4

I've been looking for the javax.crypto JDK source code and I could not find it. Either this is due to my abject searching inability or there must be a reason why the code is not available (the JDK is supposed to be open source, right?) . My guess is that the current jdk javax.crypto has a NSA-mandated backdoor, making open-source release awkward.

My questions are the following:

  1. Where is the jdk javax.crypto source code?
  2. If, as I believe, the jdk javax.crypto source code is not available, how can I check whether my fears that it contains a backdoor are justfied or not?

See Where do I find the javax.crypto source code?

Community
  • 1
  • 1
Andrea Alciato
  • 199
  • 1
  • 11
  • [This](http://kickjava.com/src/javax/crypto/Cipher.java.htm) belongs to an old version of the jce, but still note the key sentence "Because of various external restrictions (i.e. US export regulations, etc.), the actual source code can not be provided at this time.". My worry is what currently hides behind "etc.". – Andrea Alciato Aug 12 '13 at 08:14
  • 1
    AFAIU, the javax.crypto classes should just provide a bridge to the "specified provider"'s functionality . It is curious that access to such code should be restricted. Unless, that is, the bridge is not neutral and it modifies the provider's functionality. – Andrea Alciato Aug 13 '13 at 06:50

1 Answers1

3

The sources are available over Mercurial. For example, the sources for jdk8-b132's javax.crypto are here.

Notice that if you are suspecting a backdoor, you have no (easy) way to verify that those sources are actually the sources of the binaries you are using. You should build the JDK yourself to be sure…

Community
  • 1
  • 1
Didier L
  • 18,905
  • 10
  • 61
  • 103