JDK-8322972 : Release Note: KEM.getInstance() Should Check If a Third-Party Security Provider Is Signed
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 17.0.13-oracle,21.0.5-oracle,22
  • Priority: P4
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2024-01-03
  • Updated: 2024-09-27
  • Resolved: 2024-01-11
The Version table provides details related to the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 17: 17.0.13-oracle (Resolved)
  • JDK 21: 21.0.5-oracle (Resolved)
  • JDK 22: 22 (Resolved)
Description
When instantiating a third-party security provider's implementation (class) of a `KEM` algorithm, the framework will determine the provider's codebase (JAR file) and verify its signature. In this way, JCA authenticates the provider and ensures that only providers signed by a trusted entity can be plugged into the JCA. This is consistent with other JCE service classes, such as `Cipher`, `Mac`, `KeyAgreement`, and others.
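
The following diagnostic is an added example, not code from the JDK or from this release note. For every registered provider that advertises a `KEM` service, it prints the codebase and code signers the description refers to, then attempts `KEM.getInstance()`. The class name `KemProviderSigningCheck` is hypothetical, and because the note does not say which exception an unauthenticated provider triggers, both `NoSuchAlgorithmException` and `SecurityException` are caught as an assumption. It needs a JDK that ships `javax.crypto.KEM`.

```java
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.crypto.KEM;

// Hypothetical helper class (added example): audits providers that offer KEM.
public class KemProviderSigningCheck {
    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KEM".equals(s.getType())) {
                    report(p, s.getAlgorithm());
                }
            }
        }
    }

    static void report(Provider p, String algorithm) {
        System.out.println(p.getName() + " / KEM." + algorithm);
        // The codebase is where the provider class was loaded from. It can be
        // null for classes defined by the boot loader (JDK built-in providers).
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null) {
            System.out.println("  codebase: none (loaded by the boot loader)");
        } else {
            System.out.println("  codebase: " + cs.getLocation());
            CodeSigner[] signers = cs.getCodeSigners();
            if (signers == null) {
                System.out.println("  signers:  none (unsigned codebase)");
            } else {
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's own.
                    Certificate c = signer.getSignerCertPath().getCertificates().get(0);
                    System.out.println("  signer:   " + (c instanceof X509Certificate x
                            ? x.getSubjectX500Principal().getName() : c.getType()));
                }
            }
        }
        // Signers being present does not mean the framework trusts them;
        // the getInstance() call is the authoritative result.
        try {
            KEM.getInstance(algorithm, p);
            System.out.println("  getInstance: ok");
        } catch (NoSuchAlgorithmException | SecurityException e) {
            System.out.println("  getInstance: rejected: " + e);
        }
    }
}
```

Run it with the same class path, module path and `java.security` configuration as the application, so that the third-party provider under review is actually registered.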