From ebc2e494001d3caaa7c8c26414ed45a974b73a19 Mon Sep 17 00:00:00 2001
From: Jason Katonica
Date: Tue, 17 Sep 2024 08:32:56 -0400
Subject: [PATCH] Ensure static fields set during signed jar process When loading a signed jar file that is on the classpath, such as the bouncy castle signed JCE jar file, it has been observed that the value of `restrictedJarVerificationProviders` and `jarVerificationProviders` are set to `null`. This causes a NullPointerException during the loading process. This update moves the static declarations of both `restrictedJarVerificationProviders` and `jarVerificationProviders` to be prior to the method call `RestrictedSecurity.checkHashValues()` since this method call needs both of these fields to be initialized to work correctly.
Signed-off-by: Jason Katonica
---
 .../classes/sun/security/jca/Providers.java | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/java.base/share/classes/sun/security/jca/Providers.java b/src/java.base/share/classes/sun/security/jca/Providers.java
index 6d52933a82..d583a280df 100644
--- a/src/java.base/share/classes/sun/security/jca/Providers.java
+++ b/src/java.base/share/classes/sun/security/jca/Providers.java
@@ -55,14 +55,6 @@ public class Providers {
 // Note volatile immutable object, so no synchronization needed.
 private static volatile ProviderList providerList;

- static {
- // set providerList to empty list first in case initialization somehow
- // triggers a getInstance() call (although that should not happen)
- providerList = ProviderList.EMPTY;
- providerList = ProviderList.fromSecurityProperties();
- RestrictedSecurity.checkHashValues();
- }
-
 private Providers() {
 // empty
 }
@@ -113,6 +105,14 @@ private Providers() {
 "com.sun.crypto.provider.SunJCE",
 };

+ static {
+ // set providerList to empty list first in case initialization somehow
+ // triggers a getInstance() call (although that should not happen)
+ providerList = ProviderList.EMPTY;
+ providerList = ProviderList.fromSecurityProperties();
+ RestrictedSecurity.checkHashValues();
+ }
+
 // Return Sun provider.
 // This method should only be called by
 // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.
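Review bot: The relocated `static { ... }` block is only correct because it now sits textually below the provider-name arrays, and nothing in the block records that constraint. Static initializers run in source order, so a later reordering or a new static field added beneath this block would bring back the null reads the commit message describes. I would add a comment at the top of the block such as `// Must remain after jarVerificationProviders and restrictedJarVerificationProviders: RestrictedSecurity.checkHashValues() can reach them while a signed jar is being verified.` The existing remark that initialization "should not happen" to trigger a re-entrant call is presumably what the signed-jar case disproved, so it is worth rewording as well. The diffstat shows only Providers.java changed, so a regression test that loads a signed provider jar from the classpath would help keep this ordering from being broken silently.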