[11u] RFR: 8266929: Unable to use algorithms from 3p providers
Severin Gehwolf
sgehwolf at redhat.com
Wed May 19 18:52:56 UTC 2021
Hi,

Please review this regression fix for 11.0.11+9. JDK-8249906 got
introduced as part of this update, which ended up in code changes which
may lead to earlier initialization of AlgorithmId's OID cache. After
JDK-8249906, the initialization of the OID cache might happen at jar
file verification time (when signed jars are in play). At that time a
reduced set of security providers is available. Since the OID cache is
never refreshed, a NoSuchAlgorithmException might be thrown later on
when trying to look up an algorithm provided by a third party provider
even though the algorithm provider got added to the list of available
providers (via Security.addProvider() or via a config file).

Bug: https://bugs.openjdk.java.net/browse/JDK-8266929
webrev: https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8266929/jdk11/01/webrev/

The proposed fix adds a hard-coded OID mapping to the AlgorithmId.algOID()
method so as to avoid initializing the OID cache at jar-file
verification time. Adding SHA256WithRSA to that list seems sufficient
as the JDK providers seem to be signed with that signature. More info
on the bug. With this patch JDK 11u would be back at 11.0.11+8
behaviour. Patch kindly provided by Sean Mullan.

Note that a separate bug has been filed for the OID cache not being
refreshed: JDK-8267397. This bug affects JDK 17 and JDK 16 as well.

Testing: tier1 and :jdk_security. No regressions noted. Passes the
reproducer of the bug post-patch (fails before).

Thoughts?

Thanks,
Severin
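
The failure mode described in the message above, as an added example that is not part of the original mail and is not the JDK's AlgorithmId code or the proposed patch: a simplified model of a name-to-OID cache that is built once from the registered providers, with and without a hard-coded mapping for the early lookup. `OidLookup`, `ExampleProvider`, the algorithm name `ExampleSig` and the OID `1.2.3.4` are constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

// Simplified model, not the JDK's AlgorithmId code; ExampleSig and OID 1.2.3.4 are constructed.
public class StaleOidCacheDemo {
    static final String PREFIX = "Alg.Alias.Signature.OID.";
    static class OidLookup {
        private final boolean fastPath;
        private Map<String, String> cache; // filled on first miss, never rebuilt
        OidLookup(boolean fastPath) { this.fastPath = fastPath; }
        String algOID(String name) {
            // Hard-coded mapping: answers the early lookup without building the cache.
            if (fastPath && name.equals("SHA256withRSA")) {
                return "1.2.840.113549.1.1.11";
            }
            if (cache == null) {
                Map<String, String> m = new HashMap<>();
                for (Provider p : Security.getProviders()) {
                    p.forEach((k, v) -> {
                        String key = k.toString();
                        if (key.startsWith(PREFIX)) {
                            m.put(v.toString(), key.substring(PREFIX.length()));
                        }
                    });
                }
                cache = m; // snapshot of the providers registered right now
            }
            return cache.get(name);
        }
    }
    // Constructed stand-in for a third-party provider.
    static class ExampleProvider extends Provider {
        ExampleProvider() {
            super("ExampleTP", "1.0", "constructed third-party provider");
            put(PREFIX + "1.2.3.4", "ExampleSig");
        }
    }

    public static void main(String[] args) {
        OidLookup before = new OidLookup(false), after = new OidLookup(true);
        before.algOID("SHA256withRSA"); // early lookup, as in signed-jar verification
        after.algOID("SHA256withRSA");
        Security.addProvider(new ExampleProvider()); // provider registered later
        System.out.println("without fast path: " + before.algOID("ExampleSig"));
        System.out.println("with fast path:    " + after.algOID("ExampleSig"));
    }
}
```

The lookup object without the fast path snapshots the provider list before `ExampleProvider` is registered and never sees it; the one with the fast path defers the snapshot until the first lookup that actually needs it.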