Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P3
Fix Version/s: 15
Affects Version/s: 8, 11, 13, 15
Component/s: security-libs
Labels:

Subcomponent:
java.security
Resolved In Build:
b20
Verification:
Verified

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8295074	13.0.14	Alexey Bakhtin	P3	Resolved	Fixed	b01
JDK-8295117	13.0.13	Alexey Bakhtin	P3	Resolved	Fixed	b05
JDK-8259465	11.0.11-oracle	Prasadarao Koppula	P3	Resolved	Fixed	b01
JDK-8259684	11.0.11	Sean Mullan	P3	Resolved	Fixed	b01
JDK-8267258	openjdk8u302	Alexey Bakhtin	P3	Resolved	Fixed	b04
JDK-8259616	8u291	Prasadarao Koppula	P3	Resolved	Fixed	b02
JDK-8262650	emb-8u291	Prasadarao Koppula	P3	Resolved	Fixed	team
JDK-8260419	7u301	Prasadarao Koppula	P3	Resolved	Fixed	b03

Policy fails to initialize properly under the following set of conditions:

1. Signed JAR on the classpath
2. SHA-1 denyAfter constraint set in the jdk.jar.disabledAlgorithms property in the java.security file
3. SecurityManager enabled
4. Policy file granting permission based on who signed jar and keystore entry containing the alias/key
5. Code triggering a permission check based on that grant

There are two issues that prevent the application from being granted the permission:

1. A recursive load of the SunEC provider. The PKCS12 KeyStore in the policy file needs to load SunJCE in order to verify the integrity of the keystore. This uses ServiceLoader to find SunJCE which causes all Providers to be loaded, SL also triggers a permission check, which causes the Policy to be parsed again, etc ...

See comments for stack trace.

2. Similar to above. The PKCS12 KeyStore in the policy file calls sun.security.util.KeyStoreUtil.signedBy(). The static initialization of KeyStoreUtil instantiates java.text.Collator, which uses ServiceLoader to find a locale provider, which triggers a permission check, which causes Policy to be parsed again, etc ...

See comments for stack trace.

backported by

JDK-8259465 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8259616 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8259684 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8260419 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8262650 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8267258 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8295074 Policy initialization issues when the denyAfter constraint is enabled

Resolved

JDK-8295117 Policy initialization issues when the denyAfter constraint is enabled

Resolved

blocks

JDK-8196415 Disable SHA-1 Signed JARs

Closed

duplicates

JDK-8266290 Jar Verification performs initializations that cause NoSuchAlgorithmException

Closed

JDK-8266279 8u292 NoSuchAlgorithmException unrecognized algorithm name: PBEWithSHA1AndDESede

Closed

relates to

JDK-8247961 java.security.debug may raise ClassCircularityError

Resolved

JDK-8266279 8u292 NoSuchAlgorithmException unrecognized algorithm name: PBEWithSHA1AndDESede

Closed

JDK-8266290 Jar Verification performs initializations that cause NoSuchAlgorithmException

Closed

links to

Commit openjdk/jdk13u-dev/ff312435

Review openjdk/jdk13u-dev/416

(3 backported by, 1 blocks, 2 duplicates, 3 relates to, 2 links to)

Assignee:: Sean Mullan

Reporter:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2020-04-13 05:11

Updated:: 2022-10-11 00:03

Resolved:: 2020-04-16 06:51

Details

Backports

Description

Attachments

Issue Links

Activity

People

Dates