Ensure static fields set during signed jar process

When loading a signed jar file that is on the classpath, such as the bouncy castle signed JCE jar file, it has been observed that the value of `restrictedJarVerificationProviders` and `jarVerificationProviders` are set to `null`. This causes a NullPointerException during the loading process. This update moves the static declarations of both `restrictedJarVerificationProviders` and `jarVerificationProviders` to be prior to the method call `RestrictedSecurity.checkHashValues()` since this method call needs both of these fields to be initialized to work correctly. Signed-off-by: Jason Katonica <katonica@us.ibm.com>
jasonkatonica · Sep 18, 2024 · cfc417e · cfc417e
1 parent 48a49a1
commit cfc417e
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/src/java.base/share/classes/sun/security/jca/Providers.java b/src/java.base/share/classes/sun/security/jca/Providers.java
@@ -56,18 +56,6 @@ public class Providers {
     // Note volatile immutable object, so no synchronization needed.
     private static volatile ProviderList providerList;
 
-    static {
-        // set providerList to empty list first in case initialization somehow
-        // triggers a getInstance() call (although that should not happen)
-        providerList = ProviderList.EMPTY;
-        providerList = ProviderList.fromSecurityProperties();
-        RestrictedSecurity.checkHashValues();
-    }
-
-    private Providers() {
-        // empty
-    }
-
     // After the switch to modules, JDK providers are all in modules and JDK
     // no longer needs to load signed jars during start up.
     //
@@ -114,6 +102,18 @@ private Providers() {
         "com.sun.crypto.provider.SunJCE",
     };
 
+    static {
+        // set providerList to empty list first in case initialization somehow
+        // triggers a getInstance() call (although that should not happen)
+        providerList = ProviderList.EMPTY;
+        providerList = ProviderList.fromSecurityProperties();
+        RestrictedSecurity.checkHashValues();
+    }
+
+    private Providers() {
+        // empty
+    }
+
     // Return Sun provider.
     // This method should only be called by
     // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.