JDK-6495732 : Policy keystore recursion problem loading SunMSCAPI provider
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: solaris_10
  • CPU: sparc
  • Submitted: 2006-11-20
  • Updated: 2010-08-06
  • Resolved: 2006-12-05
Description
If you include a keystore entry in the policy file that loads a SunMSCAPI
keystore, for example:

keystore "NONE", "Windows-ROOT", "SunMSCAPI";

and you run an application/applet with a SecurityManager enabled, then the keystore
cannot be loaded due to a recursion problem loading the SunMSCAPI provider. A portion
of the stack trace is:

  
ProviderConfig: Recursion loading provider: sun.security.mscapi.SunMSCAPI
java.lang.Exception: Call trace
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:198)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:215)
        at sun.security.jca.ProviderList.getIndex(ProviderList.java:245)
        at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:229)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:235)
        at sun.security.jca.GetInstance.getService(GetInstance.java:64)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
        at java.security.Security.getImpl(Security.java:662)
        at java.security.KeyStore.getInstance(KeyStore.java:632)
        at sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:88)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:618)
        at sun.security.provider.PolicyFile.access$400(PolicyFile.java:263)
        at sun.security.provider.PolicyFile$3.run(PolicyFile.java:529)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:502)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:488)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:447)
        at sun.security.provider.PolicyFile.<init>(PolicyFile.java:305)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.security.Policy.getPolicyNoCheck(Policy.java:163)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkLink(SecurityManager.java:818)
        at java.lang.Runtime.loadLibrary0(Runtime.java:817)
        at java.lang.System.loadLibrary(System.java:1030)
        at sun.security.mscapi.SunMSCAPI$1.run(SunMSCAPI.java:34)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.mscapi.SunMSCAPI.<clinit>(SunMSCAPI.java:32)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:240)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:225)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:205)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:215)
        at sun.security.jca.ProviderList.getIndex(ProviderList.java:245)
        at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:229)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:235)
        at sun.security.jca.GetInstance.getService(GetInstance.java:64)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
        at java.security.Security.getImpl(Security.java:662)
        at java.security.KeyStore.getInstance(KeyStore.java:632)
        at sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:88)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:618)
        at sun.security.provider.PolicyFile.access$400(PolicyFile.java:263)
        at sun.security.provider.PolicyFile$3.run(PolicyFile.java:529)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:502)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:488)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:447)
        at sun.security.provider.PolicyFile.<init>(PolicyFile.java:305)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.security.Policy.getPolicyNoCheck(Policy.java:163)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
        at java.security.Provider.check(Provider.java:386)
        at java.security.Provider.put(Provider.java:309)
        at com.sun.crypto.provider.SunJCE$1.run(DashoA13*..)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.crypto.provider.SunJCE.<init>(DashoA13*..)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:240)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:225)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:205)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:215)
        at sun.security.jca.ProviderList.getIndex(ProviderList.java:245)
        at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:229)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:235)
        at sun.security.jca.GetInstance.getService(GetInstance.java:64)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
        at java.security.Security.getImpl(Security.java:662)
        at java.security.KeyStore.getInstance(KeyStore.java:632)
        at sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:88)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:618)
        at sun.security.provider.PolicyFile.access$400(PolicyFile.java:263)
        at sun.security.provider.PolicyFile$3.run(PolicyFile.java:529)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:502)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:488)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:447)
        at sun.security.provider.PolicyFile.<init>(PolicyFile.java:305)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.security.Policy.getPolicyNoCheck(Policy.java:163)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	...

The problem occurs when the SunMSCAPI provider loads a native library. Loading the library requires
a permission, which causes the policy to be parsed and the SunMSCAPI provider to be loaded again, and so on.
Eventually the JCA provider loading code detects the recursion and throws an exception. The exception is not
fatal, but it results in the keystore entry in the policy file being ignored, so any grant entries that
depend on this keystore entry are not processed correctly.
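
The cycle described above, reduced to a small Java model (an added example, not JDK code; all class, method and grant names are hypothetical and the policy entries are constructed). It shows how the non-fatal recursion guard leaves a policy that has silently lost its keystore-dependent grant, and that the outcome depends on load order:

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a simplified model of the cycle in the trace above.
// All names are hypothetical; none of this is JDK source.
public class PolicyRecursionModel {
    static boolean providerLoading, providerLoaded;   // recursion guard state
    static List<String> policy;                       // null until first parsed

    // Constructed policy: one grant needs the keystore, one does not.
    static final String[][] GRANTS = {
        {"signedBy \"alice\"", "needsKeystore"},
        {"codeBase \"file:/opt/app/-\"", ""},
    };

    // Provider load: the native library load triggers a permission check.
    static void loadProvider() throws Exception {
        if (providerLoaded) return;
        if (providerLoading) throw new Exception("Recursion loading provider");
        providerLoading = true;
        try {
            checkPermission("loadLibrary.native-lib"); // constructed permission name
            providerLoaded = true;
        } finally {
            providerLoading = false;
        }
    }

    // The first permission check parses the policy lazily.
    static void checkPermission(String perm) {
        if (policy == null) policy = parsePolicy();
    }

    // Policy parse: the keystore entry needs the provider.
    static List<String> parsePolicy() {
        boolean keystore;
        try { loadProvider(); keystore = true; }
        catch (Exception e) { keystore = false; }     // non-fatal: entry ignored
        List<String> active = new ArrayList<>();
        for (String[] g : GRANTS)
            if (keystore || g[1].isEmpty()) active.add(g[0]);
        return active;
    }

    public static void main(String[] args) throws Exception {
        loadProvider();                        // provider touched before any policy exists
        System.out.println("recursive order: " + policy);
        providerLoaded = true; policy = null;  // contrast: provider already loaded
        checkPermission("any");
        System.out.println("provider first:  " + policy);
    }
}
```

In the first run the signedBy grant is missing from the resulting policy with no error surfaced to the caller, which is why the symptom is code that unexpectedly lacks permissions rather than a visible failure.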

Comments
EVALUATION This is a duplicate of 6424631 (Signed applet hangs browser if a remote policy server is being used). The fix for that bug also fixed the policy recursion loop in this bug.
05-12-2006