eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

jdk11: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java : unexpected status of EE certificate #12176

Closed andrew-m-leonard closed 3 years ago

andrew-m-leonard commented 3 years ago

https://ci.adoptopenjdk.net/job/Test_openjdk11_j9_extended.openjdk_ppc64_aix/14/consoleFull

Passes with Hotspot, fails with OpenJ9:

17:53:04  openjdk version "11.0.11" 2021-04-20
17:53:04  OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.11+5)
17:53:04  Eclipse OpenJ9 VM AdoptOpenJDK (build openj9-0.26.0-m1, JRE 11 AIX ppc64-64-Bit Compressed References 20210309_940 (JIT enabled, AOT enabled)
17:53:04  OpenJ9   - b227feba2
17:53:04  OMR      - 4665e2f72
17:53:04  JCL      - 73ab98c885 based on jdk-11.0.11+5)
01:47:02  =====================================================
01:47:02  CONFIGURATION
01:47:02  =====================================================
01:47:02  http.proxyHost :null
01:47:02  http.proxyPort :null
01:47:02  https.proxyHost :null
01:47:02  https.proxyPort :null
01:47:02  https.socksProxyHost :null
01:47:02  https.socksProxyPort :null
01:47:02  jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
01:47:02  Revocation options :[NO_FALLBACK]
01:47:02  OCSP responder set :null
01:47:02  Trusted root set: false
01:47:02  Expected EE Status:GOOD
01:47:02  =====================================================
01:47:02  Received exception: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Tue Mar 02 02:51:39 PST 2021, authority: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB, extension OIDs: []
01:47:02  Expected Certificate status: GOOD
01:47:02  Certificate status after validation: REVOKED
01:47:02  STDERR:
01:47:02  certpath: PKIXCertPathValidator.engineValidate()...
01:47:02  certpath: X509CertSelector.match(SN: 3e8
01:47:02    Issuer: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
01:47:02    Subject: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK)
01:47:02  certpath: X509CertSelector.match: subject DNs don't match
01:47:02  certpath: X509CertSelector.match(SN: 4caaf9cadb636fe01ff74ed85b03869d
01:47:02    Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02    Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB)
01:47:02  certpath: X509CertSelector.match returning: true
01:47:02  certpath: YES - try this trustedCert
01:47:02  certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02  certpath: Constraints: MD2
01:47:02  certpath: Constraints: MD5
01:47:02  certpath: Constraints: SHA1 jdkCA & usage TLSServer
01:47:02  certpath: Constraints set to jdkCA.
01:47:02  certpath: Constraints usage length is 1
01:47:02  certpath: Constraints: RSA keySize < 1024
01:47:02  certpath: Constraints set to keySize: keySize < 1024
01:47:02  certpath: Constraints: DSA keySize < 1024
01:47:02  certpath: Constraints set to keySize: keySize < 1024
01:47:02  certpath: Constraints: EC keySize < 224
01:47:02  certpath: Constraints set to keySize: keySize < 224
01:47:02  certpath: Constraints: secp112r1
01:47:02  certpath: Constraints: secp112r2
01:47:02  certpath: Constraints: secp128r1
01:47:02  certpath: Constraints: secp128r2
01:47:02  certpath: Constraints: secp160k1
01:47:02  certpath: Constraints: secp160r1
01:47:02  certpath: Constraints: secp160r2
01:47:02  certpath: Constraints: secp192k1
01:47:02  certpath: Constraints: secp192r1
01:47:02  certpath: Constraints: secp224k1
01:47:02  certpath: Constraints: secp224r1
01:47:02  certpath: Constraints: secp256k1
01:47:02  certpath: Constraints: sect113r1
01:47:02  certpath: Constraints: sect113r2
01:47:02  certpath: Constraints: sect131r1
01:47:02  certpath: Constraints: sect131r2
01:47:02  certpath: Constraints: sect163k1
01:47:02  certpath: Constraints: sect163r1
01:47:02  certpath: Constraints: sect163r2
01:47:02  certpath: Constraints: sect193r1
01:47:02  certpath: Constraints: sect193r2
01:47:02  certpath: Constraints: sect233k1
01:47:02  certpath: Constraints: sect233r1
01:47:02  certpath: Constraints: sect239k1
01:47:02  certpath: Constraints: sect283k1
01:47:02  certpath: Constraints: sect283r1
