<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /><title>Security Group</title><link rel="shortcut icon" href="../../images/nanoduke.ico" /><link rel="stylesheet" type="text/css" href="../../page.css" /><script type="text/javascript" src="../../page.js"><noscript></noscript></script><script src="https://cdn.usefathom.com/script.js" data-site="KCYJJPZX" defer="yes"></script></head><body><div id="main"> <h1>The Security Group</h1> <p>The Security <a href="/groups/index.html">group</a> is comprised of developers who participate in the design, implementation, and maintenance of Java Security components.</p> <p>The current members of the Security Group are <a href="https://openjdk.org/census#security">listed in the census</a>.</p> <h2>Submitting Vulnerabilities</h2> <p>If you have any potential vulnerability to report, please see Oracle's <a href="https://www.oracle.com/us/support/assurance/reporting/index.html">Reporting Security Vulnerabilities</a> page or the <a href="https://openjdk.org/groups/vulnerability/report">OpenJDK Vulnerabilities</a> page.</p> <h2>Introduction</h2> <p>The term "Security" has broad meanings and interpretations. It spans a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. The security component thus comprises a large set of APIs, tools, and implementations of commonly-used security algorithms and protocols.</p> <p>The security area does not cover security features of the other primary component areas (language features and virtual machine implementations, core libraries, graphics subsystems, hotspot, serviceability, etc). 
For a more detailed treatment, please see the corresponding component pages.</p> <p>The primary emphasis of these pages is to explore the source bases of the core security components and, hopefully, to get developers up to speed quickly.</p> <h2>The Security Source Layout</h2> <p>The Java security components have been developed and expanded over the years, so the hierarchy may seem complicated simply due to the large number of source files and directories. But the files generally follow fairly straightforward patterns.</p> <p>For general information about the OpenJDK repositories, and how to clone and build the JDK, see the <a href="https://openjdk.org/guide/">OpenJDK Developer's Guide</a>.</p> <p>All of the security component source code is included in the OpenJDK project under the <code>src</code> subtree. As there are many different components, they are split into many subdirectories across several modules, generally based on functional area. In most cases, the main API and implementation-independent classes live in the <code>java/*</code> or <code>javax/*</code> hierarchy, and the implementation classes are in the <code>sun/*</code> hierarchy. As in any software project, there are exceptions to this guidance.</p> <ul> <li><code>src/java.base/share/classes/java/security</code><br /> <code>src/java.base/share/classes/sun/security</code><br /> <p>The majority of the core security classes live in these two major subdirectories of the <code>java.base</code> module (access control, certificates, keys, message digests, permissions, policy, security managers, secure random number generation, etc). The public API for these classes is in the <code>java/security</code> hierarchy.</p> <p>The implementation-specific code is fairly extensive within the <code>sun/security</code> hierarchy. 
Some subdirectories of note:</p> <ul> <li><code>ec</code> - Elliptic Curve Cryptography implementation classes.</li> <li><code>jca</code> - Classes to support the <code>*.getInstance()</code> methods. The OpenJDK implements a delayed provider selection mechanism, and the actual provider is selected as close to the actual use as possible. This mechanism is useful for transient tokens such as smart cards.</li> <li><code>pkcs</code> - Miscellaneous, general PKCS support classes.</li> <li><code>pkcs10</code> - PKCS10 classes.</li> <li><code>pkcs12</code> - The PKCS12 keystore implementation.</li> <li><code>provider</code> - The <code>SUN</code> JCA provider. Many basic cryptographic services (besides encipherment) are implemented here.</li> <li><code>provider/certpath</code> - Certification Path builder and validator classes.</li> <li><code>rsa</code> - The <code>SunRsaSign</code> provider. These classes implement RSA-signatures and a very limited cipher algorithm. Note that RSA is not specified for bulk encipherment, and would be too slow anyway.</li> <li><code>ssl</code> - The SSL/TLS implementation code. 
See also the SSL/TLS section below for more details.</li> <li><code>timestamp</code> - Routines to support certificate timestamping.</li> <li><code>tools</code> - The source code for <a href="https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html"> keytool</a>.</li> <li><code>util</code> - A variety of utility classes (resource files, data structure manipulations, DER (ASN.1 encoding rules), and so on).</li> <li><code>validator</code> - Various certificate validators for https, codesigning, CertPath, and keystores.</li> <li><code>x509</code> - The major implementation classes for X509 certificates.</li> </ul> </li> </ul> <ul> <li> <code>src/java.base/share/classes/java/lang/SecurityException.java</code><br /> <code>src/java.base/share/classes/java/lang/SecurityManager.java</code><br /> <p>Classes related to the Security Manager.</p> </li> <li><code>src/java.base/share/classes/javax/crypto</code><br /> <code>src/java.base/share/classes/com/sun/crypto/provider</code><br /> <p>These directories contain the core cryptography framework and <code>SunJCE</code> provider. <code>SunJCE</code> contains Java implementations of many popular algorithms.</p> </li> <li><code>src/java.base/share/classes/javax/net</code><br /> <code>src/java.base/share/classes/com/sun/net/ssl</code><br /> <code>src/java.base/share/classes/sun/security/ssl</code><br /> <code>src/java.base/share/classes/sun/net/www/protocol/https</code><br /> <p>The majority of the core SSL/TLS classes. The <code>javax/net</code> directory contains the APIs and platform-independent code. The SSL/TLS implementation is found in <code>sun/security/ssl</code>. 
