JDK-8130302 : Add -addprovider option to jarsigner and keytool
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2015-07-02
  • Updated: 2019-10-14
  • Resolved: 2016-07-12
JDK 9: 9 b128 (Fixed)
Sub Tasks
JDK-8150226 :  
JDK-8150227 :  
Description
Before JDK 9, a user could use the -providerclass option in keytool and jarsigner to add a security provider that is not loaded by the JRE by default (i.e. not listed in java.security) or that needs a configuration. For example:
 
  keytool -providerclass com.example.MyProvider ...
 
  keytool -providerclass sun.security.pkcs11.SunPKCS11 -providerarg some.cfg ...
 
With modules in JDK 9, a security provider in a named module must be a service provider. It is identified by a provider name (java.security.Provider::getName) rather than a class name.
 
This RFE suggests creating a new option called -addprovider, whose value is the name of a security provider defined in a module. For example:
 
  keytool -J-mp mods -addprovider MyProvider ...
 
  keytool -addprovider SunPKCS11 -providerarg some.cfg ...
 
For compatibility reasons, the SunPKCS11 and OracleUcrypto providers can still be loaded with "-providerclass sun.security.pkcs11.SunPKCS11" and "-providerclass com.oracle.security.crypto.UcryptoProvider" even though they are now defined in modules. These are the only providers included in the JDK that need a configuration, and are therefore the ones most widely used with the -providerclass option.
 
For legacy security providers located on the class path and loaded by reflection, -providerclass should still be used. For example:
 
  keytool -providerclass com.example.MyProvider ...
  (If MyProvider is a legacy provider loaded via reflection)
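
The two lookup mechanisms contrasted in the description, as an added Java sketch (not code from the JDK or from this issue): a provider selected by name among ServiceLoader services, and a provider class instantiated by reflection. The class name ProviderLookupDemo and the helpers byName and byClass are hypothetical, and Java 9 or later is assumed.

```java
import java.security.Provider;
import java.util.ServiceLoader;

public class ProviderLookupDemo {

    // -addprovider style: pick the service provider whose
    // Provider::getName matches, then apply an optional argument.
    static Provider byName(String name, String arg) {
        ServiceLoader<Provider> services =
                ServiceLoader.load(Provider.class, ClassLoader.getSystemClassLoader());
        for (Provider p : services) {
            if (p.getName().equals(name)) {
                // Provider::configure (Java 9+) takes a -providerarg style value.
                return arg == null ? p : p.configure(arg);
            }
        }
        throw new IllegalArgumentException("no service provider named " + name);
    }

    // -providerclass style: instantiate a provider class by reflection.
    // The class must be accessible to the caller, which a class in a
    // non-exported package of a named module is not.
    // Assumption: a legacy provider takes its argument in a (String) constructor.
    static Provider byClass(String className, String arg)
            throws ReflectiveOperationException {
        Class<? extends Provider> c =
                Class.forName(className).asSubclass(Provider.class);
        return arg == null
                ? c.getDeclaredConstructor().newInstance()
                : c.getDeclaredConstructor(String.class).newInstance(arg);
    }

    public static void main(String[] args) {
        // Name and class of the PKCS11 provider, as given in the description.
        String name = "SunPKCS11";
        String cls = "sun.security.pkcs11.SunPKCS11";
        try {
            System.out.println("by name:  " + byName(name, null).getName());
        } catch (RuntimeException e) {
            System.out.println("by name failed:  " + e);
        }
        try {
            System.out.println("by class: " + byClass(cls, null).getName());
        } catch (ReflectiveOperationException | RuntimeException e) {
            System.out.println("by class failed: " + e);
        }
    }
}
```

This shows the raw mechanisms only; the compatibility handling that lets keytool keep accepting "-providerclass sun.security.pkcs11.SunPKCS11" is not reproduced.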
Comments
[~alanb] See the comment above from [~asmotrak], sun/security/tools/keytool/autotest.sh test fails because using -providerClass caused IllegalAccessException. As a result, this test is in ProblemList.txt.
01-07-2016

FC Extension Request:
  description of remaining work: none, CCC and webrev already approved
  risk level: minimal
  brief justification: modularization-related, need new option to set security provider as a service, should be included in jdk9
  best estimate of the date by which the feature will be complete: now
30-06-2016

Rajan - I'm not sure that I understand your comment. This issue tracks new options but perhaps you are asking about the test on the ProblemList.txt file?
10-06-2016

Here are some details about the sun/security/tools/keytool/autotest.sh test failure, just to be clear. The test runs keytool with the following command:

  keytool -debug -J-Dnss.lib=/usr/lib/mps/amd64/libsoftokn3.so -keystore NONE -storetype PKCS11 -providerName SunPKCS11-nss -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nss.txt -storepass test12 -list

which fails with the following exception because of the "-providerClass sun.security.pkcs11.SunPKCS11" option:

  Exception in thread "main" java.lang.IllegalAccessException: class sun.security.tools.keytool.Main (in module java.base) cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.pkcs11) because module jdk.crypto.pkcs11 does not export sun.security.pkcs11 to module java.base
      at sun.reflect.Reflection.throwIllegalAccessException(java.base@9-ea/Reflection.java:411)
      at sun.reflect.Reflection.throwIllegalAccessException(java.base@9-ea/Reflection.java:402)
      at sun.reflect.Reflection.ensureMemberAccess(java.base@9-ea/Reflection.java:99)
      at java.lang.Class.newInstance(java.base@9-ea/Class.java:542)
      at sun.security.tools.keytool.Main.doCommands(java.base@9-ea/Main.java:731)
      at sun.security.tools.keytool.Main.run(java.base@9-ea/Main.java:376)
      at sun.security.tools.keytool.Main.main(java.base@9-ea/Main.java:369)
      at KeyToolTest.test(KeyToolTest.java:171)
      at KeyToolTest.test(KeyToolTest.java:139)
      at KeyToolTest.testOK(KeyToolTest.java:194)
      at KeyToolTest.testPKCS11(KeyToolTest.java:684)
      at KeyToolTest.main(KeyToolTest.java:1827)
16-03-2016

Thanks, I was not aware of -help -list so I didn't know it also had a -providerclass option. In that case we can change this bug to cover both jarsigner and keytool.
03-07-2015

"keytool" only shows commands; "keytool -help -list" shows options for the "list" command.
03-07-2015

I don't see anything about provider class in the keytool usage page. Is this a hidden option?
03-07-2015

Same options in keytool. Or was there another bug filed?
03-07-2015