Jarsigner issue with jre/lib/ext removal

Question

According to this article : https://blogs.oracle.com/java-platform-group/planning-safe-removal-of-under-used-endorsed-extension-directories

the jre/lib/ext removed in Java 9.

My problem is that I am using Jarsigner which in previous Java versions found my provider jar in the jre/lib/ext folder.

jarsigner -tsa timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 
      -storepass null -providername <MY_PROVIDER_NAME> <JAR_FILE> <CERTIFICATE_NAME>

How can I solve it?

Isn't the `` enough to specify the jar to be signed. How does the `jre/lib/ext` removal impact this? — Naman, Nov 22 '17 at 03:37
The is the JAR file to be signed. In jre/lib/ext i put my Java security provider JAR. — Saar peer, Nov 22 '17 at 08:25

Naman · Answer 1 · 2017-11-23T02:10:52.783

The changes to the installed JDK/JRE image brings along runtime images which consists of directories including -

conf — contains .properties, .policy, and other kinds of files intended to be edited by developers, deployers, and end users. These files were formerly found in the lib directory or its subdirectories.

The java.security file within JDK9 (located under .../Home/conf/security) lists out the SunPKCS11 provider amongst the list of default providers

security.provider.13=SunPKCS11

#SunPKCS11 Configuration under the reference guide details out how to add provider which is present in the jdk.crypto.cryptoki module of the JDK.

So, ideally there shouldn't be a need to configure path to the sunpkcs11 provider in Java9 as well.

To add and example of how providers are bundled into modules, to it from the JEP 220: Modular Run-Time Images

Security-policy files and other uses of the CodeSource API can use jrt URLs to name specific modules for the purpose of granting permissions. The elliptic-curve cryptography provider, e.g., can now be identified by the jrt URL
jrt:/jdk.crypto.ec 
Other modules that are currently granted all permissions but do not actually require them can trivially be de-privileged, i.e., given precisely the permissions they require.

score 1 · Accepted Answer · answered Dec 03 '17 at 12:35

i finally succeeded to resolve this issue, based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-7C304A79-6D0B-438B-A02E-51648C909876

Need to do the following (Only specifying what is new for Java9) :

Follow step 4 and add a module declaration:

module com.foo.MyProvider {
    provides java.security.Provider with p.MyProvider;
    requires java.security.jgss;
}

When running the Jarsigner run with with module–path:

jarsigner -J--module-path -J<PATH_TO_PROVIDER_JAR> -J--add-modules -J<MODULE_NAME>
-tsa timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 -storepass null -providername <MY_PROVIDER_NAME> <JAR_FILE> <CERTIFICATE_NAME>

Jarsigner issue with jre/lib/ext removal

2 Answers2