Groups
Projects
The Securitygroup is comprisedof developers who participate in the design, implementation, andmaintenance of Java Security components.
The current members of the Security Group arelisted in the census.
If you have any potential vulnerability to report, please seeOracle'sReportingSecurity Vulnerabilities page or theOpenJDKVulnerabilities page.
The term "Security" has broad meanings and interpretations. Itspans a wide range of areas, including cryptography, public keyinfrastructure, secure communication, authentication, and accesscontrol. The security component thus comprises a large set of APIs,tools, and implementations of commonly-used security algorithms andprotocols.
The security area does not cover security features of the otherprimary component areas (language features and virtual machineimplementations, core libraries, graphics subsystems, hotspot,serviceability, etc). For a more detailed treatment, please see thecorresponding component pages.
The primary emphasis of these pages is to explore the coresecurity components source bases, and hopefully, get developers upto speed quickly.
The Java security components have been developed and expandedover the years, so the hierarchy may seem complicated simply due tothe large number of source files and directories. But the filesgenerally follow fairly straightforward patterns.
For general information about the OpenJDK repositories, and howto clone and build the JDK, see theOpenJDK Developer's Guide.
All of the security component source code is included in theOpenJDK project under thesrc subtree. As there aremany different components, they are split into many subdirectoriesacross several modules, generally based on functional area. In mostcases, the main API and implementation-independent classes live inthejava/* orjavax/* hierarchy, and theimplementation classes are in thesun/* hierarchy.Like any software projects, there are exceptions to thisguidance.
src/java.base/share/classes/java/securitysrc/java.base/share/classes/sun/securityThe majority of the core security classes live in these twomajor subdirectories of thejava.base module (accesscontrol, certificates, keys, message digests, permissions, policy,security managers, secure random number generation, etc). Thepublic API for these classes is in thejava/securityhierarchy.
The implementation-specific code is fairly extensive within thesun/security hierarchy. Some subdirectories ofnote:
ec - Elliptic Curve Cryptography implementationclasses.jca - Classes to support the*.getInstance() methods. The OpenJDK implements adelayed provider selection mechanism, and the actual provider isselected as close to the actual use as possible. This mechanism isuseful for transient tokens such as smart cards.pkcs - Miscellaneous, general PKCS supportclasses.pkcs10 - PKCS10 classes.pkcs12 - The PKCS12 keystore implementation.provider - TheSUN JCA provider. Manybasic cryptographic services (besides encipherment) are implementedhere.provider/certpath - Certification Path builder andvalidator classes.rsa - TheSunRsaSign provider. Theseclasses implement RSA-signatures and a very limited cipheralgorithm. Note that RSA is not specified for bulk encipherment,and would be too slow anyway.ssl - The SSL/TLS implementation code. See alsothe SSL/TLS section below for more details.timestamp - Routines to support certificatetimestamping.tools - The source code forkeytool.util - A variety of utility classes (resourcefiles, data structure manipulations, DER (ASN.1 encoding rules),and so on).validator - Various certificate validators forhttps, codesigning, CertPath, and keystores.x509 - The major implementation classes for X509certificates.src/java.base/share/classes/java/lang/SecurityException.javasrc/java.base/share/classes/java/lang/SecurityManager.javaClasses related to the Security Manager.
src/java.base/share/classes/javax/cryptosrc/java.base/share/classes/com/sun/crypto/providerThese directories contain the core cryptography framework andSunJCE provider.SunJCE contains Javaimplementations of many popular algorithms.
src/java.base/share/classes/javax/netsrc/java.base/share/classes/com/sun/net/sslsrc/java.base/share/classes/sun/security/sslsrc/java.base/share/classes/sun/net/www/protocol/httpsThe majority of the core SSL/TLS classes. Thejavax/net contains the APIs and platform-independentcode. The SSL/TLS implementation is found insun/security/ssl. The "https" provider is directlybased on the JDK "http" provider, which is located in thesun/net/www/protocol directory.
src/java.base/share/classes/javax/security/authsrc/java.base/share/classes/com/sun/securityClasses for JAAS authentication.
src/java.base/share/conf/securitysrc/java.base/share/lib/securitySecurity configuration files. (java.policy, java.security,default.policy)
src/java.base/share/data/cacertssrc/java.base/share/data/publicsuffixlistCA cert data files, public suffix list.
src/java.base/unix/classes/sun/securitysrc/java.base/windows/classes/sun/securitysrc/java.base/macosx/classes/apple/securityPlatform-specific Java Code. Platform-independent code is foundinsrc/java.base/share. Platform-dependent code isfound insrc/{arch} For example, theApple provider can be found insrc/java.base/macosx/classes/apple/security.
src/java.base/share/native/libjava/AccessController.csrc/java.base/share/native/libjava/SecurityManager.cNative method implementations are found in the nativedirectories.
