[11u] RFR: 8266929: Unable to use algorithms from 3p providers

Lutker, Dan lutkerd at amazon.com
Wed May 19 21:47:00 UTC 2021


Hi Severin,

All of the algorithms supported by jarsigner should be added, based on the "Supported Algorithms" table on [1] we should have to add SHA256withRSA, SHA384withRSA and SHA512withRSA.

-Dan

[1] https://docs.oracle.com/en/java/javase/11/tools/jarsigner.html

On 5/19/21, 11:53 AM, "Severin Gehwolf" <sgehwolf at redhat.com> wrote:

    Hi,

    Please review this regression fix for 11.0.11+9. JDK-8249906 got
    introduced as part of this update, which ended up in code changes that
    may lead to earlier initialization of AlgorithmId's OID cache. After
    JDK-8249906, the initialization of the OID cache might happen at jar
    file verification time (when signed jars are in play). At that time a
    reduced set of security providers is available. Since the OID cache is
    never refreshed, a NoSuchAlgorithmException might be thrown later on
    when trying to look up an algorithm provided by a third-party provider,
    even though the algorithm provider got added to the list of available
    providers (via Security.addProvider() or via a config file).

    Bug: https://bugs.openjdk.java.net/browse/JDK-8266929
    webrev: https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8266929/jdk11/01/webrev/

    The proposed fix adds a hard-coded OID mapping to AlgorithmId.algOID()
    method so as to avoid initializing the OID cache at jar-file
    verification time. Adding SHA256WithRSA to that list seems sufficient
    as the JDK providers seem to be signed with that signature. More info
    on the bug. With this patch JDK 11u would be back at 11.0.11+8
    behaviour. Patch kindly provided by Sean Mullan.

    Note that a separate bug has been filed for the OID cache not being
    refreshed: JDK-8267397. This bug affects JDK 17 and JDK 16 as well.

    Testing: tier1 and :jdk_security. No regressions noted. Passes the
    reproducer of the bug post-patch (fails before).

    Thoughts?

    Thanks,
    Severin
