RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
Jaikiran Pai
jpai at openjdk.java.net
Sat Feb 5 11:51:09 UTC 2022
On Tue, 1 Feb 2022 21:54:29 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> This fixes a bootstrapping issue if a custom system class loader is set with the `-Djava.system.class.loader` option and the custom class loader is inside a signed JAR. In order to load the custom class loader, the runtime must verify the signed JAR first, and the algorithm constraint code tries to load a `Locale` provider using a `ServiceLoader` before the class loader is set, and this causes a `ServiceConfigurationError`.
>
> The fix removes a dependency from the security algorithm "denyAfter" constraint parsing code on the `Calendar` API which uses a `ServiceLoader` for gathering default locale information. Instead the `ZonedDateTime` API is now used, which simplifies the code and removes some unnecessary code from `keytool` as well.
test/jdk/java/security/SignedJar/SignedJarWithCustomClassLoader.java line 65:
> 63:
> 64: // create signer's keypair
> 65: SecurityTools.keytool("-genkeypair -keyalg RSA -keystore ks " +
Hello Sean,
Looking at the `SecurityTools.keytool` and `SecurityTools.jarsigner` methods, they internally launch a process corresponding to these tools but do not check for the exit code of that process execution. Perhaps the calls to these methods in this test, should add a check to assert that the exit code is `0` by using the returned `OutputAnalyzer`?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7316
More information about the security-dev
mailing list