RFR: 8357691: File blocked.certs contains bad content when boot jdk 25 is used, sun/security/lib/CheckBlockedCerts.java failing

Ioi Lam iklam at openjdk.org
Fri Sep 26 00:53:16 UTC 2025


On Thu, 25 Sep 2025 09:10:40 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> When using boot JDK 25 we end up with bad content in lib/security/blocked.certs because CDS-related warning output shows up there.
> 
> The problem is with extra lines in the generated `blocked.certs` file; at the start of the file there is something like this:
> 
> 
>> [0.010s][error][cds] An error has occurred while processing the shared archive file. Run with -Xlog:aot,cds for details.
>> [0.010s][error][cds] Mismatched values for property jdk.module.addexports: java.base/sun.security.util=ALL-UNNAMED specified during runtime but not during dump time
>> [0.010s][error][cds] Disabling optimized module handling

Marked as reviewed by iklam (Reviewer).

The fix looks OK to me.

Background: when using the default CDS archive, such warnings are disabled. The reason is -- we assume the default archive is general purpose and can be used for different sets of command-lines. We don't print warnings as it's not "wrong" for the app to specify `--add-exports`.


$ ${JAVA_HOME}/bin/java --add-exports=java.base/sun.security.util=ALL-UNNAMED --version
java 26-internal 2026-03-17
Java(TM) SE Runtime Environment (build 26-internal-adhoc.iklam.rum)
JavaHotSpot(TM) 64-Bit Server VM (build 26-internal-adhoc.iklam.rum, mixed mode, sharing)


But when you are using `-XX:SharedArchiveFile` to specify a CDS archive, we assume that the archive has been tailored to the specific application that you're using, so the warnings are printed more eagerly, as you might have unintentionally given an incompatible VM option: 


$ cp ${JAVA_HOME}/lib/server/classes.jsa foo.jsa
$ ${JAVA_HOME}/bin/java -XX:SharedArchiveFile=foo.jsa --add-exports=java.base/sun.security.util=ALL-UNNAMED --version
[0.026s][error][cds] An error has occurred while processing the shared archive file. Run with -Xlog:aot,cds for details.
[0.026s][error][cds] Mismatched values for property jdk.module.addexports: java.base/sun.security.util=ALL-UNNAMED specified during runtime but not during dump time
[0.026s][error][cds] Disabling optimized module handling
java 26-internal 2026-03-17
Java(TM) SE Runtime Environment (build 26-internal-adhoc.iklam.rum)
JavaHotSpot(TM) 64-Bit Server VM (build 26-internal-adhoc.iklam.rum, mixed mode, sharing)


In this case, I think the JDK build system creates its own CDS archive with the BOOT JDK, so it falls under the second scenario. Using `-Xlog:cds=off` is appropriate.

-------------

PR Review: https://git.openjdk.org/jdk/pull/27485#pullrequestreview-3269822895
PR Comment: https://git.openjdk.org/jdk/pull/27485#issuecomment-3336409510
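
A build-time sanity check for the failure described in this thread, as an added example that is not part of the original message or of the JDK build: it flags JVM unified-logging lines that ended up in a generated `blocked.certs`. The file layout (an `Algorithm=` header followed by 64-hex-digit fingerprints), the function name and the sample fingerprints are assumptions; the three log lines are the ones quoted above.

```python
import hashlib
import re

# JVM unified-logging line as quoted in the thread: "[0.010s][error][cds] ..."
JVM_LOG_LINE = re.compile(r"^\[\d+\.\d+s\]\[\w+\s*\]\[[\w,]+\s*\]")
# Assumed layout of the generated file: one "Algorithm=<name>" header,
# then one hex certificate fingerprint per line.
HEADER = re.compile(r"^Algorithm=[A-Za-z0-9-]+$")
FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{64}$")


def check_blocked_certs(text):
    """Return (line_number, kind, line) findings; an empty list means clean."""
    findings = []
    seen_header = False
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if JVM_LOG_LINE.match(line):
            findings.append((number, "jvm-log", line))
        elif HEADER.match(line) and not seen_header:
            seen_header = True
        elif seen_header and FINGERPRINT.match(line):
            continue
        else:
            findings.append((number, "unexpected", line))
    if not seen_header:
        findings.append((0, "missing-header", ""))
    return findings


# Constructed sample data: fingerprints are hashes of placeholder strings.
CLEAN = "Algorithm=SHA-256\n" + "\n".join(
    hashlib.sha256(f"constructed-cert-{i}".encode()).hexdigest() for i in range(3)
) + "\n"
# The CDS messages quoted in the thread, prepended as in the broken build.
POLLUTED = (
    "[0.010s][error][cds] An error has occurred while processing the shared archive file. Run with -Xlog:aot,cds for details.\n"
    "[0.010s][error][cds] Mismatched values for property jdk.module.addexports: java.base/sun.security.util=ALL-UNNAMED specified during runtime but not during dump time\n"
    "[0.010s][error][cds] Disabling optimized module handling\n"
) + CLEAN

if __name__ == "__main__":
    for number, kind, line in check_blocked_certs(POLLUTED):
        print(f"line {number}: {kind}: {line[:60]}")
```
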

