JDK-8220016 : Clean up redundant RSA services in the SunJSSE provider
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-03-02
  • Updated: 2019-10-16
  • Resolved: 2019-03-29
JDK 13: 13 b15 (Fixed)
Sub Tasks
JDK-8220615 :  
The fix for JDK-7092821 reorg'd the JDK 12 code to iterate through all of the SunRSASign entries, so SunJSSE now advertises all of the SunRSASign algorithms, including SHA224/256/384/512/512-224/512-256, RSASSA-PSS and others which it didn't do before.


This should probably be removed, along with all of the other old RSA implementations which are only there for compatibility with the pre JDK 1.4 implementations.  That could be done under a separate bug or by expanding this bug.
Changes are partly due to JDK-7092821 as well

It turns out that all these RSA entries from reusing the SunRsaSign provider are for pre-JDK1.5 impls (before the SunRsaSign provider was introduced in JDK 5). In addition, in the JDK9 JSSE doc, there is a note cautioning against the use of RSA KeyFactory, KeyPairGenerator, and MD2/MD5/SHA1 with RSA Signatures with the JSSE provider, i.e. "The SunJSSE provider is for backwards compatibility with older releases, and should no longer be used for Signature." (see https://docs.oracle.com/javase/9/security/oracleproviders.htm#JSSEC-GUID-7093246A-31A3-4304-AC5F-5FB6400405E2) Thus, it seems that the right thing to do here is to stop registering these RSA services in the SunJSSE provider.

What are the old RSA implementations for pre-JDK1.4 impls? I can remove them in the fix also.

What is the reason for SunJSSE provider to advertise impl from SunRsaSign provider? Will there be a problem removing all RSA related entries? Or, is the goal to "maintain" the same list of RSA algorithm implementations for max backward compatibility?
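
The following is an added example, not part of the report and not code from the JDK project: a small audit that lists the RSA Signature, KeyFactory and KeyPairGenerator services a given runtime's SunJSSE provider still advertises, which of them SunRsaSign also registers, and which provider serves a default lookup. The class name `SunJsseRsaAudit` is hypothetical; the provider names are the ones used in the report, and the output depends on the JDK it is run on.

```java
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

// Added example (hypothetical class name): reports the RSA services that
// SunJSSE registers in the running JDK and how they overlap with SunRsaSign.
public class SunJsseRsaAudit {

    // True for the service types discussed in the report (Signature,
    // KeyFactory, KeyPairGenerator) whose algorithm name mentions RSA.
    static boolean isRsaService(Provider.Service s) {
        String type = s.getType();
        boolean relevantType = type.equals("Signature")
                || type.equals("KeyFactory")
                || type.equals("KeyPairGenerator");
        return relevantType
                && s.getAlgorithm().toUpperCase(Locale.ROOT).contains("RSA");
    }

    // Sorted "Type.Algorithm" names of a provider's RSA services; empty when
    // the provider is not installed (for example on a non-OpenJDK runtime).
    static Set<String> rsaServices(String providerName) {
        Set<String> out = new TreeSet<>();
        Provider p = Security.getProvider(providerName);
        if (p == null) return out;
        for (Provider.Service s : p.getServices()) {
            if (isRsaService(s)) out.add(s.getType() + "." + s.getAlgorithm());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> jsse = rsaServices("SunJSSE");
        Set<String> rsaSign = rsaServices("SunRsaSign");
        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("SunJSSE RSA services: " + jsse);
        // Entries registered under both providers are the redundant ones.
        Set<String> redundant = new TreeSet<>(jsse);
        redundant.retainAll(rsaSign);
        System.out.println("Also in SunRsaSign:   " + redundant);
        // A lookup without a provider name shows who serves callers by default.
        Signature sig = Signature.getInstance("SHA256withRSA");
        System.out.println("SHA256withRSA served by: " + sig.getProvider().getName());
    }
}
```

Code that passes "SunJSSE" as the provider argument to `Signature.getInstance`, `KeyFactory.getInstance` or `KeyPairGenerator.getInstance` is what depends on the entries this list shows.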