RFR: JDK-8308398 Move SunEC crypto provider into java.base

Alan Bateman alanb at openjdk.org
Tue Jun 20 10:58:04 UTC 2023


On Tue, 20 Jun 2023 00:57:46 GMT, Sean Mullan <sean.mullan at oracle.com> wrote:

> > Maybe you are thinking about the size of libsunec or non-technical issues that meant it wasn't included by some distributions? There wasn't an issue with deciding which providers to include in java.base. I think the motivation for having the SunEC provider in java.base now is probably TLS so there are more secure cipher suites available for those that create a small run-image with jlink and don't include all security providers.
> 
> Yes, I think the motivation is more that Elliptic Curve Cryptography is a widely used form of crypto and should be in java.base. I haven't tried this, but I think TLS 1.3 would simply not work if you just had java.base in your runtime.

I think we've converged on the right motivation. It would be good to check if there are TLS tests that could run with --limit-modules java.base; that would give confidence that the API/implementation will work when the run-time image only contains java.base.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14457#issuecomment-1598552414
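
The check suggested in the message above can be approximated with a small probe that reports which provider, if any, supplies the EC algorithms when the module graph is limited to java.base. This is an added example, not code from the JDK, the PR, or the thread; the class name EcProviderCheck and the choice of algorithms to probe are assumptions.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name). Compile first, because the
// source-file launcher needs jdk.compiler, which --limit-modules removes:
//   javac EcProviderCheck.java
//   java --limit-modules java.base EcProviderCheck
public class EcProviderCheck {
    interface Lookup { Provider get() throws Exception; }

    // Prints the provider that serves the algorithm, or MISSING if none does.
    static boolean report(String label, Lookup lookup) {
        try {
            System.out.printf("%-26s %s%n", label, lookup.get().getName());
            return true;
        } catch (Exception e) {
            System.out.printf("%-26s MISSING (%s)%n", label, e.getClass().getSimpleName());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Boot modules: " + ModuleLayer.boot().modules());
        System.out.println("Providers:    " + Arrays.toString(Security.getProviders()));

        boolean ok = true;
        ok &= report("KeyPairGenerator EC", () -> KeyPairGenerator.getInstance("EC").getProvider());
        ok &= report("KeyPairGenerator X25519", () -> KeyPairGenerator.getInstance("X25519").getProvider());
        ok &= report("KeyAgreement ECDH", () -> KeyAgreement.getInstance("ECDH").getProvider());
        ok &= report("KeyAgreement X25519", () -> KeyAgreement.getInstance("X25519").getProvider());
        ok &= report("Signature SHA256withECDSA", () -> Signature.getInstance("SHA256withECDSA").getProvider());

        // Informational only: how many ECDHE suites the TLS implementation lists.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        long ecdhe = Arrays.stream(ctx.getSupportedSSLParameters().getCipherSuites())
                .filter(s -> s.contains("_ECDHE_")).count();
        System.out.println("Supported ECDHE suites:    " + ecdhe);

        // A non-zero exit makes the probe usable as a gate in an image build.
        System.exit(ok ? 0 : 1);
    }
}
```

Running it once without --limit-modules and once with it shows whether the EC services move with java.base or disappear from the restricted runtime.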