The "https" provider is directly based on the JDK "http" provider, which is located in the <code>sun/net/www/protocol</code> directory.</p> </li> <li> <code>src/java.base/share/classes/javax/security/auth</code><br /> <code>src/java.base/share/classes/com/sun/security</code><br /> <p>Classes for JAAS authentication.</p> </li> <li><code>src/java.base/share/conf/security</code><br /> <code>src/java.base/share/lib/security</code><br /> <p>Security configuration files (java.policy, java.security, default.policy).</p> </li> <li><code>src/java.base/share/data/cacerts</code><br /> <code>src/java.base/share/data/publicsuffixlist</code><br /> <p>CA cert data files, public suffix list.</p> </li> <li> <code>src/java.base/<b>unix</b>/classes/sun/security</code><br /> <code>src/java.base/<b>windows</b>/classes/sun/security</code><br /> <code>src/java.base/<b>macosx</b>/classes/apple/security</code><br /> <p>Platform-specific Java code. Platform-independent code is found in <code>src/java.base/share</code>. Platform-dependent code is found in <code>src/<b>{arch}</b></code>. For example, the <code>Apple</code> provider can be found in <code>src/java.base/macosx/classes/apple/security</code>.</p> </li> <li> <code>src/java.base/share/<b>native</b>/libjava/AccessController.c</code><br /> <code>src/java.base/share/<b>native</b>/libjava/SecurityManager.c</code><br /> <p>Native method implementations are found in the native directories.</p> <p>Note that the code currently supports all versions of the various platforms. That includes the various releases of Linux, Windows and macOS. Consult the current supported architectures guidelines for more information.</p> </li> <li> <code>src/java.base/share/classes/javax/security/cert</code><br /> <p>The old JSSE 1.x certificate classes, also here only for compatibility. 
These APIs should be avoided in favor of the <code>java.security.cert</code> equivalent classes.</p> </li> <li> <code>src/java.security.jgss/share/classes/org/ietf/jgss</code><br /> <code>src/java.security.jgss/share/classes/javax/security/auth/kerberos</code><br /> <code>src/java.security.jgss/share/classes/sun/security/krb5</code><br /> <code>src/java.security.jgss/share/classes/sun/security/jgss</code><br /> <code>src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego</code><br /> <code>src/java.security.jgss/share/classes/native/libj2gss</code><br /> <p>Classes and native code for the <code>java.security.jgss</code> module which include the Java bindings of GSS-API, Kerberos APIs, and implementations of the Kerberos v5 and SPNEGO GSS-API mechanisms.</p> </li> <li> <code>src/java.security.sasl/share/classes/javax/security/sasl</code><br /> <code>src/java.security.sasl/share/classes/com/sun/security/sasl</code><br /> <p>Classes for the <code>java.security.sasl</code> module which include the SASL API and implementations of the DIGEST-MD5, CRAM-MD5, and NTLM mechanisms.</p> </li> <li> <code>src/java.smartcardio/share/classes/javax/smartcardio</code><br /> <code>src/java.smartcardio/share/classes/sun/security/smartcardio</code><br /> <code>src/java.smartcardio/share/native/libj2pcsc</code><br /> <p>Classes and native code for the <code>java.smartcardio</code> module which include the Smart Card I/O API and <code>SunPCSC</code> provider implementation.</p> </li> <li> <code>src/java.xml.crypto/share/classes/javax/xml/crypto</code><br /> <code>src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal</code><br /> <code>src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security</code><br /> <p>Classes for the <code>java.xml.crypto</code> module which include the XML Digital Signature API and <code>XMLDSigRI</code> provider implementation.</p> </li> <li> <code>src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11</code><br /> 
<code>src/jdk.crypto.cryptoki/share/native/libj2pkcs11</code><br /> <p>Classes and native code for the <code>jdk.crypto.cryptoki</code> module which contains the <code>SunPKCS11</code> provider implementation. The <code>SunPKCS11</code> provider allows calls made through the standard Java cryptography APIs to be routed into a native PKCS11 library.</p> </li> <li> <code>src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi</code><br /> <code>src/jdk.crypto.mscapi/native/libsunmscapi</code><br /> <p>Classes and native code for the <code>jdk.crypto.mscapi</code> module which contains the <code>SunMSCAPI</code> provider implementation.</p> </li> <li> <code>src/jdk.jartool/share/classes/jdk/security/jarsigner</code><br /> <code>src/jdk.jartool/share/classes/sun/security/tools/jarsigner</code><br /> <p>Classes for the <code>jdk.jartool</code> module which contains the JarSigner API and source code for <a href="https://docs.oracle.com/en/java/javase/21/docs/specs/man/jarsigner.html"> jarsigner</a>.</p> </li> <li> <code>src/jdk.security.auth/share/classes/com/sun/security/auth</code><br /> <code>src/jdk.security.auth/unix/native/libjaas</code><br /> <code>src/jdk.security.auth/windows/native/libjaas</code><br /> <p>Classes and native code for the <code>jdk.security.auth</code> module which contains implementations of the <code>javax.security.auth</code> interfaces and various authentication modules.</p> </li> <li> <code>src/jdk.security.jgss/share/classes/com/sun/security/jgss</code><br /> <code>src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb</code><br /> <p>Classes for the <code>jdk.security.jgss</code> module which contains JDK extensions to the GSS-API and an implementation of the SASL GSSAPI mechanism.</p> </li> </ul> <h2>Cryptographic Cautions</h2> <p>Anyone who has worked in cryptography knows the import/export of cryptographic code involves complicated legal issues. 
