntries completely from the SunJSSE 
>>> provider.
>>>
>>>> Do you know the history of including them in the first place? Since 
>>>> SunRsaSign provider has been in early JDK releases, I wonder why 
>>>> SunJSSE provider duplicated these RSA algorithms in the first place?
>>> The JSSE provider was originally provided as an standalone library, 
>>> and using the com.sun.net.ssl packet.  I think it was in JDK 1.4, the 
>>> package became part of JDK, and start to using the javax.net.ssl 
>>> package and the standard JCE providers. However, for compatibility, 
>>> the old supported signature algorithms are still linked in the 
>>> SunJSSE provider.
>>>
>>> In the JDK 9, a noted was added in the SunJSSE provider documentation:
>>>    The SunJSSE provider is for backwards compatibility with
>>>    older releases, and should no longer be used for Signature.
>>>
>>> The compatibility is mainly about coding with explicitly SunJSSE 
>>> provider name.  For example,
>>>     Signature.getInstance("SHA1withRSA",
>>>         "com.sun.net.ssl.internal.ssl.Provider");
>>>
>>> The use may not be common in practice.  And the JDK JCE providers 
>>> support these algorithms, I was wondering the risk of removing them 
>>> from the SunJSSE provider may be low now.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>>> I can file a CSR, knowing the history/reason would help.
>>>>
>>>> Thanks,
>>>>
>>>> Valerie
>>>>
>>>>
>>>> On 3/7/2019 5:45 PM, Xuelei Fan wrote:
>>>>> Hi Valerie,
>>>>>
>>>>> As you are already there, I may suggest to remove the old RSA 
>>>>> crypto algorithms in the SunJSSE providers as well.  As may 
>>>>> simplify the code a little bit, though a CSR is needed for the 
>>>>> SunJSSE behavior change.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>> On 3/7/2019 4:56 PM, Valerie Peng wrote:
>>>>>> Hi Brad,
>>>>>>
>>>>>> Do you have time to help review the changes for JDK-8220016? 
>>>>>> Current changes are to register the same list of RSA-related 
>>>>>> services as these prior to the fix for JDK-7092821. I am not sure 
>>>>>> what are the old RSA impls for pre-JDK1.4 implementations. 
>>>>>> Otherwise, I can remove them as well. Please let me know.
>>>>>>
>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8220016
>>>>>>
>>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/
>>>>>>
>>>>>> Thanks,
>>>>>> Valerie

More information about the security-dev mailing list