Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8242565

Policy initialization issues when the denyAfter constraint is enabled

    XMLWordPrintable

    Details

    • Subcomponent:
    • Resolved In Build:
      b20
    • Verification:
      Verified

      Backports

        Description

        Policy fails to initialize properly under the following set of conditions:

        1. Signed JAR on the classpath
        2. SHA-1 denyAfter constraint set in the jdk.jar.disabledAlgorithms property in the java.security file
        3. SecurityManager enabled
        4. Policy file granting permission based on who signed jar and keystore entry containing the alias/key
        5. Code triggering a permission check based on that grant

        There are two issues that prevent the application from being granted the permission:

        1. A recursive load of the SunEC provider. The PKCS12 KeyStore in the policy file needs to load SunJCE in order to verify the integrity of the keystore. This uses ServiceLoader to find SunJCE which causes all Providers to be loaded, SL also triggers a permission check, which causes the Policy to be parsed again, etc ...

        See comments for stack trace.
         
        2. Similar to above. The PKCS12 KeyStore in the policy file calls sun.security.util.KeyStoreUtil.signedBy(). The static initialization of KeyStoreUtil instantiates java.text.Collator, which uses ServiceLoader to find a locale provider, which triggers a permission check, which causes Policy to be parsed again, etc ...

        See comments for stack trace.

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                mullan Sean Mullan
                Reporter:
                mullan Sean Mullan
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: