Jarsigner issue with jre/lib/ext removal

According to this article: https://blogs.oracle.com/java-platform-group/planning-safe-removal-of-under-used-endorsed-extension-directories

jre/lib/ext was removed in Java 9.

My problem is that I am using Jarsigner, and in previous Java versions it found my provider jar in the jre/lib/ext folder.

jarsigner -tsa timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 
      -storepass null -providername <MY_PROVIDER_NAME> <JAR_FILE> <CERTIFICATE_NAME> 

How can I solve this?

The changes to the installed JDK/JRE image bring in the run-time image, which consists of directories including -

conf — contains .properties, .policy, and other kinds of files intended to be edited by developers, deployers, and end users. These files were formerly found in the lib directory or its subdirectories.


The java.security file in JDK9 (located under .../Home/conf/security) lists the SunPKCS11 provider in the default list of providers

security.provider.13=SunPKCS11

The SunPKCS11 Configuration section under the reference guide details how to add the provider, which is present in the jdk.crypto.cryptoki module of the JDK.

Hence, ideally, there is also no need to configure a path to the sunpkcs11 provider in Java9.


To add an example of how the providers are bundled into modules, from JEP 220: Modular Run-Time Images

Security-policy files and other uses of the CodeSource API can use jrt URLs to name specific modules for the purpose of granting permissions. The elliptic-curve cryptography provider, e.g., can now be identified by the jrt URL

jrt:/jdk.crypto.ec 

Other modules that are currently granted all permissions but do not actually require them can trivially be de-privileged, i.e., given precisely the permissions they require.

I finally managed to solve this, based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-7C304A79-6D0B-438B-A02E-51648C909876

The following needs to be done (specifying only what is new for Java9):

Add a module declaration as per step 4:

module com.foo.MyProvider {
    provides java.security.Provider with p.MyProvider;
    requires java.security.jgss;
}

When running Jarsigner, run it with the module path:

jarsigner -J--module-path -J<PATH_TO_PROVIDER_JAR> -J--add-modules -J<MODULE_NAME>
-tsa timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 -storepass null -providername <MY_PROVIDER_NAME> <JAR_FILE> <CERTIFICATE_NAME>
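
A way to check the setup above before signing, as an added example that is not part of the original posts: run with the same module options as jarsigner, this small class reports whether the provider module is visible as a java.security.Provider service, whether its name is in the registered provider list, and whether it offers a PKCS11 keystore. The class name ProviderCheck is hypothetical, and the check assumes jarsigner resolves -providername from the registered provider list.

```java
// ProviderCheck.java: added example, not code from the original post.
// Compile with javac, then run with the same module options as jarsigner:
//   java --module-path <PATH_TO_PROVIDER_JAR> --add-modules <MODULE_NAME> -cp . ProviderCheck <MY_PROVIDER_NAME>
import java.security.Provider;
import java.security.Security;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;

public class ProviderCheck {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: ProviderCheck <PROVIDER_NAME>");
            System.exit(2);
        }
        String wanted = args[0];

        // 1. Discovery: every provider published via "provides java.security.Provider with ..."
        //    (or META-INF/services) that the system class loader can see.
        boolean discovered = false;
        try {
            for (Provider p : ServiceLoader.load(Provider.class, ClassLoader.getSystemClassLoader())) {
                Module m = p.getClass().getModule();
                System.out.printf("service  %-16s module=%s%n", p.getName(),
                        m.isNamed() ? m.getName() : "<unnamed>");
                discovered |= p.getName().equals(wanted);
            }
        } catch (ServiceConfigurationError e) {
            System.err.println("a provider could not be loaded: " + e.getMessage());
        }

        // 2. Registration: the provider list built from conf/security/java.security.
        Provider registered = Security.getProvider(wanted);
        // 3. Capability: -storetype PKCS11 needs a KeyStore.PKCS11 service from that provider.
        boolean hasKeyStore = registered != null && registered.getService("KeyStore", "PKCS11") != null;

        System.out.println("discovered as a service : " + discovered);
        System.out.println("registered by name      : " + (registered != null));
        System.out.println("offers KeyStore.PKCS11  : " + hasKeyStore);
        if (!discovered) {
            System.out.println("hint: check --module-path/--add-modules and the module declaration");
        } else if (registered == null) {
            System.out.println("hint: the module is visible but the name is not in the provider list");
        }
        System.exit(discovered && hasKeyStore ? 0 : 1);
    }
}
```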