The Security Group

The Security group is comprised of developers interested in the design, implementation, and maintanence of Security components.

Introduction

The term "Security" has broad meanings and interpretations. It spans a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. The security component thus comprises a large set of APIs, tools, and implementations of commonly-used security algorithms and protocols.

As security concepts such as permissions are tightly interwoven throughout the entire Java source code, these component pages do not address issues in the other primary component areas (language features and virtual machine implementations, core libraries, graphics subsystems, hotspot, serviceability, etc). For a more detailed treatment, please see the corresponding component pages.

The primary emphasis of these pages is to explore the core security components source bases, and hopefully, get developers up to speed quickly.

What's Included...and What's Not...

The Java security components have been developed and expanded over the years, so the hierarchy may seem complicated simply due to the large number of source files and directories. But the files generally follow fairly straightforward patterns.

What's Included...

Almost all of the security component source code is included in the OpenJDK project under the j2se subtree.

As there are so many different components, they are split into many subdirectories, generally based on functional area. In most cases, the main API and implementation-independent classes live in the java/* or javax/* hierarchy, and the implementation classes are in the sun/* hierarchy. The makefiles used to build these files are generally found in the make subdirectory of the same name. Like any software projects, there are exceptions to this guidance.

• src/share/classes/java/security
src/share/classes/sun/security
  

  The majority of the core security classes live in these two major subdirectories (access control, certificates, keys, message digests, permissions, policy, security managers, secure random number generation, etc).

  The Sun implementation-specific code is fairly extensive within the sun/security hierarchy. Some subdirectories of note:

  • ec - Some basic Elliptic Curve Cryptography implementation classes. We expect more work in this area during JDK7.
  • jca - Classes to support the *.getInstance() methods. The Sun JDK implements a delayed provider selection mechanism, and the actual provider is selected as close to the actual use as possible. This is mechanism is useful for transient tokens such as smart cards.
  • jgss - Some of the JGSS implementation classes. Other classes are below.
  • krb5 - Some of the Kerberos implementation classes.
  • pkcs - Miscellaneous, general PKCS support classes.
  • pkcs11 - The PKCS11 provider, which allows calls made through the standard Java cryptography APIs to be routed into native PKCS11 libraries.
  • pkcs12 - The PKCS12 keystore implementation.
  • provider - The "SUN" JCA provider. Many basic cryptographic services (besides encipherment) are implemented here.
  • rsa - The "SunRsaSign" provider. These classes implement RSA-signatures and a very limited cipher algorithm. Note that RSA is not specified for bulk encipherment, and would be too slow anyway.
  • smartcardio - Smard Card implementation routines.
  • timestamp - Routines to support certificate timestamping.
  • tools - The source code for the security tools : keytool, policytool, and jarsigner. Each tool is a single file, and are pretty straightforward.
  • util - A variety of utility classes (resource files, data structure manipulations, DER (ASN.1 encoding rules), and so on).
  • validator - Various certificate validators for https, codesigning, CertPath, and keystores.
  • x509 - The major implementation classes for X509 certificates.
• src/share/classes/java/lang/SecurityException.java
src/share/classes/java/lang/SecurityManager.java
src/share/classes/javax/smartcardio
src/share/classes/javax/xml/crypto
  

  Various other classes of interest.

• src/share/classes/javax/net
src/share/classes/com/sun/net/ssl
src/share/classes/sun/security/ssl
src/share/classes/sun/net/www/protocol/https
  

  The majority of the core SSL/TLS classes. The javax/net contains the APIs and platform-independent code. The SSL/TLS implementation is found in sun/security/ssl. The "https" provider is directly based on the JDK "http" provider, which is located in the sun/net/www/protocol directory.

  In JDK 1.4, the classes in the JSSE 1.x unbundled com/sun/net/ssl package were promoted to the javax.net.ssl package. For compatibility with JSSE 1.x, the original classes remain.

• src/share/classes/org/jcp/xml/dsig
src/share/classes/com/sun/org/apache/xml/internal/security
  

  XML Digital Signature API and implementation files

• src/share/classes/org/ietf/jgss
src/share/classes/com/sun/security
  

  Classes for JAAS authentication, JGSS, and SASL.

• src/share/lib/security
  

  Security configuration files. (cacerts, java.policy, java.security, PKCS11 config)

  The cacerts file shipped with OpenJDK is initially empty. The OpenJDK governing body will be defining a process by which certificates can be added to the OpenJDK cacerts file.

