[jdk8u] RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

[Andrew John Hughes]

On Thu, 22 Dec 2022 15:43:20 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

> Please review this critical fix which fixes a regression introduced with with [JDK-8269039: Disable SHA-1 Signed JARs](https://bugs.openjdk.org/browse/JDK-8269039) which was included in `8u362` (note that `8u352` is not affected as  JDK-8269039 is not there). This should be low-risk as it mainly removes use of `java.util.Calendar` API usage in `DisabledAlgorithmConstraints` which can cause issues with applications that contain `CalendarDataProvider`s in signed jars.
> 
> Proposing as critical fix so that we don't regress in that regard in 8u362.
> 
> Please review this backport. The changes in `keytool/Main.java` didn't apply. Those aren't critical changes for this patch, so I've omitted them. In addition, the test needed some changes to make it work with JDK 8 (comparing to the 11u version). Used `IOUtils.readAllBytes()` over `InputStream.readAllBytes()` in the custom classloader class, fixed some test lib imports and declared `Throwable` to be thrown in `main` as `ProcessTools.executeProcess` throws `Throwable` over `Exception` in 8u.
> 
> Regression test fails prior (current jdk8u tree, without this patch) and passes after the product fix.

The keytool changes are from [JDK-8273236](https://bugs.openjdk.org/browse/JDK-8273236), another recent fix relating to this SHA-1 deprecation. If the SHA-1 deprecation itself had been integrated a bit earlier, it might have made 8u362.

I don't think that's critical enough to try and get in at this stage. I'll propose it for 8u-dev in the new year with the removals from this patch omitted.

The other changes look sensible. Can you enable actions so that builds & tests are run? Once they look good, I'll approve. Thanks.

-------------

PR: https://git.openjdk.org/jdk8u/pull/29