RFR 8130302: jarsigner and keytool -providerClass needs be re-examined for modules

Mandy Chung mandy.chung at oracle.com
Wed Jun 15 03:53:48 UTC 2016

> On Jun 13, 2016, at 8:28 PM, Wang Weijun <weijun.wang at oracle.com> wrote:
> OK, please take a review at the new version at
>  http://cr.openjdk.java.net/~weijun/8130302/webrev.04/

The new -addProvider option is good.  I mostly reviewed KeyStoreUtil.java and skimmed through other files that I assume the security team will review them in details.

 267      * Loads a security provider in a module with its name.

This does not limit to modules.  It can load security providers from classpath via ServiceLoader.

 282         for (Provider p : ServiceLoader.load(Provider.class)) {

This should use ServiceLoader.load(Provider.class, ClassLoader.getSystemClassLoader()) instead of loading with TCCL.

 291         throw new IllegalArgumentException();

Nit: good to have a message even if it’s not used.

 295      * Loads a non-modularized security provider with its full-qualified name.

I suggest to reword it to “Loads a security provider by a fully-qualified class name”

move line 306 to 317

 241             throw (InvalidParameterException)

This cast should not be needed?

 319             Class<?> clazz;
 320             if (cl != null) {
 321                 clazz = cl.loadClass(provClass);
 322             } else {
 323                 clazz = Class.forName(provClass);
 324             }

You should call Class.forName(provClass, false, cl) instead.


More information about the security-dev mailing list