JDK-8274536 : sun/security/tools/jarsigner/multiRelease/MVJarSigningTest.java fails due to recursive initialisation
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: repo-loom
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-09-30
  • Updated: 2021-10-04
  • Resolved: 2021-10-04
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
repo-loomFixed
Related Reports
Relates :  
JDK-8269039 - Disable SHA-1 Signed JARs
Description
sun/security/tools/jarsigner/multiRelease/MVJarSigningTest.java is failing in the loom repo since the disabling of SHA-1 in jdk-18+18. It duplicates on all platforms with images builds.

The loom repo has many changes that subtly change the order that classes are loaded and/or initialized and I suspect we are running into a lurking bug.

WARNING: A command line option has enabled the Security Manager
WARNING: The Security Manager is deprecated and will be removed in a future release
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
	at java.base/sun.util.locale.provider.LocaleProviderAdapter.forType(LocaleProviderAdapter.java:199)
	at java.base/sun.util.locale.provider.LocaleServiceProviderPool.findProviders(LocaleServiceProviderPool.java:302)
	at java.base/sun.util.locale.provider.LocaleServiceProviderPool.getLocalizedObjectImpl(LocaleServiceProviderPool.java:274)
	at java.base/sun.util.locale.provider.LocaleServiceProviderPool.getLocalizedObject(LocaleServiceProviderPool.java:256)
	at java.base/sun.util.locale.provider.CalendarDataUtility.retrieveFirstDayOfWeek(CalendarDataUtility.java:76)
	at java.base/java.util.Calendar.setWeekCountData(Calendar.java:3397)
	at java.base/java.util.Calendar.<init>(Calendar.java:1607)
	at java.base/java.util.GregorianCalendar.<init>(GregorianCalendar.java:738)
	at java.base/java.util.Calendar$Builder.build(Calendar.java:1492)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$DenyAfterConstraint.<init>(DisabledAlgorithmConstraints.java:702)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.<init>(DisabledAlgorithmConstraints.java:419)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:144)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:118)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$JarHolder.<clinit>(DisabledAlgorithmConstraints.java:96)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.jarConstraints(DisabledAlgorithmConstraints.java:108)
	at java.base/sun.security.pkcs.SignerInfo.<clinit>(SignerInfo.java:61)
	at java.base/sun.security.pkcs.PKCS7.parseSignedData(PKCS7.java:390)
	at java.base/sun.security.pkcs.PKCS7.parse(PKCS7.java:174)
	at java.base/sun.security.pkcs.PKCS7.parse(PKCS7.java:142)
	at java.base/sun.security.pkcs.PKCS7.<init>(PKCS7.java:124)
	at java.base/sun.security.util.SignatureFileVerifier.<init>(SignatureFileVerifier.java:118)
	at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:302)
	at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:234)
	at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:763)
	at java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1034)
	at java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72)
	at java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:880)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848)
	at java.base/jdk.internal.loader.BuiltinClassLoader$4.run(BuiltinClassLoader.java:773)
	at java.base/jdk.internal.loader.BuiltinClassLoader$4.run(BuiltinClassLoader.java:768)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:781)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:467)
	at java.base/sun.launcher.LauncherHelper.loadMainClass(LauncherHelper.java:791)
	at java.base/sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:686)
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:85)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/sun.util.locale.provider.LocaleProviderAdapter.forType(LocaleProviderAdapter.java:188)
	... 39 more
Caused by: java.util.ServiceConfigurationError: sun.util.locale.provider.LocaleDataMetaInfo: Unable to load sun.util.resources.cldr.provider.CLDRLocaleDataMetaInfo
	at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
	at java.base/java.util.ServiceLoader.loadProvider(ServiceLoader.java:870)
	at java.base/java.util.ServiceLoader$ModuleServicesLookupIterator.hasNext(ServiceLoader.java:1084)
	at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1309)
	at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1393)
	at java.base/sun.util.cldr.CLDRLocaleProviderAdapter.lambda$new$0(CLDRLocaleProviderAdapter.java:86)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
	at java.base/sun.util.cldr.CLDRLocaleProviderAdapter.<init>(CLDRLocaleProviderAdapter.java:85)
	... 45 more
Caused by: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:547)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS12KeyStore.java:2147)
	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2145)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
	at java.base/java.security.KeyStore.load(KeyStore.java:1473)
	at java.base/sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:166)
	at java.base/sun.security.provider.PolicyFile.init(PolicyFile.java:532)
	at java.base/sun.security.provider.PolicyFile$4.run(PolicyFile.java:422)
	at java.base/sun.security.provider.PolicyFile$4.run(PolicyFile.java:394)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:394)
	at java.base/sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:381)
	at java.base/sun.security.provider.PolicyFile.init(PolicyFile.java:338)
