JDK-8344361 : Restore null return for invalid services from legacy providers
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 17,20,21,24
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2024-11-16
  • Updated: 2025-04-25
  • Resolved: 2025-01-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 17 JDK 21 JDK 24 JDK 25
17.0.16Fixed 21.0.8-oracleFixed 24.0.1Fixed 25 b08Fixed
Related Reports
Causes :  
JDK-8276660 - Scalability bottleneck in java.security.Provider.getService()
Relates :  
JDK-8345139 - Fix bugs and inconsistencies in the Provider services map
Relates :  
JDK-8254711 - Add java.security.Provider.getService JFR Event
Description
A DESCRIPTION OF THE PROBLEM :
In Provider.java around line 1285, the following code exists.

        Service s = serviceMap.get(key);
        if (s == null) {
            s = legacyMap.get(key);
            if (s != null && !s.isValid()) {
                legacyMap.remove(key, s);
            }
        }

There needs to be a "s = null;" after legacyMap.remove() as otherwise a service which fails  the isValid() test will be returned as is resulting in a failure later.

Unfortunately this appears to happen with providers using the legacy format which results in NullPointerException further down the track when the JCA tries to create an object using a Service with a null class name. It's not immediately clear how legacy parsing is resulting in the invalid services, but they are created with a null class name. For what it's worth this has only started happening with Java 21.

REGRESSION : Last worked in version 17.0.13

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Requesting an algorithm which does not exist will cause this to happen (sometimes). It also seems to get triggered when attempts are made to match keys to signature providers which we think is why it shows up with the PKCS11 provider.

The code is incorrect by inspection though, if s.isValid() is false s should be getting returned as null, not as an invalid service class.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Request for a service which cannot be fully constructed should result in a NoSuchAlgorithmException not a NullPointerException.
ACTUAL -
NullPointerException

CUSTOMER SUBMITTED WORKAROUND :
Catching NullPointerException and hoping it can be treated like NoSuchAlgorithmException.

FREQUENCY : always
Comments
Fix request [17u] I backport this to fix the issue introduced by backport of JDK-8276660 to 17.0.13. Acceptable risk, trivial change. Clean backport. Test passes and reproduces the issue without the fix. SAP nightly testing passed.
09-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3453 Date: 2025-04-08 13:24:17 +0000
08-04-2025
[jdk21u-fix-request] Approval Request from Paul Hohensee Backport for parity with Oracle 21.0.8. Clean, low risk: obvious bug, updated and new test pass, Provider tests pass: test/jdk/java/security/Provider and test/jdk/sun/security/pkcs11/Provider.
04-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1600 Date: 2025-04-04 19:30:16 +0000
04-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1597 Date: 2025-04-04 18:50:08 +0000
04-04-2025
[jdk24u-fix-request] Approval Request from Seán Coffey Correct a recent regression
24-01-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk24u/pull/31 Date: 2025-01-24 16:06:33 +0000
24-01-2025
Changeset: e20bd018 Branch: master Author: Sean Coffey <coffeys@openjdk.org> Date: 2025-01-24 10:40:36 +0000 URL: https://git.openjdk.org/jdk/commit/e20bd018c4046870d0cf632bb8e5440cb9f5c3c2
24-01-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/23201 Date: 2025-01-20 16:06:56 +0000
20-01-2025
Code without the JDK-8276660 fix doesn't appear to be affected
20-01-2025
pre JDK-8254711 code was effectively: simplified view: s = legacyMap.get(key); if (s != null && !s.isValid()) { legacyMap.remove(key, s); return null; } else { return s; } *** post JDK-8254711 code: Service s = serviceMap.get(key); if (s == null) { s = legacyMap.get(key); if (s != null && !s.isValid()) { legacyMap.remove(key, s); } } // some JFR code if JFR turned on return s; ** yes, a null return should be made in the !s.isValid() case. can add a "return null" call after the legacyMap.remove call.
05-12-2024
Looks like the issue is related to JDK-8254711.
17-11-2024