1155823 – [GSS] (6.4.0) Package certificate SecurityErrors triggered by MODULES-192

Bug 1155823 - [GSS] (6.4.0) Package certificate SecurityErrors triggered by MODULES-192

Summary: [GSS] (6.4.0) Package certificate SecurityErrors triggered by MODULES-192

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Class Loading
Sub Component:
Version:	6.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	DR11
Target Release:	EAP 6.4.0
Assignee:	David M. Lloyd
QA Contact:	Martin Svehla
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1154682 (view as bug list)
Depends On:
Blocks:	1155824 1161353
TreeView+	depends on / blocked

Reported:	2014-10-22 23:00 UTC by James Livingston
Modified:	2019-08-19 12:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In previous releases of JBoss EAP 6, the `JarFileResourceLoader` attempted to retrieve the certificates before rather than after reading the class stream, which resulted in the certificates not being loaded. This would cause a `SecurityError` to occur when signed classes were loaded concurrently by multiple threads. In this release the `JarFileResourceLoader` retrieves the certificates after reading the class stream and the `SecurityError` no longer occurs.
Clone Of:
Clones:	1155824 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1116806	0	urgent	CLOSED	(6.4.0) Performance degradation caused by MODULES-192	2021-02-22 00:41:40 UTC
Red Hat Issue Tracker	MODULES-201	0	Major	Resolved	Package certificate SecurityErrors triggered by MODULES-192	2019-08-14 16:50:22 UTC

Description James Livingston 2014-10-22 23:00:22 UTC

Bug 1116806 pulled in MODULES-192, which introduced a problem which can cause classloading failures of signed jars.

The JarEntry.getCodeSigners() call was moved from after to before the input stream is read, and as per the documentation it MUST be after. This will cause null to be returned rather than the signing certificates the first time the resource loader is called for it.

Usually the resource loader will only be called once for a class since it is cached after being loaded, so the only effect is the missing certificates. If however two threads concurrently load the same class, the second caller to the resource loader will get the certificates, resulting in a SecurityError since it does not match the lack of certificates for other classes.


This has been seen occurring for the MS SQL JDBC driver (which is code-signed) when deployed as module.

Comment 1 Kabir Khan 2014-11-20 12:07:26 UTC

Assume this is fixed by 1.3.5 modules upgrade

Comment 2 Martin Svehla 2014-11-24 08:14:05 UTC

*** Bug 1154682 has been marked as a duplicate of this bug. ***

Comment 3 Jan Martiska 2014-11-26 12:51:47 UTC

Martin, you seem to have encountered the same bug and therefore I suppose you will be more competent to verify this ;)

Comment 4 Martin Svehla 2014-12-02 10:54:29 UTC

Verified with EAP 6.4.0.DR11 / JBoss Modules 1.3.6.Final

Note You need to log in before you can comment on or make changes to this bug.