Bug 1155824 - [GSS] (6.3.z) Package certificate SecurityErrors triggered by MODULES-192
Summary: [GSS] (6.3.z) Package certificate SecurityErrors triggered by MODULES-192
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Class Loading
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: CR1
: EAP 6.3.3
Assignee: David M. Lloyd
QA Contact: Martin Svehla
URL:
Whiteboard:
Depends On: 1155823
Blocks: eap633-payload 1161356
Reported: 2014-10-22 23:05 UTC by James Livingston
Modified: 2019-08-19 12:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: JarFileResourceLoader attempts to retrieve the certificates before rather than after reading the class stream, which usually results in the certificates not being loaded. Consequence: When signed classes are loaded concurrently by multiple threads, a SecurityError may occur. Fix: Retrieve the certificates after reading the class stream instead. Result: No SecurityError occurs.
Clone Of: 1155823
Environment:
Last Closed: 2019-08-19 12:42:08 UTC
Type: Bug
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1116806 0 urgent CLOSED (6.4.0) Performance degradation caused by MODULES-192 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker MODULES-201 0 Major Resolved Package certificate SecurityErrors triggered by MODULES-192 2017-03-02 04:44:01 UTC

Description James Livingston 2014-10-22 23:05:33 UTC
+++ This bug was initially created as a clone of Bug #1155823 +++

Bug 1116806 pulled in MODULES-192, which introduced a problem which can cause classloading failures of signed jars.

The JarEntry.getCodeSigners() call was moved from after to before the input stream is read, and as per the documentation it MUST be after. This will cause null to be returned rather than the signing certificates the first time the resource loader is called for it.

Usually the resource loader will only be called once for a class since it is cached after being loaded, so the only effect is the missing certificates. If however two threads concurrently load the same class, the second caller to the resource loader will get the certificates, resulting in a SecurityError since it does not match the lack of certificates for other classes.


This has been seen occurring for the MS SQL JDBC driver (which is code-signed) when deployed as a module.
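The ordering constraint described above, shown as an added illustration that is not JBoss Modules code: JarEntry.getCodeSigners() only returns signers once the entry's verifying input stream has been read to EOF, so asking before the read yields null and asking after yields the signers. ClassSpec and the method names are hypothetical; the program assumes a signed jar path and an entry name on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class SignedJarLoader {

    /** Hypothetical holder pairing class bytes with their signers, as a resource loader would. */
    static final class ClassSpec {
        final byte[] bytes;
        final CodeSigner[] signers; // null when unsigned, or when asked for before verification
        ClassSpec(byte[] bytes, CodeSigner[] signers) { this.bytes = bytes; this.signers = signers; }
    }

    /** Ordering the bug describes: signers requested before the stream is consumed. */
    static ClassSpec loadBroken(JarFile jar, JarEntry entry) throws IOException {
        CodeSigner[] signers = entry.getCodeSigners(); // entry not yet verified -> null on first load
        byte[] bytes = readFully(jar, entry);
        return new ClassSpec(bytes, signers);
    }

    /** Corrected ordering: drain the verifying stream to EOF, then request signers. */
    static ClassSpec loadFixed(JarFile jar, JarEntry entry) throws IOException {
        byte[] bytes = readFully(jar, entry);          // verification completes at end of stream
        CodeSigner[] signers = entry.getCodeSigners(); // populated now for a signed entry
        return new ClassSpec(bytes, signers);
    }

    static byte[] readFully(JarFile jar, JarEntry entry) throws IOException {
        try (InputStream in = jar.getInputStream(entry)) {
            return in.readAllBytes(); // Java 9+; reading to EOF is what triggers verification
        }
    }

    public static void main(String[] args) throws IOException {
        // JarFile verifies signatures by default; args[0] = signed jar, args[1] = entry name
        // such as "com/example/Foo.class" (both supplied by the user, not fixed here)
        try (JarFile jar = new JarFile(args[0])) {
            JarEntry entry = jar.getJarEntry(args[1]);
            ClassSpec broken = loadBroken(jar, entry);
            ClassSpec fixed = loadFixed(jar, entry);
            System.out.println("signers before read: " + (broken.signers == null ? "null" : broken.signers.length));
            System.out.println("signers after read:  " + (fixed.signers == null ? "null" : fixed.signers.length));
        }
    }
}
```

On a signed entry the first line prints null and the second prints the signer count, which is the per-thread mismatch behind the SecurityError when two threads race through the loader.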

Comment 3 Dominik Pospisil 2014-12-03 11:32:28 UTC
Fixed in jboss-modules-1.3.5.

Comment 4 Martin Svehla 2015-01-27 11:50:03 UTC
Verified with EAP 6.3.3.CP.CR2 / JBoss Modules 1.3.5.Final
