JDK-8215932

JCE third-party provider not loading when signed with EC certificate


    • Type: Bug
    • Resolution: Unresolved
    • Priority: P3
    • Fix Version/s: None
    • Affects Version/s: 9, 10, 11.0.1, 12
    • Component/s: security-libs

      A third-party provider signed with a certificate using an EC key (secp384r1) is failing to load when used with the module path option on the command line (-p). When signed with an RSA-based certificate from the same CA, the provider loads properly.

      The EC signed provider will load properly using default provider locations with JDK 8 (8u191), which may point to a module loading issue. This issue was first observed with JDK 11 (11.0.1), though other module-based JDK releases have not been tested at this time and may exhibit similar failures.

      It should also be noted that when the path to the provider jar is specified on the command line with the -cp option, JDK 11 test code that would fail with the -p option will pass.

      Detailed logs show that the SunEC provider fails to load through the ServiceLoader facility (snippet from the JDK 11 debug log):

      ProviderConfig: Loading provider SunEC
      ProviderConfig: Attempt to load SunEC using SL
      ProviderConfig: Loading legacy provider: SunEC
      ProviderConfig: Error loading legacy provider SunEC
      java.lang.ClassNotFoundException: SunEC
          at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:583)
          at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
          at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
          at java.base/sun.security.jca.ProviderConfig$ProviderLoader.legacyLoad(ProviderConfig.java:381)
          at java.base/sun.security.jca.ProviderConfig$ProviderLoader.load(ProviderConfig.java:358)
          at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
          at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
          at java.base/java.security.AccessController.doPrivileged(Native Method)
          at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
          at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
          at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
          at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
          at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
          at java.base/java.security.Security.getImpl(Security.java:698)
          at java.base/java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:158)
          at java.base/sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
          at java.base/sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
          at java.base/sun.security.x509.AlgorithmId.parse(AlgorithmId.java:374)
          at java.base/sun.security.x509.X509Key.parse(X509Key.java:168)
          at java.base/sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
          at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:674)
          at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
          at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1854)
          at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
          at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
          at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
          at java.base/sun.security.pkcs.PKCS7.parseSignedData(PKCS7.java:328)
          at java.base/sun.security.pkcs.PKCS7.parse(PKCS7.java:186)
          at java.base/sun.security.pkcs.PKCS7.parse(PKCS7.java:154)
          at java.base/sun.security.pkcs.PKCS7.<init>(PKCS7.java:136)
          at java.base/sun.security.util.SignatureFileVerifier.<init>(SignatureFileVerifier.java:127)
          at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:297)
          at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:230)
          at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:757)
          at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:838)
          at java.base/jdk.internal.module.ModulePath.deriveModuleDescriptor(ModulePath.java:545)
          at java.base/jdk.internal.module.ModulePath.readJar(ModulePath.java:643)
          at java.base/jdk.internal.module.ModulePath.readModule(ModulePath.java:330)
          at java.base/jdk.internal.module.ModulePath.scanDirectory(ModulePath.java:283)
          at java.base/jdk.internal.module.ModulePath.scan(ModulePath.java:231)
          at java.base/jdk.internal.module.ModulePath.scanNextEntry(ModulePath.java:189)
          at java.base/jdk.internal.module.ModulePath.findAll(ModulePath.java:165)
          at java.base/java.lang.module.ModuleFinder$2.lambda$findAll$2(ModuleFinder.java:368)
          at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271)
          at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720)
          at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
          at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
          at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
          at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
          at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
          at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497)
          at java.base/java.lang.module.ModuleFinder$2.findAll(ModuleFinder.java:369)
          at java.base/java.lang.module.Resolver.findAll(Resolver.java:841)
          at java.base/java.lang.module.Resolver.bind(Resolver.java:223)
          at java.base/java.lang.module.Configuration.resolveAndBind(Configuration.java:304)
          at java.base/java.lang.module.ModuleDescriptor$1.resolveAndBind(ModuleDescriptor.java:2735)
          at java.base/jdk.internal.module.ModuleBootstrap.boot(ModuleBootstrap.java:331)
          at java.base/java.lang.System.initPhase2(System.java:2011)
      ProviderConfig: Error loading provider SunEC

      With the third-party provider jar file on the module path, as opposed to being an explicit member of the classpath, the ServiceLoader appears to go into a recursive loop trying to verify SunEC and eventually produces the exception above. We don't see this with the Sun and SunRsaSign providers because the loading code instantiates those providers directly. With SunEC (and some other providers as well) the ServiceLoader is involved. When the classpath approach is used on the command line, the ServiceLoader doesn't find SunEC and falls back to the classpath to load SunEC, which works.
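The following diagnostic is an added example, not the JDK's code and not the attached SignedProviderTest: it reports the key algorithm of the certificate that signed a provider jar (EC versus RSA, the distinguishing factor in this report) and then asks the JCA for the provider by name, so the same invocation can be compared with `-p` and with `-cp`. It assumes the provider is already registered under the given name (for example via a `security.provider.N` line in `java.security`), and the jar path and provider name are command-line arguments.

```java
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added diagnostic (hypothetical class name); not part of the JDK sources.
public class SignedProviderCheck {
    // Returns e.g. "EC" or "RSA" for the first signed entry, or null if the jar is unsigned.
    static String signerKeyAlgorithm(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {          // true: verify signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only populated once the entry has been read to EOF.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs != null && certs.length > 0) {
                    return certs[0].getPublicKey().getAlgorithm();
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java SignedProviderCheck <provider.jar> <providerName>");
            System.exit(2);
        }
        String alg = signerKeyAlgorithm(args[0]);
        System.out.println("signer key algorithm: " + (alg == null ? "unsigned" : alg));

        // Provider lookup goes through the same ProviderConfig/ServiceLoader path as the log above.
        Provider p = Security.getProvider(args[1]);
        System.out.println("provider " + args[1] + ": "
                + (p == null ? "NOT loaded" : "loaded (" + p.getClass().getName() + ")"));

        // SunEC itself is what fails to load in the debug log; check it separately.
        System.out.println("SunEC: " + (Security.getProvider("SunEC") == null ? "NOT loaded" : "loaded"));
    }
}
```

Run it once with the provider jar on the module path (`java -p <dir> ...`) and once on the classpath (`java -cp <provider.jar>:. ...`), adding `-Djava.security.debug=jca` to obtain the ProviderConfig lines shown in the log above.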

      Attachments:
        1. SignedProviderTest.java (0.9 kB, Jamil Nimeh)
        2. osign-ecsign-j11-fulldbg.txt.gz (7 kB, Jamil Nimeh)

      Assignee: Jamil Nimeh (jnimeh)
      Reporter: Jamil Nimeh (jnimeh)