Bug 1361818 - JDK 1.7.0_111 SunEC InternalError for older nss version
Summary: JDK 1.7.0_111 SunEC InternalError for older nss version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: jiri vanek
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-30 21:58 UTC by Jeremy Barlow
Modified: 2016-11-03 22:59 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 22:59:29 UTC
Target Upstream Version:

Attachments (Terms of Use)
Compiled GetProviders java class (978 bytes, application/x-java)
2016-07-30 21:58 UTC, Jeremy Barlow 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1332456 0 unspecified CLOSED Build java-1.8.0-openjdk-1.8.0.91-2.b14.fc23 breaks tomcat startup for FreeIPA when nss is not upgraded as well 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2016:2140 0 normal SHIPPED_LIVE java-1.7.0-openjdk bug fix and enhancement update 2016-11-03 13:12:14 UTC

Description Jeremy Barlow 2016-07-30 21:58:46 UTC 
Created attachment 1185850 [details]
Compiled GetProviders java class

Description of problem:

When we upgraded from JDK 1.7.0_101 to 1.7.0_111 with the same nss version in place, 3.15.4, various calls into the java.security.Security JDK namespace throw errors. After we upgrade to the latest version of nss, though, the problems no longer occur. This suggests that the latest JDK versions should have a minimum requirement on newer versions of nss that do not have this problem.

A similar discussion about this for JDK 8 on Fedora occurred on this ticket in the RedHat Bugzilla took place here - https://bugzilla.redhat.com/show_bug.cgi?id=1332456.  Maybe the same sort of fix in packaging could be done to address this issue for CentOS 7.

Note that the Security.getProviders() call is made by common Java packages like the maven and leiningen build tools, among others, so I expect that the problem would be pretty widespread. 

Version-Release number of selected component (if applicable):

java-1.7.0_111

How reproducible:

Always

Steps to Reproduce:

1. (optional) Compile the code below with javac to produce the attached `GetProviders.class` file.

----
import java.security.Provider;
import java.security.Security;

public class GetProviders {
    public static void main (String argv[]) {
       Provider[] providers = Security.getProviders();
       if (providers != null) {
         System.out.println ("Got " + providers.length + " providers");
         for (Provider provider : providers) {
           System.out.println("Provider: " + provider.getName());
         }
       }
    }
}
----

2. Run `yum install java-1.7.0-openjdk`.

3. With `nss` version 3.15.4 installed, run `java GetProviders`.

Actual results:

Exception in thread "main" java.lang.InternalError
    at sun.security.ec.SunEC.initialize(Native Method)
    at sun.security.ec.SunEC.access$000(SunEC.java:49)
    at sun.security.ec.SunEC$1.run(SunEC.java:61)
    at sun.security.ec.SunEC$1.run(SunEC.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ec.SunEC.<clinit>(SunEC.java:58)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at java.lang.Class.newInstance(Class.java:383)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:221)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
    at java.security.Security.getProviders(Security.java:456)
    at GetProviders.main(GetProviders.java:6)

Expected results:

See output like the following:

Got 9 providers
Provider: SUN
Provider: SunRsaSign
Provider: SunEC
Provider: SunJSSE
Provider: SunJCE
Provider: SunJGSS
Provider: SunSASL
Provider: XMLDSig
Provider: SunPCSC

Additional info:

If the following additional steps are followed, the "expected" results from above are seen:

1. Run `yum upgrade nss`.

nss is upgraded to 3.21.0.

2. Run `java GetProviders`.
Comment 2 jiri vanek 2016-08-01 10:14:44 UTC 
This was fixed in 8 by depending on build-time  version of nss (or newer) like:

http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/java-1.8.0-openjdk.spec?id=de90c5adee0e876870cc8903cc3d21dec4182233

so time to backport to 7?

The patch is more complicated then it should, because in srpm creation, no nss is available in buildroot.
Comment 6 jiri vanek 2016-08-04 16:23:40 UTC 
http://pkgs.devel.redhat.com/cgit/rpms/java-1.7.0-openjdk/commit/?h=rhel-7.3&id=ffb86c91e374e316c4172a2573f99e3ce8da47c4
Comment 10 errata-xmlrpc 2016-11-03 22:59:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2140.html
Note You need to log in before you can comment on or make changes to this bug.