JDK-8242565

Policy initialization issues when the denyAfter constraint is enabled

    Details

    • Subcomponent:
    • Resolved In Build:
      b20
    • Verification:
      Verified

      Description

      Policy fails to initialize properly under the following set of conditions:

      1. Signed JAR on the classpath
      2. SHA-1 denyAfter constraint set in the jdk.jar.disabledAlgorithms property in the java.security file
      3. SecurityManager enabled
      4. Policy file granting permission based on who signed the JAR, and a keystore entry containing the alias/key
      5. Code triggering a permission check based on that grant

      There are two issues that prevent the application from being granted the permission:

      1. A recursive load of the SunEC provider. The PKCS12 KeyStore in the policy file needs to load SunJCE in order to verify the integrity of the keystore. This uses ServiceLoader to find SunJCE, which causes all Providers to be loaded. ServiceLoader also triggers a permission check, which causes the Policy to be parsed again, etc ...

      See comments for stack trace.
       
      2. Similar to above. The PKCS12 KeyStore in the policy file calls sun.security.util.KeyStoreUtil.signedBy(). The static initialization of KeyStoreUtil instantiates java.text.Collator, which uses ServiceLoader to find a locale provider, which triggers a permission check, which causes Policy to be parsed again, etc ...

      See comments for stack trace.
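The five conditions from the description, written out as configuration. This is an added example, not part of the original report or the JDK's own test. The alias `signer`, the file names, the date, the granted permission and the class name `Main` are constructed, and the `keystorePasswordURL` entry is an assumption so that the PKCS12 keystore is integrity-checked on load.

```shell
#!/bin/sh
# Added illustration: writes the two configuration files behind conditions 2
# and 4 and prints the launch command covering conditions 1, 3 and 5.
# Every name, path and date below is constructed for the example.

# Condition 2: java.security override with a SHA-1 denyAfter constraint.
write_security_override() {
    cat > "$1/override.security" <<'EOF'
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, SHA1 denyAfter 2019-01-01
EOF
}

# Condition 4: PKCS12 keystore entry plus a grant keyed on the signer alias.
# keystorePasswordURL is assumed, so the keystore integrity is verified on load.
write_policy() {
    cat > "$1/app.policy" <<EOF
keystore "file:$1/signers.p12", "PKCS12";
keystorePasswordURL "file:$1/signers.pass";
grant signedBy "signer" {
    permission java.util.PropertyPermission "user.home", "read";
};
EOF
}

# Conditions 1, 3 and 5: signed app.jar on the class path, SecurityManager
# enabled, and a hypothetical Main that calls System.getProperty("user.home").
launch_command() {
    printf 'java -Djava.security.properties=%s/override.security ' "$1"
    printf -- '-Djava.security.manager -Djava.security.policy=%s/app.policy ' "$1"
    printf -- '-cp %s/app.jar Main\n' "$1"
}

dir=$(mktemp -d)
write_security_override "$dir"
write_policy "$dir"
launch_command "$dir"
```

The script only writes the files and prints the command; creating `signers.p12` and signing `app.jar` with the matching key are left to `keytool` and `jarsigner`.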

              People

              • Assignee:
                mullan Sean Mullan
                Reporter:
                mullan Sean Mullan