  Note that until the cacerts files has been populated, things like the default https TrustManager will not have certificates to trust, and will thus reject https connections.

• src/solaris/classes/com/sun/security
src/solaris/classes/sun/security
src/windows/classes/com/sun/security
src/windows/classes/sun/security
  

  Platform-specific Java Code. Platform-independent code is found in src/share. Platform-dependent code is found in src/{arch} For example, the MSCAPI provider can be found in src/windows/classes/sun/security/mscapi.

  The "solaris" directory is somewhat incorrectly named, and probably has stuck only due to historical reasons. It should more properly be named "unix", as this is where the platform dependent code for both "solaris" and "linux" live.

• src/share/native/java/lang/SecurityManager.c
src/share/native/java/security
src/share/native/sun/security
src/solaris/native/com/sun/security
src/solaris/native/sun/security
src/windows/native/com/sun/security
src/windows/native/sun/security
  

  Similar to the platform-specific Java code layout, native method implementations are found in the corresponding native directories.

  Note that the code currently support all versions of the various platforms. That includes the various releases of Solaris, Linux and Windows. Consult the current supported architectures guidelines for more information.

• src/share/classes/javax/security
src/share/classes/com/sun/security/cert
  

  The old JSSE 1.x certificate classes, also here only for compatibility. These API's should be avoided in favor of the java.security equivalent classes.

• src/share/doc/stub/javax/crypto
  

  We currently are not releasing the source code for the JCE framework and SunJCE provider (see below). To allow for javadoc generation for the crypto classes, stub files are used. These files contain all the API's of the crypto classes, but with no actual code.

What's Not Included...

Anyone who has worked in cryptography knows the import/export of cryptographic code involves complicated legal issues. At this time we are not releasing the Java Cryptography Extension (JCE) framework, the SunJCE provider, and portions of the Sun JDK providers (SunPKCS11 and MSCAPI) which make calls to the underlying cryptographic implementations (via the javax.crypto.Cipher and related classes).

The JCE framework and the SunJCE provider is available in OpenJDK via the prebuilt library files from the "Import JDK". The OpenJDK makefiles will copy the jce.jar and sunjce_provider.jar files from the JDK_IMPORT_PATH directory into the OpenJDK builds.

This is a huge hassle for us as well. We are actively working to remove these restrictions.

Building the security components

The workspace distribution MUST ALWAYS BE buildable from scratch. As the security components have interdependencies with other parts of the JDK, you should always do a successful tops-down build on any new workspace BEFORE making any changes. It will be very helpful to keep the build log, so that if any changes are not compiling, you can determine the correct makefile to use.

When you have changes that are almost ready to submit, you should delete your build directories and rebuild everything from scratch one last time, just to ensure you haven't introduced an incompatible build change or unexpected interdependency. If your changes might impact other workspaces (such as control, deploy, or install), you should build those workspaces as well. See the build instructions for more information on building the various workspaces.

As mentioned earlier, the makefiles generally follow the package hierarchy. If you make a change to java.security.KeyStore, you should go to the make/java/security and issue a make command from there.

Testing your changes

As a rule, unit tests for fixes and new functionality are pretty much mandatory. However, before submitting changes, you should run the relevent regression tests to make sure that the existing tests continue to pass. For the security component, at a minimum you should run:

• test/*/net
• test/*/security
• test/javax/xml/crypto
• test/javax/smartcardio
• test/com/sun/security
• test/com/sun/net
• test/lib/security

The full suite will be run before your changes are placed into the source tree. However, if your changes break something, it will be a lot more work to diagnose, and then fix or back out. Do as much testing as possible.

Documentation

• The Java Security Overview is probably the best place to start learning about the overall Java security architecture and implementation.
• The Java 6 Security Documentation provides much more detailed information, and should be understood before undertaking any work in this area.
• The book Inside the Java 2 Platform Security-Second Edition by Li Gong (et.al.) is dated (circa JDK 1.4), but provides valuable information and rationale for some of the JDK design decisions.

Community

• Mailing lists
  • security-dev

• Security bloggers

  • Martin England

    Java security vulnerability analyst, also working on the source control management of OpenJDK.

  • Sean Mullan

    Co-specification lead of JSR 105 (Digital Signatures) and is a member of the Java security team, working on XML security, Public Key Infrastructure (PKI), and other Java SE security technologies.

  • Andreas Sterbenz

    Member of the Java security team, working on PKCS11, Smart Cards, JSSE, and other Java SE security technologies.