Note that the code currently supports all versions of thevarious platforms. That includes the various releases of Linux,Windows and macOS. Consult the current supported architecturesguidelines for more information.
src/java.base/share/classes/javax/security/certThe old JSSE 1.x certificate classes, also here only forcompatibility. These APIs should be avoided in favor of thejava.security.cert equivalent classes.
src/java.security.jgss/share/classes/org/ietf/jgsssrc/java.security.jgss/share/classes/javax/security/auth/kerberossrc/java.security.jgss/share/classes/sun/security/krb5src/java.security.jgss/share/classes/sun/security/jgsssrc/java.security.jgss/share/classes/sun/net/www/protocol/http/spnegosrc/java.security.jgss/share/classes/native/libj2gssClasses and native code for thejava.security.jgssmodule which include the Java bindings of GSS-API, Kerberos APIs,and implementations of the Kerberos v5 and SPNEGO GSS-APImechanisms.
src/java.security.sasl/share/classes/javax/security/saslsrc/java.security.sasl/share/classes/com/sun/security/saslClasses for thejava.security.sasl module whichinclude the SASL API and implementations of the DIGEST-MD5,CRAM-MD5, and NTLM mechanisms.
src/java.smartcardio/share/classes/javax/smartcardiosrc/java.smartcardio/share/classes/sun/security/smartcardiosrc/java.smartcardio/share/native/libj2pcscClasses and native code for thejava.smartcardiomodule which include the Smart Card I/O API andSunPCSC provider implementation.
src/java.xml.crypto/share/classes/javax/xml/cryptosrc/java.xml.crypto/share/classes/org/jcp/xml/dsig/internalsrc/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/securityClasses for thejava.xml.crypto module whichinclude the XML Digital Signature API andXMLDSigRIprovider implementation.
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11src/jdk.crypto.cryptoki/share/native/libj2pkcs11Classes and native code for thejdk.crypto.cryptokimodule which contains theSunPKCS11 providerimplementation. TheSunPKCS11 provider allows callsmade through the standard Java cryptography APIs to be routed intoa native PKCS11 library.
src/jdk.crypto.mscapi/windows/classes/sun/security/mscapisrc/jdk.crypto.mscapi/native/libsunmscapiClasses and native code for thejdk.crypto.mscapimodule which contains theSunMSCAPI providerimplementation.
src/jdk.jartool/share/classes/jdk/security/jarsignersrc/jdk.jartool/share/classes/sun/security/tools/jarsignerClasses for thejdk.jartool module which containsthe JarSigner API and source code forjarsigner.
src/jdk.security.auth/share/classes/com/sun/security/authsrc/jdk.security.auth/unix/native/libjaassrc/jdk.security.auth/windows/native/libjaasClasses and native code for thejdk.security.authmodule which contains implementations of thejavax.security.auth interfaces and variousauthentication modules.
src/jdk.security.jgss/share/classes/com/sun/security/jgsssrc/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerbClasses for thejdk.security.jgss module whichcontains JDK extensions to the GSS-API and an implementation of theSASL GSSAPI mechanism.
Anyone who has worked in cryptography knows the import/export ofcryptographic code involves complicated legal issues. The JCE inOpenJDK has an open cryptographic interface, meaning it does notrestrict which providers can be used.Compliance with UnitedStates export controls and with local law governing theimport/export of products incorporating the JCE in the OpenJDK isthe responsibility of the licensee.
As a rule, unit tests for fixes and new functionality are prettymuch mandatory. However, before submitting changes, you should runthe relevant regression tests to make sure that the existing testscontinue to pass. For the security component, at a minimum youshould run:
You can run the security tests withmake test:
make test TEST="jdk_security jdk_security_infra"To run a single test, specify the pathname of the test, ex:
make testTEST="test/jdk/java/security/Provider/GetInstance.java"It is also a good idea to run all tests in tier1 and tier2 formore assurance that your change won't break other parts of theJDK:
make test TEST="tier1 tier2"See theTesting the JDKsection of the OpenJDK Developer's Guide for more details onhow to write and run tests. If your changes break something, itwill be a lot more work to diagnose, and then fix or back out. Doas much testing as possible.
security-libs component. There are severalsubcomponents depending on what area the issue affects:java.security,javax.security,javax.net.ssl,javax.crypto,javax.crypto:pkcs11,org.ietf.jgss,org.ietf.jgss:krb5,javax.xml.crypto,javax.smartcardio, andjdk.security.