	at java.base/sun.security.provider.PolicyFile.<init>(PolicyFile.java:292)
	at java.base/java.security.Policy.loadPolicyProvider(Policy.java:221)
	at java.base/java.security.Policy.getPolicyNoCheck(Policy.java:191)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:325)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:357)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:463)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
	at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1332)
	at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:690)
	at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:688)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:688)
	at java.base/java.lang.ClassLoader.defineClass2(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1103)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:182)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:821)
	at java.base/jdk.internal.loader.BuiltinClassLoader.lambda$findClassInModuleOrNull$2(BuiltinClassLoader.java:743)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassInModuleOrNull(BuiltinClassLoader.java:744)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClass(BuiltinClassLoader.java:621)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:632)
	at java.base/java.lang.Class.forName(Class.java:545)
	at java.base/java.util.ServiceLoader.lambda$loadProvider$1(ServiceLoader.java:864)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
	at java.base/java.util.ServiceLoader.loadProvider(ServiceLoader.java:866)
	... 51 more
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.Error: Circular loading of URL stream handler providers detected [in thread "main"]
	at java.base/java.net.URL.lookupViaProviders(URL.java:1352)
	at java.base/java.net.URL.getURLStreamHandler(URL.java:1440)
	at java.base/java.net.URL.<init>(URL.java:681)
	at java.base/java.net.URL.<init>(URL.java:570)
	at java.base/java.net.URL.<init>(URL.java:517)
	at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:246)
	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:547)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS12KeyStore.java:2147)
	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2145)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
	at java.base/java.security.KeyStore.load(KeyStore.java:1473)
	at java.base/sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:166)
	at java.base/sun.security.provider.PolicyFile.init(PolicyFile.java:532)
	at java.base/sun.security.provider.PolicyFile$4.run(PolicyFile.java:422)
	at java.base/sun.security.provider.PolicyFile$4.run(PolicyFile.java:394)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:394)
	at java.base/sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:381)
	at java.base/sun.security.provider.PolicyFile.init(PolicyFile.java:338)
	at java.base/sun.security.provider.PolicyFile.<init>(PolicyFile.java:292)
	at java.base/java.security.Policy.loadPolicyProvider(Policy.java:221)
	at java.base/java.security.Policy.getPolicyNoCheck(Policy.java:191)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:325)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:357)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:463)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
	at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1332)
	at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:690)
	at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:688)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:688)
	at java.security.jgss/sun.security.jgss.SunProvider.<init>(SunProvider.java:104)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:85)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/java.util.ServiceLoader$ProviderImpl$2.run(ServiceLoader.java:797)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:802)
	at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
	at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
	at java.base/sun.security.jca.ProviderConfig$ProviderLoader.load(ProviderConfig.java:347)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:254)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
	at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
	at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:268)
	at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:381)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
	at java.base/java.security.Security.getImpl(Security.java:694)
	at java.base/java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:157)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:847)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2113)
	... 87 more
Comments
Sean diagnosed this issue to be specific to the loom repo. The TLs used to track recursive initialisation in the URL and JarFile code were incorrectly detecting recursive initialisation when initialising both at the same time. This has not been fixed.
04-10-2021
EventHelper.isLoggingSecurity works around a similar issue by testing JarFile::isInitializing. It's possible that there are other places will need the same check. One difference between the main line and the loom repo is that the main line uses thread locals to catch recursive initialisation issue in both the JarFile and URL code. In loom these have been replaced with a non-TL solution. From what I can tell, these are working correctly and the issue is something to do with the executing of DisabledAlgorithmConstraints.jarConstraints while loading a signed JAR.
30-09-2021