JDK-8220549 : Clean up redundant RSA services in the SunJSSE provider
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-03-13
  • Updated: 2019-03-26
  • Resolved: 2019-03-26
Related Reports
CSR :  
Description
Summary
-------
Remove the RSA support in the SunJSSE provider that duplicates the SunRsaSign provider.

Problem
-------
For historical reasons, the SunJSSE provider contains support for RSA algorithms, i.e. KeyFactory, KeyPairGenerator, Signatures. Starting with JDK 5, the SunRsaSign provider was introduced to support these and more RSA algorithms. The only reason for the SunJSSE provider to continue supporting these RSA algorithms is pre-JDK 5 applications. It's time to clean up and remove this duplicated support for RSA algorithms from the SunJSSE provider.

Solution
--------
Remove these RSA entries from the SunJSSE provider's service registration.
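
An added example (not code from the JDK or this CSR) for checking how an application is affected: it lists the RSA KeyFactory, KeyPairGenerator and Signature services each provider registers, and contrasts a lookup pinned to SunJSSE with a provider-agnostic one. The class name `RsaProviderAudit` is hypothetical.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

// Added example: reports which RSA services each provider registers and
// shows the provider-agnostic lookup that does not depend on SunJSSE.
public class RsaProviderAudit {

    // The service types the CSR names as duplicated in SunJSSE.
    private static final Set<String> TYPES =
            Set.of("KeyFactory", "KeyPairGenerator", "Signature");

    // Collect "Type.Algorithm" for every RSA-related service of one provider.
    static Set<String> rsaServices(String providerName) {
        Set<String> found = new TreeSet<>();
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return found; // provider not installed in this runtime
        }
        for (Provider.Service s : p.getServices()) {
            if (TYPES.contains(s.getType())
                    && s.getAlgorithm().toUpperCase(Locale.ROOT).contains("RSA")) {
                found.add(s.getType() + "." + s.getAlgorithm());
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"SunJSSE", "SunRsaSign"}) {
            System.out.println(name + ": " + rsaServices(name));
        }
        // A lookup pinned to SunJSSE fails once that provider drops the entry.
        try {
            KeyFactory.getInstance("RSA", "SunJSSE");
            System.out.println("RSA KeyFactory still registered by SunJSSE");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            System.out.println("Pinned lookup failed: " + e.getMessage());
        }
        // Letting JCA choose the provider does not depend on SunJSSE.
        KeyFactory kf = KeyFactory.getInstance("RSA");
        System.out.println("Unpinned lookup served by: " + kf.getProvider().getName());
    }
}
```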

Specification
-------------
<src/java.base/share/classes/sun/security/ssl/SunJSSE.java>

    @@ -25,22 +25,16 @@
     
     package sun.security.ssl;
     
     import java.security.*;
     import java.util.*;
    -import sun.security.rsa.SunRsaSignEntries;
     import static sun.security.util.SecurityConstants.PROVIDER_VER;
     import static sun.security.provider.SunEntries.createAliases;
     
     /**
      * The JSSE provider.
      *
    - * The RSA implementation has been removed from JSSE, but we still need to
    - * register the same algorithms for compatibility. We just point to the RSA
    - * implementation in the SunRsaSign provider. This works because all classes
    - * are in the bootclasspath and therefore loaded by the same classloader.
    - *
      * SunJSSE now supports an experimental FIPS compliant mode when used with an
      * appropriate FIPS certified crypto provider. In FIPS mode, we:
      *  . allow only TLS 1.0 or later
      *  . allow only FIPS approved ciphersuites
      *  . perform all crypto in the FIPS crypto provider
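
Review bot: With the compatibility paragraph deleted from the class Javadoc, nothing in this file records that the RSA KeyFactory, KeyPairGenerator and Signature services now come only from SunRsaSign. A one-line pointer above the FIPS paragraph, saying that RSA services are provided by the SunRsaSign provider, would keep readers from looking for them here. Please also confirm that no other code in the file still references `sun.security.rsa.SunRsaSignEntries` now that the import is gone.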
    
    @@ -82,16 +76,10 @@
                 List<String> aliases, HashMap<String, String> attrs) {
             putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
         }
     
         private void doRegister() {
    -        Iterator<Provider.Service> rsaIter =
    -            new SunRsaSignEntries(this).iterator();
    -        while (rsaIter.hasNext()) {
    -            putService(rsaIter.next());
    -        }
    -
             ps("Signature", "MD5andSHA1withRSA",
                 "sun.security.ssl.RSASignature", null, null);
     
             ps("KeyManagerFactory", "SunX509",
                 "sun.security.ssl.KeyManagerFactoryImpl$SunX509", null, null);
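
Review bot: In doRegister(), `MD5andSHA1withRSA` stays registered against `sun.security.ssl.RSASignature` right where the SunRsaSignEntries loop was removed, with no comment saying why this one RSA signature remains in SunJSSE; a short comment would stop it being taken for a leftover. Callers that name "SunJSSE" explicitly for the removed services will no longer resolve them, so the regression tests should assert both that those lookups fail on SunJSSE and that the same algorithms are still found through SunRsaSign.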

The complete webrev, including regression test updates, can be found at: http://cr.openjdk.java.net/~valeriep/8220016/webrev.00/


Comments
Moving to Approved.
26-03-2019

[~darcy] Right, I have added the release-note=yes label. Thanks! Please let me know if there is anything else that I need to address.
26-03-2019

[~valeriep], the release note should be associated with the original bug report. (I didn't see the release note sub-task; I was expecting to see the release note label as well.) Thanks.
21-03-2019

Yes, there is already a release note (https://bugs.openjdk.java.net/browse/JDK-8220615) associated with JDK-8220016. Also, the doc team is aware of this and there is a doc bug for updating the SunJSSE provider info in the JDK provider's guide (https://bugs.openjdk.java.net/browse/JDK-8218860). Should the release note change be associated with the CSR or the original bug record?
20-03-2019

Should this change get a release note? Moving to Provisional.
18-03-2019