无法将已签名的Java安全提供程序与JMOD打包

huangapple go评论82阅读模式
英文:

Cannot package signed Java security providers with JMOD

问题

我正在阅读有关在Java密码体系结构中实现提供程序的文档,它指出:

> 不能将已签名的提供程序打包到JMOD文件中

该文章还指出:

> 仅提供那些提供Cipher、KeyAgreement、KeyGenerator、Mac或SecretKeyFactory实例的提供程序必须签名。如果您的提供程序只提供SecureRandom、MessageDigest、Signature、KeyStore等实例,则不需要对提供程序进行签名。

我尝试使用JDK 11版本开发此提供程序,该版本使用.jmod文件来替代.jar文件。

我还查看了标准安全策略使用的函数,并且其中许多函数使用Cipher、KeyAgreement、KeyGenerator、Mac或SecretKeyFactory,但在我使用的JDK 11中以某种方式打包为.jmod格式。

有人能进一步解释这个吗?

英文:

I'm reading this documentation about implementing a provider in the Java cryptography architecture and it states that

> You cannot package signed providers in JMOD files

The article also states:

> Only providers that supply instances of Cipher, KeyAgreement, KeyGenerator, Mac, or SecretKFactory must be signed. If your provider only supplies instances of SecureRandom, MessageDigest, Signature, KeyStore, etc., the provider does not need to be signed.

I am trying to develop this provider using the JDK 11 version, which makes use of .jmod files in replacement of .jar files.

And I was looking at the functions used by the standard security policies
and many of them use Cipher, KeyAgreement, KeyGenerator, Mac, or SecretKeyFactory, but are somehow packaged into .jmod format in the JDK 11 I'm using.

Can anyone explain this further?

答案1

得分: 1

以下是翻译好的部分:

在JDK中打包的jmod文件中的提供程序未经过“签名”,因为jmod不支持签名。如果您使用jmod list检查.jmod文件,您将不会找到任何.SF签名文件。

我正在尝试使用JDK 11版本开发此提供程序,该版本使用.jmod文件来替代.jar文件。

请注意,.jmod文件不完全替代jar文件。jmod文件只是链接文件。根据jmod文档

JMOD文件格式使您能够聚合除.class文件、元数据和资源之外的其他文件。此格式可传输但不可执行,这意味着您可以在编译时或链接时使用它,但在运行时不能使用。

换句话说,与JDK捆绑在一起的jmod文件不会直接加载进行执行,而是应该提供给诸如jlink之类的工具,这些工具会将其拆开并重新打包。这种重新打包会使任何签名哈希失效,因此很少有理由让jmod文件支持签名。

如果您想要分发自定义提供程序,必须使用jar文件进行分发,然后对这些jar文件进行签名。加载提供程序时是否需要签名取决于JDK发行版。

请注意,JDK自己的提供程序不是从捆绑的jmod文件中加载的,而是从一个实现特定的存档中加载的,其有效性是使用另一种机制进行验证的。


只有在您想要将本机库打包到存档中并分发该存档时,才需要使用jmod文件。在这种情况下,您的用户将不得不重新打包,然后重新对基于jmod文件生成的任何工件进行签名。

如果您不需要分发本机库,我的建议是改为分发.jar文件,这些文件可以使用jarsigner进行签名,然后直接用于执行。正如jmod文档中所述:

注意:对于大多数开发任务,包括在模块路径上部署模块或将其发布到Maven存储库,请继续将模块打包在模块化的JAR文件中。jmod工具适用于具有本机库或其他配置文件的模块,或者用于您打算使用jlink工具链接到运行时映像的模块。

英文:

The providers in the jmod files packaged in the JDK are not 'signed', because jmods don't support signing. If you inspect the .jmod files with jmod list you will not find any .SF signature files for instance.

> I am trying to develop this provider using the JDK 11 version, which makes use of .jmod files in replacement of .jar files.

Note that .jmod files are not full replacements for jar files. jmod files are link-only artifacts. From the jmod doc:

> The JMOD file format lets you aggregate files other than .class files, metadata, and resources. This format is transportable but not executable, which means that you can use it during compile time or link time but not at run time.

In other words, the jmod files bundled with the JDK are not loaded directly for execution, but are instead meant to be fed to tools such as jlink, which pull them apart and re-package them. This re-packaging would invalidate any signature hashes any ways, so there is less reason why jmod files need to support signing.

If you want to distribute custom providers, you will have to distribute them using jar files, and then sign those jar files. Whether the signing is required when loading the providers depends on the JDK distribution.

Note that the JDK's own providers are not loaded from the bundled jmod files, but from an implementation specific archive whose validity is verified using another mechanism.


Using jmod files is only necessary if you want to package native libraries into an archive, and then distribute that archive. In that case, your users would have to re-package and then re-sign whatever artifact they end up generating based the jmod files.

If you don't need to distribute native libraries, my advice would be to distribute .jar files instead, which can be signed with jarsigner and then used for execution directly. As also stated in the jmod doc:

> Note: For most development tasks, including deploying modules on the module path or publishing them to a Maven repository, continue to package modules in modular JAR files. The jmod tool is intended for modules that have native libraries or other configuration files or for modules that you intend to link, with the jlink tool, to a runtime image.

huangapple
  • 本文由 发表于 2020年7月24日 05:00:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/63063042.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定