[jdk8u] RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

Severin Gehwolf sgehwolf at openjdk.org
Thu Dec 22 15:50:51 UTC 2022


Please review this critical fix which fixes a regression introduced with with [JDK-8269039: Disable SHA-1 Signed JARs](https://bugs.openjdk.org/browse/JDK-8269039) which was included in `8u362` (note that `8u352` is not affected as  JDK-8269039 is not there). This should be low-risk as it mainly removes use of `java.util.Calendar` API usage in `DisabledAlgorithmConstraints` which can cause issues with applications that contain `CalendarDataProvider`s in signed jars.

Proposing as critical fix so that we don't regress in that regard in 8u362.

Please review this backport. The changes in `keytool/Main.java` didn't apply. Those aren't critical changes for this patch, so I've omitted them. In addition, the test needed some changes to make it work with JDK 8 (comparing to the 11u version). Used `IOUtils.readAllBytes()` over `InputStream.readAllBytes()` in the custom classloader class, fixed some test lib imports and declared `Throwable` to be thrown in `main` as `ProcessTools.executeProcess` throws `Throwable` over `Exception` in 8u.

Regression test fails prior (current jdk8u tree, without this patch) and passes after the product fix.

-------------

Commit messages:
 - 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

Changes: https://git.openjdk.org/jdk8u/pull/29/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk8u&pr=29&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8280890
  Stats: 171 lines in 3 files changed: 140 ins; 15 del; 16 mod
  Patch: https://git.openjdk.org/jdk8u/pull/29.diff
  Fetch: git fetch https://git.openjdk.org/jdk8u pull/29/head:pull/29

PR: https://git.openjdk.org/jdk8u/pull/29


More information about the jdk8u-dev mailing list