On 9/25/2018 2:14 PM, John Gray wrote:
Hello,

We have a couple of questions regarding Jar verification in Java 9 (and later).

...deleted...

There is no mention of the self-integrity checking in this section? There doesn’t seem to be an explanation as to why it was removed?

The self-integrity requirement check was necessary for very early versions of JCE when crypto regulations were different, but is no longer necessary. IIRC, we left the guidance in because some folks were still targeting those ancient versions along with JDK 6/7. But with the docs cleanup in 9, we removed some of the old obsolete information like that.

---begin---
IMPORTANT NOTE: In the unbundled version of JCE 1.2.x, (used with JDKs 1.2.x and 1.3.x), providers needed to include code to authenticate the JCA framework to assure themselves of the integrity and authenticity of the JCA that they plugged into. In JDK 6 and later, this is no longer necessary.
---end---

Thanks,

Brad

In Section 8.2, it briefly mentions self-integrity checking:

Step 8.2: Set Provider Permissions

Permissions <https://docs.oracle.com/javase/9/security/java-security-overview1.htm#GUID-7A49C00B-BEA6-4050-9E32-6168211585F7> must be granted for when applications are run while a security manager is installed. A security manager may be installed for an application either through code in the application itself or through a command-line argument.

 1. Your provider may need the following permissions granted to it in
    the client environment:
      * java.lang.RuntimePermission to get class protection domains. The
        provider may need to get its own protection domain in the
        process of doing self-integrity checking.
      * java.security.SecurityPermission to set provider properties.

So we are just wondering if something has changed in JDK 9 (and later) that makes the self-integrity check by a security provider unnecessary. If it has been changed, could we get information as to what has changed and why it changed?

Thanks so much

John Gray

Entrust Datacard

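For readers who want to see what the two permissions in Section 8.2 are actually used for, here is an added example that is not part of this thread, the JDK, or Oracle's documentation. It is a skeleton provider that does the historical self-integrity check: it reads its own protection domain (the java.lang.RuntimePermission "getProtectionDomain" case) and compares the JAR signer's certificate against a fingerprint compiled into the class, then registers an algorithm (the java.security.SecurityPermission "putProviderProperty" case). The provider name "Example", the class com.example.provider.ExampleDigest, the policy codeBase path and the fingerprint value are all assumptions or placeholders; the policy grants are shown in the leading comment.

```java
// Added example, not code from the e-mail or from the JDK.
//
// Policy grants the provider JAR needs when a security manager is installed
// (assumed path and provider name):
//
//   grant codeBase "file:/opt/example/exampleprovider.jar" {
//       permission java.lang.RuntimePermission "getProtectionDomain";
//       permission java.security.SecurityPermission "putProviderProperty.Example";
//   };

import java.security.AccessController;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;

public final class ExampleProvider extends Provider {

    // PLACEHOLDER: lowercase hex SHA-256 of the DER encoding of the certificate
    // that signs the provider JAR. Replace with the real value before building.
    private static final String EXPECTED_SIGNER_SHA256 = "<sha256-of-signing-certificate>";

    public ExampleProvider() {
        // Provider(String name, String versionStr, String info) is the JDK 9+ constructor.
        super("Example", "1.0", "Example provider with self-integrity check");
        if (!verifySelfIntegrity(ExampleProvider.class, EXPECTED_SIGNER_SHA256)) {
            throw new SecurityException(
                    "provider JAR is unsigned or signed by an unexpected certificate");
        }
        // Registering an implementation is a provider property write, which needs
        // SecurityPermission "putProviderProperty.Example" under a security manager.
        // com.example.provider.ExampleDigest is assumed to live in the same JAR.
        put("MessageDigest.EXAMPLE", "com.example.provider.ExampleDigest");
    }

    // Returns true only if this class was loaded from a JAR whose signer certificate
    // has the expected fingerprint. Unsigned or differently signed code fails.
    static boolean verifySelfIntegrity(Class<?> providerClass, String expectedFingerprint) {
        // Class.getProtectionDomain() requires RuntimePermission "getProtectionDomain"
        // under a security manager. doPrivileged confines that requirement to this
        // frame so the application calling the provider does not also need it.
        // (AccessController exists in JDK 9-16 and is deprecated for removal from 17.)
        ProtectionDomain pd = AccessController.doPrivileged(
                (PrivilegedAction<ProtectionDomain>) providerClass::getProtectionDomain);
        CodeSource cs = pd.getCodeSource();
        if (cs == null) {
            return false; // no code source: not loaded from a JAR we can verify
        }
        CodeSigner[] signers = cs.getCodeSigners();
        if (signers == null || signers.length == 0) {
            return false; // unsigned JAR, or the class loader did not verify a signature
        }
        for (CodeSigner signer : signers) {
            // The first certificate in a signer's cert path is the signing certificate.
            Certificate signingCert = signer.getSignerCertPath().getCertificates().get(0);
            if (expectedFingerprint.equalsIgnoreCase(sha256Hex(signingCert))) {
                return true;
            }
        }
        return false;
    }

    // Lowercase hex SHA-256 over the certificate's DER encoding.
    static String sha256Hex(Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException("cannot fingerprint signing certificate", e);
        }
    }
}
```

The check is only as strong as the JAR signature verification done by the class loader that loaded the provider: if the JAR is loaded in a way that skips signature verification, getCodeSigners() returns null and the provider refuses to initialize, which is the safe failure mode.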