Bug 1361818

Summary: JDK 1.7.0_111 SunEC InternalError for older nss version
Product: Red Hat Enterprise Linux 7 Reporter: Jeremy Barlow <jeremy.barlow>
Component: java-1.7.0-openjdkAssignee: jiri vanek <jvanek>
Status: CLOSED ERRATA QA Contact: Lukáš Zachar <lzachar>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: ahughes, dbhole, jvanek
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 22:59:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Compiled GetProviders java class none

Description Jeremy Barlow 2016-07-30 21:58:46 UTC 
Created attachment 1185850 [details]
Compiled GetProviders java class

Description of problem:

When we upgraded from JDK 1.7.0_101 to 1.7.0_111 with the same nss version in place, 3.15.4, various calls into the java.security.Security JDK namespace throw errors. After we upgrade to the latest version of nss, though, the problems no longer occur. This suggests that the latest JDK versions should have a minimum requirement on newer versions of nss that do not have this problem.

A similar discussion about this for JDK 8 on Fedora occurred on this ticket in the RedHat Bugzilla took place here - https://bugzilla.redhat.com/show_bug.cgi?id=1332456.  Maybe the same sort of fix in packaging could be done to address this issue for CentOS 7.

Note that the Security.getProviders() call is made by common Java packages like the maven and leiningen build tools, among others, so I expect that the problem would be pretty widespread. 

Version-Release number of selected component (if applicable):

java-1.7.0_111

How reproducible:

Always

Steps to Reproduce:

1. (optional) Compile the code below with javac to produce the attached `GetProviders.class` file.

----
import java.security.Provider;
import java.security.Security;

public class GetProviders {
    public static void main (String argv[]) {
       Provider[] providers = Security.getProviders();
       if (providers != null) {
         System.out.println ("Got " + providers.length + " providers");
         for (Provider provider : providers) {
           System.out.println("Provider: " + provider.getName());
         }
       }
    }
}
----

2. Run `yum install java-1.7.0-openjdk`.

3. With `nss` version 3.15.4 installed, run `java GetProviders`.

Actual results:

Exception in thread "main" java.lang.InternalError
    at sun.security.ec.SunEC.initialize(Native Method)
    at sun.security.ec.SunEC.access$000(SunEC.java:49)
    at sun.security.ec.SunEC$1.run(SunEC.java:61)
    at sun.security.ec.SunEC$1.run(SunEC.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ec.SunEC.<clinit>(SunEC.java:58)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at java.lang.Class.newInstance(Class.java:383)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:221)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
    at java.security.Security.getProviders(Security.java:456)
    at GetProviders.main(GetProviders.java:6)

Expected results:

See output like the following:

Got 9 providers
Provider: SUN
Provider: SunRsaSign
Provider: SunEC
Provider: SunJSSE
Provider: SunJCE
Provider: SunJGSS
Provider: SunSASL
Provider: XMLDSig
Provider: SunPCSC

Additional info:

If the following additional steps are followed, the "expected" results from above are seen:

1. Run `yum upgrade nss`.

nss is upgraded to 3.21.0.

2. Run `java GetProviders`.
Comment 2 jiri vanek 2016-08-01 10:14:44 UTC 
This was fixed in 8 by depending on build-time  version of nss (or newer) like:

http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/java-1.8.0-openjdk.spec?id=de90c5adee0e876870cc8903cc3d21dec4182233

so time to backport to 7?

The patch is more complicated then it should, because in srpm creation, no nss is available in buildroot.
Comment 6 jiri vanek 2016-08-04 16:23:40 UTC 
http://pkgs.devel.redhat.com/cgit/rpms/java-1.7.0-openjdk/commit/?h=rhel-7.3&id=ffb86c91e374e316c4172a2573f99e3ce8da47c4
Comment 10 errata-xmlrpc 2016-11-03 22:59:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2140.html