authorKenny Root <kroot@google.com>2014-05-05 10:28:58 -0700
committerKenny Root <kroot@google.com>2014-11-05 13:50:08 -0800
commit2a64eecc02ffb5b991fb5c367eab777b1325eef8 (patch)
tree334e57a2781022c00b443e8660d242513cd99111
parentdac964172756e29cbcfc8636a4722967decbea55 (diff)
Avoid things that cause CertBlacklist to be preinitialized
Move the CertBlacklist instance to a NoPreloadHolder, then move the System.getenv call in CertBlacklist to a constructor so it's not called during class initialization. (cherry picked from commit 7a21b9a68f2c90bdde986a98a55816d0cf3ea73e) Bug: 18013422 Change-Id: I39d0f43f948dec243d2d7cb79726d0642638b77a
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java16
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java8
-rw-r--r--patches/bcprov.patch30
3 files changed, 29 insertions, 25 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
index 39ba0ff..c62966d 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
@@ -34,12 +34,6 @@ import org.bouncycastle.crypto.digests.AndroidDigestFactory;
import org.bouncycastle.util.encoders.Hex;
public class CertBlacklist {
-
- private static final String ANDROID_DATA = System.getenv("ANDROID_DATA");
- private static final String BLACKLIST_ROOT = ANDROID_DATA + "/misc/keychain/";
- public static final String DEFAULT_PUBKEY_BLACKLIST_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt";
- public static final String DEFAULT_SERIAL_BLACKLIST_PATH = BLACKLIST_ROOT + "serial_blacklist.txt";
-
private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName());
// public for testing
@@ -47,13 +41,19 @@ public class CertBlacklist {
public final Set<byte[]> pubkeyBlacklist;
public CertBlacklist() {
- this(DEFAULT_PUBKEY_BLACKLIST_PATH, DEFAULT_SERIAL_BLACKLIST_PATH);
+ String androidData = System.getenv("ANDROID_DATA");
+ String blacklistRoot = androidData + "/misc/keychain/";
+ String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt";
+ String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt";
+
+ pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath);
+ serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath);
}
/** Test only interface, not for public use */
public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) {
- serialBlacklist = readSerialBlackList(serialBlacklistPath);
pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath);
+ serialBlacklist = readSerialBlackList(serialBlacklistPath);
}
private static boolean isHex(String value) {
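Review bot: The no-argument constructor concatenates `System.getenv("ANDROID_DATA")` without a null check, so when the variable is unset the paths become `null/misc/keychain/pubkey_blacklist.txt` and `null/misc/keychain/serial_blacklist.txt`, which resolve relative to the working directory. How readPublicKeyBlackList and readSerialBlackList treat a missing file is outside this hunk, but if they return an empty set the validator would run with no blacklist and nothing to say why. A guard before the paths are built would make that visible, for example `if (androidData == null) { logger.warning("ANDROID_DATA is not set; certificate blacklist paths cannot be resolved"); }`, or a fail-closed choice if the callers can tolerate it. The removed static fields did the same concatenation, so this is not a regression, only a convenient place to fix it.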
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
index af764f3..d8efa6a 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
@@ -37,7 +37,9 @@ public class PKIXCertPathValidatorSpi
extends CertPathValidatorSpi
{
// BEGIN android-added
- private final static CertBlacklist blacklist = new CertBlacklist();
+ private static class NoPreloadHolder {
+ private final static CertBlacklist blacklist = new CertBlacklist();
+ }
// END android-added
public CertPathValidatorResult engineValidate(
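Review bot: `NoPreloadHolder` has no comment explaining why the field moved into a nested class, and the name alone will not tell a later maintainer that it must stay lazy. I would add above the class `// Initialization-on-demand holder: CertBlacklist is built on first use, so preloading PKIXCertPathValidatorSpi does not read ANDROID_DATA or the blacklist files.` One consequence worth recording there is that construction now happens inside the first validation that touches `NoPreloadHolder.blacklist`. Any unchecked exception from the CertBlacklist constructor would then surface as an ExceptionInInitializerError during validation, and later accesses would fail with NoClassDefFoundError. Whether the constructor can throw is not visible from this hunk.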
@@ -87,7 +89,7 @@ public class PKIXCertPathValidatorSpi
if (cert != null) {
BigInteger serial = cert.getSerialNumber();
- if (blacklist.isSerialNumberBlackListed(serial)) {
+ if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of serial 0x" + serial.toString(16);
System.out.println(message);
@@ -274,7 +276,7 @@ public class PKIXCertPathValidatorSpi
for (index = certs.size() - 1; index >= 0; index--)
{
// BEGIN android-added
- if (blacklist.isPublicKeyBlackListed(workingPublicKey)) {
+ if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of public key " + workingPublicKey;
System.out.println(message);
diff --git a/patches/bcprov.patch b/patches/bcprov.patch
index 0880f97..a22ef4d 100644
--- a/patches/bcprov.patch
+++ b/patches/bcprov.patch
@@ -7085,12 +7085,6 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/CertBlacklist.j
+import org.bouncycastle.util.encoders.Hex;
+
+public class CertBlacklist {
-+
-+ private static final String ANDROID_DATA = System.getenv("ANDROID_DATA");
-+ private static final String BLACKLIST_ROOT = ANDROID_DATA + "/misc/keychain/";
-+ public static final String DEFAULT_PUBKEY_BLACKLIST_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt";
-+ public static final String DEFAULT_SERIAL_BLACKLIST_PATH = BLACKLIST_ROOT + "serial_blacklist.txt";
-+
+ private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName());
+
+ // public for testing
@@ -7098,13 +7092,19 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/CertBlacklist.j
+ public final Set<byte[]> pubkeyBlacklist;
+
+ public CertBlacklist() {
-+ this(DEFAULT_PUBKEY_BLACKLIST_PATH, DEFAULT_SERIAL_BLACKLIST_PATH);
++ String androidData = System.getenv("ANDROID_DATA");
++ String blacklistRoot = androidData + "/misc/keychain/";
++ String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt";
++ String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt";
++
++ pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath);
++ serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath);
+ }
+
+ /** Test only interface, not for public use */
+ public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) {
-+ serialBlacklist = readSerialBlackList(serialBlacklistPath);
+ pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath);
++ serialBlacklist = readSerialBlackList(serialBlacklistPath);
+ }
+
+ private static boolean isHex(String value) {
@@ -8179,17 +8179,19 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertPath;
-@@ -33,6 +36,9 @@
+@@ -33,6 +36,11 @@
public class PKIXCertPathValidatorSpi
extends CertPathValidatorSpi
{
+ // BEGIN android-added
-+ private final static CertBlacklist blacklist = new CertBlacklist();
++ private static class NoPreloadHolder {
++ private final static CertBlacklist blacklist = new CertBlacklist();
++ }
+ // END android-added
public CertPathValidatorResult engineValidate(
CertPath certPath,
-@@ -75,6 +81,22 @@
+@@ -75,6 +83,22 @@
{
throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
@@ -8199,7 +8201,7 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal
+
+ if (cert != null) {
+ BigInteger serial = cert.getSerialNumber();
-+ if (blacklist.isSerialNumberBlackListed(serial)) {
++ if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) {
+ // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
+ String message = "Certificate revocation of serial 0x" + serial.toString(16);
+ System.out.println(message);
@@ -8212,12 +8214,12 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal
//
// (b)
-@@ -251,6 +273,15 @@
+@@ -251,6 +275,15 @@
for (index = certs.size() - 1; index >= 0; index--)
{
+ // BEGIN android-added
-+ if (blacklist.isPublicKeyBlackListed(workingPublicKey)) {
++ if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) {
+ // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
+ String message = "Certificate revocation of public key " + workingPublicKey;
+ System.out.println(message);