On Sat, 17 Jun 2023 13:10:35 GMT, Alan Bateman <al...@openjdk.org> wrote:
> > This moves the SunEC JCE Provider (Elliptic Curve) into java.base. EC has > > always been separate from the base module/pkg because of its dependence on > > a native library. That library was removed in JDK 16. > > The proposed changes look okay, meaning it should be okay to have the SunEC > provider in java.base. However, the motivation isn't clear as there isn't an > issue with JCE providers in java.base using native code. I know there were > non-technical issues with libsunec in the past but that would haven't prevent > the SunEC code form being compiled into java.base. > >From what I was told, the native library was one of the reasons it was not in >the base pkg before modularization and just remained so afterwards. > I assume the main implications of the change is that 3rd party JCE providers > signed with an EC certificate can now be deployed on the module path. Another > way to solve that issue is that delay verification of signed JARs until the > boot layer is created - if we did that, would you still want to move the > SunEC provider into java.base? Maybe you want it in java.base so there is an > alternative to RSA in all run-time images? Just before this review went out I tried JDK-8215932. At this point, I'm unable to reproduce the original problem with EC JCE signed jars. I talked to the submitter and at this point I'm not sure if JDK-8215932 was incorrect or it was fixed elsewhere. That doesn't reduce the motivation to remove the module. ------------- PR Comment: https://git.openjdk.org/jdk/pull/14457#issuecomment-1596540890
