[jdk8u] RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
Severin Gehwolf
sgehwolf at openjdk.org
Fri Dec 23 16:33:50 UTC 2022
On Thu, 22 Dec 2022 15:43:20 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:
> Please review this critical fix which fixes a regression introduced with with [JDK-8269039: Disable SHA-1 Signed JARs](https://bugs.openjdk.org/browse/JDK-8269039) which was included in `8u362` (note that `8u352` is not affected as JDK-8269039 is not there). This should be low-risk as it mainly removes use of `java.util.Calendar` API usage in `DisabledAlgorithmConstraints` which can cause issues with applications that contain `CalendarDataProvider`s in signed jars.
>
> Proposing as critical fix so that we don't regress in that regard in 8u362.
>
> Please review this backport. The changes in `keytool/Main.java` didn't apply. Those aren't critical changes for this patch, so I've omitted them. In addition, the test needed some changes to make it work with JDK 8 (comparing to the 11u version). Used `IOUtils.readAllBytes()` over `InputStream.readAllBytes()` in the custom classloader class, fixed some test lib imports and declared `Throwable` to be thrown in `main` as `ProcessTools.executeProcess` throws `Throwable` over `Exception` in 8u.
>
> Regression test fails prior (current jdk8u tree, without this patch) and passes after the product fix.
Thanks for the review, labelled the bug `jdk8u-critical-request` now.
-------------
PR: https://git.openjdk.org/jdk8u/pull/29
More information about the jdk8u-dev
mailing list