[jdk8u] RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
Severin Gehwolf
sgehwolf at openjdk.org
Thu Dec 22 15:50:51 UTC 2022
Please review this critical fix which fixes a regression introduced with with [JDK-8269039: Disable SHA-1 Signed JARs](https://bugs.openjdk.org/browse/JDK-8269039) which was included in `8u362` (note that `8u352` is not affected as JDK-8269039 is not there). This should be low-risk as it mainly removes use of `java.util.Calendar` API usage in `DisabledAlgorithmConstraints` which can cause issues with applications that contain `CalendarDataProvider`s in signed jars.
Proposing as critical fix so that we don't regress in that regard in 8u362.
Please review this backport. The changes in `keytool/Main.java` didn't apply. Those aren't critical changes for this patch, so I've omitted them. In addition, the test needed some changes to make it work with JDK 8 (comparing to the 11u version). Used `IOUtils.readAllBytes()` over `InputStream.readAllBytes()` in the custom classloader class, fixed some test lib imports and declared `Throwable` to be thrown in `main` as `ProcessTools.executeProcess` throws `Throwable` over `Exception` in 8u.
Regression test fails prior (current jdk8u tree, without this patch) and passes after the product fix.
-------------
Commit messages:
- 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
Changes: https://git.openjdk.org/jdk8u/pull/29/files
Webrev: https://webrevs.openjdk.org/?repo=jdk8u&pr=29&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8280890
Stats: 171 lines in 3 files changed: 140 ins; 15 del; 16 mod
Patch: https://git.openjdk.org/jdk8u/pull/29.diff
Fetch: git fetch https://git.openjdk.org/jdk8u pull/29/head:pull/29
PR: https://git.openjdk.org/jdk8u/pull/29
More information about the jdk8u-dev
mailing list