JDK 11 | Other |
---|---|
11.0.12-oracle Fixed | openjdk8u302 Fixed |
Opening on behalf of Dan Lutker <lutkerd@amazon.com>

The change for “JDK-8249906, CVE-2021-2163: Enhance opening JARs” exposes a problem with the caching of algorithms beyond what is being reported in JDK-8266290 or what is fixed in JDK-8242565. Not only are the SunJCE algorithms no longer available when using signed JARs in 8u292, but no algorithms can be added via new providers in either JDK 8 or JDK 11.

The caching of the oidTable happens only once, which is now done when JARs are loaded; when you add a new provider, this table is never refreshed. Executing the simple reproducer UseBCAlgo.java (requires BouncyCastle) on 8u282 or 11.0.10 works successfully, but both 8u292 and 11.0.11 fail with “java.security.NoSuchAlgorithmException: unrecognized algorithm name: SHA384WITHDSA”.

```
Exception in thread "main" java.security.NoSuchAlgorithmException: unrecognized algorithm name: SHA384WITHDSA
    at java.base/sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
    at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:139)
    at UseBCAlgo.main(UseBCAlgo.java:8)
```

The caching is also incorrect when you remove a provider after it was successfully loaded; if a provider is removed, the algorithms it provides are still available.

Proposed fix is to clear out the AlgorithmId oidTable whenever signed jar verification completes or the Security providers change, which would cover the regression introduced by JDK-8249906 as well as these issues, so that the available Algorithms will reflect the currently loaded providers. This fix is an addition to JDK-8156584 and JDK-8242565; it does not supersede them and it will not work without JDK-8156584.
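The stale-table behaviour described in the report, as an added example: a simplified model of a name-to-OID table built once from the installed providers, not the JDK's `AlgorithmId` code and not the `UseBCAlgo.java` reproducer. `OidCacheDemo`, `DemoProvider`, `DEMOSIG`, the OID `1.3.9999.1` and `clear()` are hypothetical names constructed for the illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class OidCacheDemo {
    // Constructed provider: one algorithm plus an "Alg.Alias.<type>.OID.<oid>" entry.
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DemoProv", 1.0, "constructed provider for this example");
            put("Signature.DEMOSIG", "example.NotInstantiated"); // class is never loaded here
            put("Alg.Alias.Signature.OID.1.3.9999.1", "DEMOSIG"); // constructed OID
        }
    }

    private static Map<String, String> nameToOid; // null means "not built yet"

    static synchronized String oidFor(String name) {
        if (nameToOid == null) nameToOid = build(); // built on first use, then reused
        return nameToOid.get(name.toUpperCase(Locale.ENGLISH));
    }

    // Model of the proposed fix: drop the table so the next lookup rebuilds it.
    static synchronized void clear() { nameToOid = null; }

    // Scan the currently installed providers for OID aliases.
    static Map<String, String> build() {
        Map<String, String> table = new HashMap<>();
        for (Provider p : Security.getProviders()) {
            for (Object k : p.keySet()) {
                String key = String.valueOf(k);
                String upper = key.toUpperCase(Locale.ENGLISH);
                int i = upper.indexOf("OID.");
                if (!upper.startsWith("ALG.ALIAS.") || i < 0) continue;
                String std = p.getProperty(key);
                if (std != null) table.putIfAbsent(std.toUpperCase(Locale.ENGLISH), key.substring(i + 4));
            }
        }
        return table;
    }

    public static void main(String[] args) {
        System.out.println("before add:             " + oidFor("DEMOSIG")); // table is built here
        Security.addProvider(new DemoProvider());
        System.out.println("after add (stale):      " + oidFor("DEMOSIG"));
        clear();
        System.out.println("after add (cleared):    " + oidFor("DEMOSIG"));
        Security.removeProvider("DemoProv");
        System.out.println("after remove (stale):   " + oidFor("DEMOSIG"));
        clear();
        System.out.println("after remove (cleared): " + oidFor("DEMOSIG"));
    }
}
```

Both lookups marked stale return the answer from before the provider change; the table matches the installed providers again only after `clear()`.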