1361818 – JDK 1.7.0_111 SunEC InternalError for older nss version

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1361818 - JDK 1.7.0_111 SunEC InternalError for older nss version

Summary: JDK 1.7.0_111 SunEC InternalError for older nss version

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	java-1.7.0-openjdk
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	jiri vanek
QA Contact:	Lukáš Zachar
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-30 21:58 UTC by Jeremy Barlow
Modified:	2016-11-03 22:59 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-03 22:59:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Compiled GetProviders java class (978 bytes, application/x-java) 2016-07-30 21:58 UTC, Jeremy Barlow	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1332456	0	unspecified	CLOSED	Build java-1.8.0-openjdk-1.8.0.91-2.b14.fc23 breaks tomcat startup for FreeIPA when nss is not upgraded as well	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2016:2140	0	normal	SHIPPED_LIVE	java-1.7.0-openjdk bug fix and enhancement update	2016-11-03 13:12:14 UTC

Description Jeremy Barlow 2016-07-30 21:58:46 UTC

Created attachment 1185850 [details]
Compiled GetProviders java class

Description of problem:

When we upgraded from JDK 1.7.0_101 to 1.7.0_111 with the same nss version in place, 3.15.4, various calls into the java.security.Security JDK namespace throw errors. After we upgrade to the latest version of nss, though, the problems no longer occur. This suggests that the latest JDK versions should have a minimum requirement on newer versions of nss that do not have this problem.

A similar discussion about this for JDK 8 on Fedora occurred on this ticket in the RedHat Bugzilla took place here - https://bugzilla.redhat.com/show_bug.cgi?id=1332456.  Maybe the same sort of fix in packaging could be done to address this issue for CentOS 7.

Note that the Security.getProviders() call is made by common Java packages like the maven and leiningen build tools, among others, so I expect that the problem would be pretty widespread. 

Version-Release number of selected component (if applicable):

java-1.7.0_111

How reproducible:

Always

Steps to Reproduce:

1. (optional) Compile the code below with javac to produce the attached `GetProviders.class` file.

----
import java.security.Provider;
import java.security.Security;

public class GetProviders {
    public static void main (String argv[]) {
       Provider[] providers = Security.getProviders();
       if (providers != null) {
         System.out.println ("Got " + providers.length + " providers");
         for (Provider provider : providers) {
           System.out.println("Provider: " + provider.getName());
         }
       }
    }
}
----

2. Run `yum install java-1.7.0-openjdk`.

3. With `nss` version 3.15.4 installed, run `java GetProviders`.

Actual results:

Exception in thread "main" java.lang.InternalError
    at sun.security.ec.SunEC.initialize(Native Method)
    at sun.security.ec.SunEC.access$000(SunEC.java:49)
    at sun.security.ec.SunEC$1.run(SunEC.java:61)
    at sun.security.ec.SunEC$1.run(SunEC.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ec.SunEC.<clinit>(SunEC.java:58)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at java.lang.Class.newInstance(Class.java:383)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:221)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
    at java.security.Security.getProviders(Security.java:456)
    at GetProviders.main(GetProviders.java:6)

Expected results:

See output like the following:

Got 9 providers
Provider: SUN
Provider: SunRsaSign
Provider: SunEC
Provider: SunJSSE
Provider: SunJCE
Provider: SunJGSS
Provider: SunSASL
Provider: XMLDSig
Provider: SunPCSC

Additional info:

If the following additional steps are followed, the "expected" results from above are seen:

1. Run `yum upgrade nss`.

nss is upgraded to 3.21.0.

2. Run `java GetProviders`.

Comment 2 jiri vanek 2016-08-01 10:14:44 UTC

This was fixed in 8 by depending on build-time  version of nss (or newer) like:

http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/java-1.8.0-openjdk.spec?id=de90c5adee0e876870cc8903cc3d21dec4182233

so time to backport to 7?

The patch is more complicated then it should, because in srpm creation, no nss is available in buildroot.

Comment 6 jiri vanek 2016-08-04 16:23:40 UTC

http://pkgs.devel.redhat.com/cgit/rpms/java-1.7.0-openjdk/commit/?h=rhel-7.3&id=ffb86c91e374e316c4172a2573f99e3ce8da47c4

Comment 10 errata-xmlrpc 2016-11-03 22:59:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2140.html

Note You need to log in before you can comment on or make changes to this bug.