Java and security bits

Modules and Security on OpenJDK

I'd like to say a few words about the projects and code on OpenJDK that I am involved with. First off, if you are interested in reading the JDK source code and maybe even contributing, I suggest starting by downloading the OpenJDK sources as a ZIP file from the download page (who came up with that URL?). You can also browse it online using the Subversion interface, but it is rather painful to navigate (I believe we are getting an OpenGrok server soon).

On to specifics. Let's start with the easy part: there is now a Modules project on OpenJDK. It's easy to talk about because it does not have any real content yet. That will change sometime this summer, once the infrastructure is in place. Then it will host the implementation efforts related to modularity in OpenJDK. That means the JSR 277 implementation, the JSR 294 implementation, as well as related changes not defined by those JSRs, e.g. the java launcher. We will make the code available prior to integration into the official JDK 7 trunk, i.e. much earlier than you would have gotten access prior to open source.

Then there is the Security group, which along with the web page also has a (so far rather quiet) mailing list. A lot of code belongs to that group. Let me highlight the pieces I am somehow involved in.

SSL/TLS (JSSE). The framework lives in src/share/classes/javax/net/ssl. The implementation of the SunJSSE provider is more interesting, see src/share/classes/sun/security/ssl. Note that JSSE was not included in the regular JRL source snapshot drops of JDK 6 and JDK 7 due to legal issues, but it is all available on OpenJDK. For an incremental build to compile just the SSL code after the initial full JDK build, go to the make/sun/security/other and run GNU make.

PKCS#11. The SunPKCS11 provider consists of both Java and C code. The Java code lives in src/share/classes/sun/security/pkcs11 and the C code in src/share/native/sun/security/pkcs11. There is also a little bit of platform specific C code in src/solaris (for Solaris and Linux) and src/windows. For an incremental build, go to make/sun/security/pkcs11. One thing to note about SunPKCS11 is that the encryption interface code is not currently open source. We were working through some build and export control issues with all the code related to encryption, chiefly the JCE framework and SunJCE provider but also parts of SunPKCS11. I believe we cleared all the major hurdles so this should be resolved soon. But for now, when you build SunPKCS11 from OpenJDK, encryption will not be available in that binary.

Smart Card I/O. Although JSR 268 is not part of the Java SE 6 platform, as Sun's Java SE implementation bundles the JSR 268 reference implementation, it is also open source and available on OpenJDK now! You can find the source for the framework in src/share/classes/javax/smartcardio the the SunPCSC provider implementation in src/share/classes/sun/security/smartcardio and src/share/native/sun/security/smartcardio.

Authentication related crypto code, i.e. the SUN and SunRsaSign providers. Most of that is in src/share/classes/sun/security/provider and src/share/classes/sun/security/rsa. As I mentioned above, the SunJCE provider is not yet open source but hopefully will follow soon.

That's about it. To quote Neo: I didn't come here to tell you how this is going to end. I came here to tell you how it's going to begin. In other words: the code is out there now. What happens next is up to you. Exciting times.

One last word: remember that OpenJDK is all about code. Actual bits that do something. The opposite of politics. Of course, some entities are trying to politicize the project. Please ignore them. In particular if those same entities are refusing to commit their core technologies to open source. Just ask them for their bits.

Update: for a status update on the crypto code, see this entry.

Posted at 00:50 May 29, 2007 by Andreas Sterbenz in Java  |  Comments[4]