JDK-8220549

Clean up redundant RSA services in the SunJSSE provider


    • CSR
    • Resolution: Approved
    • P3
    • 13
    • security-libs
    • None
    • behavioral
    • low
    • Applications that directly request these RSA implementations from the SunJSSE provider will encounter NoSuchAlgorithmException. However, the SunRsaSign provider has been available since JDK 5, so we feel most if not all applications should either not specify a provider or use the SunRsaSign provider for RSA support.
    • Other
    • Implementation

      Summary

      Remove the RSA support in the SunJSSE provider that duplicates the SunRsaSign provider.

      Problem

      For historical reasons, the SunJSSE provider contains support for RSA algorithms, i.e. KeyFactory, KeyPairGenerator, and Signature services. Starting with JDK 5, the SunRsaSign provider was introduced to support these and more RSA algorithms. The only reason for the SunJSSE provider to continue supporting these RSA algorithms is pre-JDK 5 applications. It's time to clean up and remove this duplicated support for RSA algorithms from the SunJSSE provider.

      Solution

      Remove these RSA entries from the SunJSSE provider's service registration.
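
      To check whether a given runtime and application are affected, the following added example (not part of this CSR or the JDK sources) lists the RSA KeyFactory, KeyPairGenerator and Signature services each provider registers and reports which provider answers a pinned versus an unpinned RSA KeyFactory lookup. The class and method names are illustrative assumptions; it needs Java 9 or later.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.Security;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

public class RsaProviderCheck {   // hypothetical class name

    // Service types this CSR names as duplicated between the two providers.
    private static final List<String> TYPES =
            List.of("KeyFactory", "KeyPairGenerator", "Signature");

    // RSA-related services a provider registers, as "Type.Algorithm".
    static List<String> rsaServices(String providerName) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return List.of();   // provider not installed in this runtime
        }
        return p.getServices().stream()
                .filter(s -> TYPES.contains(s.getType()))
                .filter(s -> s.getAlgorithm().toUpperCase(Locale.ROOT).contains("RSA"))
                .map(s -> s.getType() + "." + s.getAlgorithm())
                .sorted()
                .collect(Collectors.toList());
    }

    // Name of the provider that serves an RSA KeyFactory, or the exception
    // type raised. pinned == null means no provider is specified.
    static String rsaKeyFactoryProvider(String pinned) {
        try {
            KeyFactory kf = (pinned == null)
                    ? KeyFactory.getInstance("RSA")
                    : KeyFactory.getInstance("RSA", pinned);
            return kf.getProvider().getName();
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        for (String name : List.of("SunJSSE", "SunRsaSign")) {
            System.out.println(name + " registers: " + rsaServices(name));
        }
        System.out.println("pinned to SunJSSE    -> " + rsaKeyFactoryProvider("SunJSSE"));
        System.out.println("pinned to SunRsaSign -> " + rsaKeyFactoryProvider("SunRsaSign"));
        System.out.println("no provider given    -> " + rsaKeyFactoryProvider(null));
    }
}
```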

      Specification

      < src/java.base/share/classes/sun/security/ssl/SunJSSE.java>

      @@ -25,22 +25,16 @@
      
       package sun.security.ssl;
      
       import java.security.*;
       import java.util.*;
      -import sun.security.rsa.SunRsaSignEntries;
       import static sun.security.util.SecurityConstants.PROVIDER_VER;
       import static sun.security.provider.SunEntries.createAliases;
      
       /**
        * The JSSE provider.
        *
      - * The RSA implementation has been removed from JSSE, but we still need to
      - * register the same algorithms for compatibility. We just point to the RSA
      - * implementation in the SunRsaSign provider. This works because all classes
      - * are in the bootclasspath and therefore loaded by the same classloader.
      - *
        * SunJSSE now supports an experimental FIPS compliant mode when used with an
        * appropriate FIPS certified crypto provider. In FIPS mode, we:
        *  . allow only TLS 1.0 or later
        *  . allow only FIPS approved ciphersuites
        *  . perform all crypto in the FIPS crypto provider
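      Review bot: The class Javadoc loses its only mention of RSA in this hunk and nothing replaces it. Because a caller that names SunJSSE for an RSA KeyFactory, KeyPairGenerator or Signature will now get NoSuchAlgorithmException, consider one sentence in the comment saying that these services are no longer registered by this provider and that SunRsaSign supplies them. With the compatibility paragraph gone, the following "SunJSSE now supports an experimental FIPS compliant mode" is the first statement after "The JSSE provider."; dropping "now" would read better.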
      
      @@ -82,16 +76,10 @@
                   List<String> aliases, HashMap<String, String> attrs) {
               putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
           }
      
           private void doRegister() {
      -        Iterator<Provider.Service> rsaIter =
      -            new SunRsaSignEntries(this).iterator();
      -        while (rsaIter.hasNext()) {
      -            putService(rsaIter.next());
      -        }
      -
               ps("Signature", "MD5andSHA1withRSA",
                   "sun.security.ssl.RSASignature", null, null);
      
               ps("KeyManagerFactory", "SunX509",
                   "sun.security.ssl.KeyManagerFactoryImpl$SunX509", null, null);

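      Review bot: In doRegister(), the Signature entry "MD5andSHA1withRSA" stays registered directly after the removed SunRsaSignEntries loop, and nothing at that ps(...) call explains why this RSA-named service is kept while the others go. A one-line comment noting that it is implemented by sun.security.ssl.RSASignature and is kept on purpose would stop a reader from assuming the cleanup was incomplete or a later change from removing it. It is also worth confirming that the regression tests include a provider-qualified lookup against SunJSSE for one of the removed services and expect NoSuchAlgorithmException.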
      The complete webrev, including regression test updates, can be found at: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/

            valeriep Valerie Peng
            wetmore Bradford Wetmore
            Xuelei Fan