8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR #7316

Closed
wants to merge 3 commits into from

seanjmullan
Member

@seanjmullan seanjmullan commented Feb 1, 2022

This fixes a bootstrapping issue if a custom system class loader is set with the -Djava.system.class.loader option and the custom class loader is inside a signed JAR. In order to load the custom class loader, the runtime must verify the signed JAR first, and the algorithm constraint code tries to load a Locale provider using a ServiceLoader before the class loader is set, and this causes a ServiceConfigurationError.

The fix removes a dependency from the security algorithm "denyAfter" constraint parsing code on the Calendar API which uses a ServiceLoader for gathering default locale information. Instead the ZonedDateTime API is now used, which simplifies the code and removes some unnecessary code from keytool as well.


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/7316/head:pull/7316
$ git checkout pull/7316

Update a local copy of the PR:
$ git checkout pull/7316
$ git pull https://git.openjdk.java.net/jdk pull/7316/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 7316

View PR using the GUI difftool:
$ git pr show -t 7316

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/7316.diff
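
Added example, not part of the pull request or the JDK sources: a sketch of parsing a "denyAfter" date of the form YYYY-MM-DD with `ZonedDateTime` alone, so that no `Calendar` instance (and, per the description above, no locale provider lookup through a ServiceLoader) is involved. The class and method names are hypothetical, the sample dates are constructed, and treating a time at or past the cutoff as denied is an assumption of this example.

```java
import java.time.DateTimeException;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;

public class DenyAfterDemo {  // hypothetical name, not a JDK class

    /** Parses "YYYY-MM-DD" into the instant of midnight UTC on that day. */
    static Instant parseDenyAfter(String value) {
        String[] parts = value.trim().split("-");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected YYYY-MM-DD, got: " + value);
        }
        try {
            int year = Integer.parseInt(parts[0]);
            int month = Integer.parseInt(parts[1]);
            int day = Integer.parseInt(parts[2]);
            // ZonedDateTime.of validates the fields and throws DateTimeException
            // for impossible dates such as 2019-02-30.
            return ZonedDateTime.of(year, month, day, 0, 0, 0, 0, ZoneOffset.UTC)
                                .toInstant();
        } catch (NumberFormatException | DateTimeException e) {
            throw new IllegalArgumentException("invalid denyAfter date: " + value, e);
        }
    }

    /** Assumption of this example: a time at or past the cutoff is denied. */
    static boolean isDenied(Instant cutoff, Instant when) {
        return !when.isBefore(cutoff);
    }

    public static void main(String[] args) {
        Instant cutoff = parseDenyAfter("2019-01-01");  // constructed sample value
        System.out.println("cutoff: " + cutoff);
        System.out.println("2018-06-01 denied: "
                + isDenied(cutoff, Instant.parse("2018-06-01T00:00:00Z")));
        System.out.println("2022-02-01 denied: "
                + isDenied(cutoff, Instant.parse("2022-02-01T00:00:00Z")));
        try {
            parseDenyAfter("2019-02-30");  // constructed invalid date
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```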

@bridgekeeper

bridgekeeper bot commented Feb 1, 2022

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk

openjdk bot commented Feb 1, 2022

@seanjmullan The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Feb 1, 2022
@openjdk openjdk bot added the rfr Pull request is ready for review label Feb 1, 2022
@mlbridge

mlbridge bot commented Feb 1, 2022

Webrevs

Contributor

@wangweij wangweij left a comment

LGTM.

@openjdk

openjdk bot commented Feb 4, 2022

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

Reviewed-by: weijun, hchao

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 97 new commits pushed to the master branch:

  • f7814c1: 8139173: [macosx] JInternalFrame shadow is not properly drawn
  • 77b0240: 8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
  • 42e272e: 8281289: Improve with List.copyOf
  • 48523b0: 8281049: man page update for jstatd Security Manager dependency removal
  • 8e4ef81: 8280767: -XX:ArchiveClassesAtExit does not archive BoundMethodHandle$Species classes
  • f5d6fdd: 8280476: [macOS] : hotspot arm64 bug exposed by latest clang
  • d4b99bc: 8281120: G1: Rename G1BlockOffsetTablePart::alloc_block to update_for_block
  • 66b2c3b: 8280948: [TESTBUG] Write a regression test for JDK-4659800
  • 7207f2a: Merge
  • 01f93dd: 8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
  • ... and 87 more: https://git.openjdk.java.net/jdk/compare/ece89c6df167e9a7f99b00e3f89c2c41c10ab31b...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Feb 4, 2022
@haimaychao
Contributor

Looks good to me.

classes.resolve("Main.class"));

// create signer's keypair
SecurityTools.keytool("-genkeypair -keyalg RSA -keystore ks " +
Member

Hello Sean,
Looking at the SecurityTools.keytool and SecurityTools.jarsigner methods, they internally launch a process corresponding to these tools but do not check for the exit code of that process execution. Perhaps the calls to these methods in this test should add a check to assert that the exit code is 0 by using the returned OutputAnalyzer?

Member Author

Good catch - fixed in latest update.

@jaikiran
Member

jaikiran commented Feb 7, 2022

Thank you for that change, Sean. Looks fine to me.

@seanjmullan
Member Author

/integrate

@openjdk

openjdk bot commented Feb 7, 2022

Going to push as commit a0f6f24.
Since your change was applied there have been 106 commits pushed to the master branch:

  • 22a1a32: 8268387: Rename maximum compaction to maximal compaction in G1
  • 7667771: 8281114: G1: Remove PreservedMarks::init_forwarded_mark
  • 4c16949: 8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
  • f3e8242: 8280965: Tests com/sun/net/httpserver/simpleserver fail with FileSystemException on Windows 11
  • 95fd9d2: 8281243: Test java/lang/instrument/RetransformWithMethodParametersTest.java is failing
  • f5e0870: 8281117: Add regression test for JDK-8280587
  • f230282: 8281298: Revise the creation of unmodifiable list
  • 5dfff74: 8166050: partialArray is not created in javax.swing.text.html.parser.NPrintWriter.println(...) method
  • 2f48a3f: 8279878: java/awt/font/JNICheck/JNICheck.sh test fails on Ubuntu 21.10
  • f7814c1: 8139173: [macosx] JInternalFrame shadow is not properly drawn
  • ... and 96 more: https://git.openjdk.java.net/jdk/compare/ece89c6df167e9a7f99b00e3f89c2c41c10ab31b...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Feb 7, 2022
@openjdk openjdk bot closed this Feb 7, 2022
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Feb 7, 2022
@openjdk

openjdk bot commented Feb 7, 2022

@seanjmullan Pushed as commit a0f6f24.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels
integrated Pull request has been integrated security security-dev@openjdk.org
4 participants