Hello,

We have a couple questions regarding Jar verification in Java 9 (and later)


We produce a Java based toolkit that contains a Security Provider. Because of 
this, we follow the guidance on the following page:

https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-C6054169-FE6E-4837-B2BD-382DFEB955C0


However, we have recently noticed a change between JDK 9 and JDK 8


In JDK 8:  
(https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html)
Step 1.1: Additional JCA Provider Requirements and Recommendations for 
Encryption Implementations

When instantiating a provider's implementation (class) of a Cipher, 
KeyAgreement, KeyGenerator, MAC or SecretKey factory, the framework will 
determine the provider's codebase (JAR file) and verify its signature. In this 
way, JCA authenticates the provider and ensures that only providers signed by a 
trusted entity can be plugged into JCA. Thus, one requirement for encryption 
providers is that they must be signed, as described in later steps.

In addition, each provider should perform self-integrity checking to ensure 
that the JAR file containing its code has not been manipulated in an attempt to 
invoke provider methods directly rather than through JCA. For further 
information, see How a Provider Can Do Self-Integrity 
Checking<https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck>.


In JDK 9: (https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm)

Step 1.1: Consider Additional JCA Provider Requirements and Recommendations for 
Encryption Implementations

When instantiating a provider's implementation (class) of a Cipher, 
KeyAgreement, KeyGenerator, MAC, or SecretKey factory, the framework will 
determine the provider's codebase (JAR file) and verify its signature. In this 
way, JCA authenticates the provider and ensures that only providers signed by a 
trusted entity can be plugged into the JCA. Thus, one requirement for 
encryption providers is that they must be signed, as described in later steps.

There is no mention of the self-integrity checking in this section? There 
doesn't seem to be an explanation as to why it was removed?


In Section 8.2, it briefly mentions self-integrity checking:

Step 8.2: Set Provider Permissions
Permissions<https://docs.oracle.com/javase/9/security/java-security-overview1.htm#GUID-7A49C00B-BEA6-4050-9E32-6168211585F7> 
must be granted for when applications are run while a security manager is 
installed. A security manager may be installed for an application either 
through code in the application itself or through a command-line argument.

  1.  Your provider may need the following permissions granted to it in the 
client environment:
     *   java.lang.RuntimePermission to get class protection domains. The 
provider may need to get its own protection domain in the process of doing 
self-integrity checking.
     *   java.security.SecurityPermission to set provider properties.


So we are just wondering if something has changed in JDK 9 (and later) that 
makes the self-integrity check by a security provider unnecessary. If it has 
been changed, could we get information as to what has changed and why it 
changed?


Thanks so much

John Gray
Entrust Datacard
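The self-integrity check the quoted JDK 8 text refers to is a routine the provider runs against its own JAR: it obtains its code source location (which is why the guide lists java.lang.RuntimePermission for getting protection domains), opens that JAR with verification enabled, reads every entry so the digests are checked against the signature file, and confirms each entry's signer matches a certificate embedded in the provider. The following is an added Java example of that pattern written for this thread; it is not code from the post, from Entrust Datacard, or from Oracle's documentation. The class name ProviderIntegrityCheck, the hypothetical MyProvider class passed to it, and the TRUSTED_CERT_PEM placeholder are assumptions.

```java
// Added example: provider self-integrity check in the style of the JDK 8 guide.
// Assumptions: the caller passes its own provider class (e.g. a hypothetical
// MyProvider.class); TRUSTED_CERT_PEM is a PLACEHOLDER for the vendor's signing cert.
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class ProviderIntegrityCheck {

    // PLACEHOLDER: replace with the PEM of the certificate that signed the provider JAR.
    private static final String TRUSTED_CERT_PEM =
        "-----BEGIN CERTIFICATE-----\n" +
        "...placeholder, not a real certificate...\n" +
        "-----END CERTIFICATE-----\n";

    private static volatile Boolean verified;

    /** True only if every class/resource entry in the provider's own JAR is signed by the trusted cert. */
    public static synchronized boolean verifySelf(Class<?> providerClass) {
        if (verified != null) return verified;
        boolean ok = false;
        try {
            X509Certificate trusted = loadTrustedCert();
            // Under a security manager this needs RuntimePermission("getProtectionDomain"),
            // which is why the guide lists that permission; doPrivileged limits the stack walk.
            URL location = AccessController.doPrivileged((PrivilegedAction<URL>) () -> {
                CodeSource cs = providerClass.getProtectionDomain().getCodeSource();
                return cs == null ? null : cs.getLocation();
            });
            if (location != null) {
                ok = verifyJar(new File(location.toURI()), trusted);
            }
        } catch (Exception e) {
            ok = false; // unsigned, tampered, or unreadable JAR: refuse to trust ourselves
        }
        verified = ok;
        return ok;
    }

    private static X509Certificate loadTrustedCert() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(TRUSTED_CERT_PEM.getBytes(StandardCharsets.US_ASCII)));
    }

    private static boolean verifyJar(File jar, X509Certificate trusted) throws Exception {
        // verify=true makes JarFile check each entry's digest against the .SF file as it is read.
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry je = entries.nextElement();
                if (je.isDirectory() || isSignatureRelated(je.getName())) continue;
                // The entry must be read to the end before getCertificates() is meaningful;
                // a digest mismatch surfaces as a SecurityException from the stream.
                try (InputStream in = jf.getInputStream(je)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] certs = je.getCertificates();
                if (certs == null || certs.length == 0) return false; // unsigned entry: repackaged JAR
                if (!signedByTrusted(certs, trusted)) return false;   // signed, but by someone else
            }
        }
        return true;
    }

    // The manifest and the *.SF / *.RSA / *.DSA / *.EC signature files are not signed entries themselves.
    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    private static boolean signedByTrusted(Certificate[] certs, X509Certificate trusted) {
        for (Certificate c : certs) {
            if (c.equals(trusted)) return true; // X509Certificate.equals compares DER encodings
        }
        return false;
    }
}
```

A provider would typically call ProviderIntegrityCheck.verifySelf(MyProvider.class) once from its constructor or from each engine class's constructor and throw a SecurityException when it returns false. Two details matter for correctness: every entry must be fully drained before getCertificates() is consulted, because the certificates are only populated after the digest check completes, and an entry with no certificates at all must be treated as a failure rather than skipped, since stripping the signature files is the simplest way to repackage a JAR.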
