JDK-8062515 : Migrate use of sun.security.** to supported API
  • Type: Bug
  • Component: security-libs
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2014-10-30
  • Updated: 2017-05-11
  • Resolved: 2014-10-30
Related Reports
Relates :  
JDK-8058778 - New APIs for creating certificates and certificate requests
Relates :  
JDK-7192189 - Support new endpoint identification algorithm in RFC 6125
Relates :  
JDK-8056174 - New APIs for jar signing
Relates :  
JDK-8043071 - Expose session key and KRB_CRED through extended GSS-API
Relates :  
JDK-8042967 - Add variant of DSA Signature algorithms that do not ASN.1 encode the signature bytes
Description
All sun.security.** classes are JDK internal APIs that are not supported and should not be used. This issue documents the supported APIs that you should migrate to use.  For any sun.security.** classes not listed below, there is no replacement.

1) sun.security.action.* 

They should be replaced with java.security.PrivilegedAction (@since 1.1) to call System.getProperty or other action instead. Example

   AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key));

2) sun.security.util.SecurityConstants 

The SecurityConstants class defines instance of several permission types.  It should be replaced with creating the instance of the public permission type.   Example,
       new NetPermission("getCookieHandler");

java.lang.RuntimePermission, java.net.NetPermission, or many Permission class were added @since 1.1

3)  sun.security.provider.Sun

One option is calling java.security.Security.getProvider("SUN") that is not the recommended way.

In general, you should avoid depending on a specific provider as it may not be available on other Java implementations. See Oracle security providers documentation for more rationale.  That is,
   getInstance("...", "SunJCE");  // not recommended

versus

   getInstance("...");            // recommended

4) sun.security.provider.PolicyFile

It should be replaced to use:
   java.security.Policy.getInstance("JavaPolicy", new java.security.URIParameter(uri)); 

This getInstance method was added @since 1.6.

5) sun.security.krb5.**

JDK-8043071 defines the supported APIs in JDK 9 to get the context session key to do their own encryption/decryption and also deal with the KRB-CRED token in its own way:

@see javax.security.auth.kerberos.EncryptionKey and KerberosCredMessage
@see javax.security.auth.kerberos.KerberosTicket.getSessionKey()

Also see org.ietf.jgss and com.sun.security.jgss APIs

6) sun.security.x509.** 

Use javax.security.auth.x500.X500Principal @since 1.4 to replace sun.security.x509.X500Name 

Many of the extensions and fields of an X509 Certificate can be accessed via the standard java.security.cert API.  Use java.security.cert API instead.

7) sun.security.util.HostnameChecker.match checks if the certificate allows use of the given server name

javax.net.ssl.SSLParameters.setEndpointIdentificationAlgorithm("HTTPS" or "LDAPS") can be used to enabled hostname checking during handshaking, and javax.net.ssl.HttpsURLConnection.setHostnameVerifier() can be customized hostname verifier rules for URL operations.

See also JDK-7192189 for the new endpoint identification support.