bradford.wetmore at oracle.com
Fri Mar 2 00:01:09 UTC 2018
On 2/28/2018 8:36 AM, Bernd wrote:
> there was a thread on BouncyCastle's crypto-dev mailing list how to use
> a custom JCA provider with Java 9+. Since there is no alternative for
> the lib/ext extension mechanism this is a bit tricky (if you do want to
> make the extension in the java.security file permanent).
> There are multiple alternatives (adding to module path, to classpath,
> using service loader or programmatic registration). Those are described
> in the actual documentation.
Hopefully it's clear. There was a lot of moving parts and sharp edges
as JDK 9 came to a close. Comments welcome of course.
> However expanding the java.security list
To be clear, when you say "expanding the java.security list", you mean
adding an entry like:
> does not mention explicitely
> that without the extension mechanism this produces a java home which
> wont start without modifying the module path.
The JDK should still start, but it wouldn't be able to find MyProvider
if it's not in either the class or module path.
> Not sure if there is actually a default way to storesuch a "security
> provider module"
Not aware of anything for JDK 9+, short of putting your provider into
the module/classpath directory. As you note, the extension
mechanism/directory was removed in the JDK 9 (see JEP 220).
> without using for example jlink to build a new image
> (or add the -mp argument).
Please note from the Provider documentation:
You can link a provider in a custom runtime image with the jlink
command as long as it doesn't have a Cipher, KeyAgreement, or MAC
Providers that don't have Cipher/KeyAgreement/MAC implementation can be
However, providers providing Cipher/KeyAgreement/MAC implementations
must be signed using a valid certificate to pass the export tests in
implementations like Oracle JDK. We only support signed modular jars
(module-path) and signed jars (classpath). There is not a signed JMOD
feature, and thus jlink can't be used to create an image that will pass
the export tests.
> Maybe this should be stated explicite?
> "Starting with Java 9 there is no extension mechanism where you could
> install the provider JAR permanently. Therefore expanding the
> java.security leaves typically a incomplete java home and should be
> avoided. Permanently installing an additional module could be done with
> a custom jlink image."
> (I havent tested if JLink works, BCProv is not yet modularized or
> service loader enabled. Classpath and programmatic registration works fine).
> Is that correct?
We could add some wording here to talk about the removal of the
Hope that helps.
More information about the security-dev