From dev-return-23091-apmail-harmony-dev-archive=harmony.apache.org@harmony.apache.org Mon Jan 15 03:26:28 2007 Return-Path: Delivered-To: apmail-harmony-dev-archive@www.apache.org Received: (qmail 17660 invoked from network); 15 Jan 2007 03:26:28 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 15 Jan 2007 03:26:28 -0000 Received: (qmail 15506 invoked by uid 500); 15 Jan 2007 03:26:33 -0000 Delivered-To: apmail-harmony-dev-archive@harmony.apache.org Received: (qmail 15480 invoked by uid 500); 15 Jan 2007 03:26:32 -0000 Mailing-List: contact dev-help@harmony.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@harmony.apache.org Delivered-To: mailing list dev@harmony.apache.org Received: (qmail 15471 invoked by uid 99); 15 Jan 2007 03:26:32 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 14 Jan 2007 19:26:32 -0800 X-ASF-Spam-Status: No, hits=2.0 required=10.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of paulex.yang@gmail.com designates 64.233.182.191 as permitted sender) Received: from [64.233.182.191] (HELO nf-out-0910.google.com) (64.233.182.191) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 14 Jan 2007 19:26:22 -0800 Received: by nf-out-0910.google.com with SMTP id a4so2027753nfc for ; Sun, 14 Jan 2007 19:26:01 -0800 (PST) DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=l9xwmZAg5+n5pdO4DGBtxpSvRd7cFB8yX0VMiOeLqNEqpDNVxTspBui1lFtymwNhk0nVJUVPzhlyu9ppAU9mkSLn/X/Egv8eAgfOo3KXQTVH/fefew6RQG6lOAhgNcTt/SjUrjiwKXc8MLG+Icm1CNkSuFEcUL6V7qQhD/+0p4Q= Received: by 10.49.68.6 with SMTP id v6mr3700854nfk.1168831561122; Sun, 14 Jan 2007 19:26:01 -0800 (PST) Received: by 10.49.14.20 with HTTP; Sun, 14 Jan 2007 19:26:00 -0800 (PST) Message-ID: Date: Mon, 15 Jan 2007 11:26:00 +0800 From: "Yang Paulex" To: dev@harmony.apache.org Subject: Re: [jira] Created: (HARMONY-2940) [classlib][security]Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider"); fails while org.bouncycastle.jce.provider.BouncyCastleProvider is added as a security provider In-Reply-To: <6e47b64f0701120034s48122d54j21f4da221c29dc69@mail.gmail.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_188377_20994724.1168831560962" References: <23495160.1167901527495.JavaMail.jira@brutus> <6e47b64f0701120034s48122d54j21f4da221c29dc69@mail.gmail.com> X-Virus-Checked: Checked by ClamAV on apache.org ------=_Part_188377_20994724.1168831560962 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline 2007/1/12, Stepan Mishura : > > On 1/4/07, Yang Paulex wrote: > > > > This issue is interesting, because if you tried to load any classes in > the > > security provider jars by Class.forName(), it fails. But if you invoke > the > > Security.getProviders() at first, the issue disappears. > > > > After deeper look inside, I found the key is the time at which > > o.a.h.security.fortress.Services is loaded, Services will try to load > all > > security provider classes, if you invoke the Class.forName("some class > in > > bouncycastle") at first, the stacktrace will look like: > > > > Class.forName()->URLClassLoader->JarFile(bouncycastle.jar > > )->JarVerifier->Services->JarFile(bouncycastle.jaragain!)->JarVerifier... > > > > Please note that for good reasons, the JarFile instance for bc.jar are > > cached by URLClassLoader, so it is reused when Services tries to load > > security provider from bc.jar, but unfortunetely when Services returned, > > the > > internal status of that JarFile instance has been changed, so that NPE > is > > thrown. > > > > One workaround is to add "Security.getProviders()" to > j.u.jar.JarVerifier > > 's > > static init block, so that it is guarenteed that the security providers > > will > > be loaded before any classes in certified jars are explicitly used. But > > I'm > > not sure it is the right thing to do. any security gurus to comment? > > > IMHO the case with BC provider only is just particular case of classloader > bug. As you pointed out URLClassloader caches JarFile instances - so the > problem is that during JarFile object initialization there may be request > to > load a class from the same jar-file. For example, the request may be > initiated by a security manager (not by Services class). > > So adding to static init block "Security.getProviders()" will resolve > problem only with "bouncycastle.jar". This workaround can resolve problems related with any security providers. But I agree this is just a special case, that's exactly why I have concern on it. And I thought that maybe URLClassLoader should not cache the JarFile instance until it is fully initiated, but because URLClassLoader is so widely used, so I need more tests to validate. Thanks, > Stepan. > > 2007/1/4, Leo Li (JIRA) : > > > > > > [classlib][security]Class.forName(" > > > org.bouncycastle.jce.provider.BouncyCastleProvider"); fails while > > > org.bouncycastle.jce.provider.BouncyCastleProvider is added as a > > security > > > provider > > > > > > > > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > > > > > Key: HARMONY-2940 > > > URL: > https://issues.apache.org/jira/browse/HARMONY-2940 > > > Project: Harmony > > > Issue Type: Bug > > > Components: Classlib > > > Reporter: Leo Li > > > Priority: Critical > > > > > > > > > Here is a testcase: > > > > > > public void test() > > > { > > > Class cls = Class.forName(" > > > org.bouncycastle.jce.provider.BouncyCastleProvider"); > > > } > > > > > > Harmony fails. > > > > > > After digging into it, I found that it is related with bcprov.jar has > a > > > certificate signed by the signature provided by itself. I tried to > > remove > > > it signature and move it into the boot directory and it works. > > > > > > So I recommend to put an unsigned bcprov.jar into the boot directory. > > > > > > > > > -- > > > This message is automatically generated by JIRA. > > > - > > > If you think it was sent incorrectly contact one of the > administrators: > > > https://issues.apache.org/jira/secure/Administrators.jspa > > > - > > > For more information on JIRA, see: > > http://www.atlassian.com/software/jira > > > > > > > > > > > > > > > -- > > Paulex Yang > > China Software Development Labotary > > IBM > > > > > > > -- > Stepan Mishura > Intel Enterprise Solutions Software Division > > -- Paulex Yang China Software Development Labotary IBM ------=_Part_188377_20994724.1168831560962--