The JCE in OpenJDK has an open cryptographic interface, meaning it does not restrict which providers can be used. <b>Compliance with United States export controls and with local law governing the import/export of products incorporating the JCE in the OpenJDK is the responsibility of the licensee.</b></p> <h2>Testing your changes</h2> <p>As a rule, unit tests for fixes and new functionality are pretty much mandatory. In addition, before submitting changes, you should run the relevant regression tests to make sure that the existing tests continue to pass. For the security component, at a minimum you should run:</p> <ul> <li>test/jdk/*/net</li> <li>test/jdk/*/security</li> <li>test/jdk/javax/crypto</li> <li>test/jdk/com/sun/crypto</li> <li>test/jdk/javax/xml/crypto</li> <li>test/jdk/javax/smartcardio</li> <li>test/jdk/com/sun/security</li> <li>test/jdk/com/sun/org/apache/xml/internal/security</li> <li>test/jdk/security/infra</li> </ul> <p>You can run the security tests with <code>make test</code>:</p> <code>make test TEST="jdk_security jdk_security_infra"</code> <p>To run a single test, specify the pathname of the test, for example:</p> <code>make test TEST="test/jdk/java/security/Provider/GetInstance.java"</code> <p>It is also a good idea to run all tests in tier1 and tier2 for more assurance that your change won't break other parts of the JDK:</p> <code>make test TEST="tier1 tier2"</code> <p>See the <a href="https://openjdk.org/guide/#testing-the-jdk">Testing the JDK section</a> of the OpenJDK Developer's Guide for more details on how to write and run tests. If your changes break something, it will be a lot more work to diagnose, and then fix or back out. Do as much testing as possible.</p> <h2>Issues</h2> Issues are tracked in the <a href="https://bugs.openjdk.org/">JDK Bug System</a>. Security bugs are tracked in the <code>security-libs</code> component. 
There are several subcomponents depending on what area the issue affects: <code>java.security</code>, <code>javax.security</code>, <code>javax.net.ssl</code>, <code>javax.crypto</code>, <code>javax.crypto:pkcs11</code>, <code>org.ietf.jgss</code>, <code>org.ietf.jgss:krb5</code>, <code>javax.xml.crypto</code>, <code>javax.smartcardio</code>, and <code>jdk.security</code>. <h2>Documentation</h2> <ul> <li><a href="https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html"> The Java Security Overview</a> (SE 21 version, part of the Security Documentation below) is probably the best place to start learning about the overall Java security architecture and implementation.</li> <li><a href="https://docs.oracle.com/en/java/javase/21/security/index.html">The Java SE 21 Security Documentation</a> provides much more detailed information, and should be understood before undertaking any work in this area.</li> <li>The book <a href="https://www.oracle.com/java/technologies/javaee/api-design-implementation.html"> <i>Inside the Java 2 Platform Security, Second Edition</i></a> by Li Gong et al. is dated (circa JDK 1.4), but provides valuable information and rationale for some of the JDK design decisions.</li> </ul> <h2>Community</h2> <ul> <li><strong>Mailing lists</strong> <ul> <li><a href="https://mail.openjdk.org/mailman/listinfo/security-dev">security-dev</a><br /> This mailing list is sponsored by the members of the OpenJDK Security community and is comprised of developers interested in the design, implementation, and maintenance of the various Java Standard Edition (Java SE) security components. 
It is not for general JDK support.</li> </ul> </li> </ul> </div><div id="footer"> © 2024 Oracle Corporation and/or its affiliates <br /><a href="/legal/tou/">Terms of Use</a> · License: <a href="/legal/gplv2+ce.html">GPLv2</a> · <a href="https://www.oracle.com/us/legal/privacy/">Privacy</a> · <a href="https://openjdk.org/legal/openjdk-trademark-notice.html">Trademarks</a></div></body></html>