01:47:02  certpath: Constraints: sect409k1
01:47:02  certpath: Constraints: sect409r1
01:47:02  certpath: Constraints: sect571k1
01:47:02  certpath: Constraints: sect571r1
01:47:02  certpath: Constraints: X9.62 c2tnb191v1
01:47:02  certpath: Constraints: X9.62 c2tnb191v2
01:47:02  certpath: Constraints: X9.62 c2tnb191v3
01:47:02  certpath: Constraints: X9.62 c2tnb239v1
01:47:02  certpath: Constraints: X9.62 c2tnb239v2
01:47:02  certpath: Constraints: X9.62 c2tnb239v3
01:47:02  certpath: Constraints: X9.62 c2tnb359v1
01:47:02  certpath: Constraints: X9.62 c2tnb431r1
01:47:02  certpath: Constraints: X9.62 prime192v2
01:47:02  certpath: Constraints: X9.62 prime192v3
01:47:02  certpath: Constraints: X9.62 prime239v1
01:47:02  certpath: Constraints: X9.62 prime239v2
01:47:02  certpath: Constraints: X9.62 prime239v3
01:47:02  certpath: Constraints: brainpoolP256r1
01:47:02  certpath: Constraints: brainpoolP320r1
01:47:02  certpath: Constraints: brainpoolP384r1
01:47:02  certpath: Constraints: brainpoolP512r1
01:47:02  certpath: AlgorithmChecker.contains: SHA384withRSA
01:47:02  certpath: --------------------------------------------------------------
01:47:02  certpath: Executing PKIX certification path validation algorithm.
01:47:02  certpath: Checking cert1 - Subject: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02  certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
01:47:02  certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
01:47:02  certpath: -checker1 validation succeeded
01:47:02  certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
01:47:02  certpath: Constraints.permits(): Cert:       [
01:47:02  [
01:47:02    Version: V3
01:47:02    Subject: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02    Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12
01:47:02  
01:47:02    Key:  Sun RSA public key, 2048 bits
01:47:02    params: null
01:47:02    modulus: 18852343883976351177867209285375546899241199909056589260037763491541024287465416145152998663203131427976323178761005937575801782043437284432553301596955269720177700487530895867235139204029383419229415928025248677617223677276013727041477299253280342882950077393150865069014842382548000139105278661212298036383093899650524647783255378015347163229230119291591198923828804710000401144348493390132524893049049442021793791876844662894473716619309338133357929843669355088224946389994110884836643181091926364691135681642952410107742301254034779421629613126356726840806978638325975031897080564853329376999252821642300937074719
01:47:02    public exponent: 65537
01:47:02    Validity: [From: Sat Feb 11 16:00:00 PST 2012,
01:47:02                 To: Thu Feb 11 15:59:59 PST 2027]
01:47:02    Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02    SerialNumber: [    06a74380 d4ebfed4 35b5a3f7 e16abdd8]
01:47:02  
01:47:02  Certificate Extensions: 7
01:47:02  [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
01:47:02  AuthorityInfoAccess [
01:47:02    [
01:47:02     accessMethod: caIssuers
01:47:02     accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt
01:47:02  , 
01:47:02     accessMethod: ocsp
01:47:02     accessLocation: URIName: http://ocsp.comodoca.com
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  [2]: ObjectId: 2.5.29.35 Criticality=false
01:47:02  AuthorityKeyIdentifier [
01:47:02  KeyIdentifier [
01:47:02  0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
01:47:02  0010: D9 32 32 D4                                        .22.
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  [3]: ObjectId: 2.5.29.19 Criticality=true
01:47:02  BasicConstraints:[
01:47:02    CA:true
01:47:02    PathLen:0
01:47:02  ]
01:47:02  
01:47:02  [4]: ObjectId: 2.5.29.31 Criticality=false
01:47:02  CRLDistributionPoints [
01:47:02    [DistributionPoint:
01:47:02       [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]
01:47:02  ]]
01:47:02  
01:47:02  [5]: ObjectId: 2.5.29.32 Criticality=false
01:47:02  CertificatePolicies [
01:47:02    [CertificatePolicyId: [2.5.29.32.0]
01:47:02  [PolicyQualifierInfo: [
01:47:02    qualifierID: 1.3.6.1.5.5.7.2.1
01:47:02    qualifier: 0000: 16 1D 68 74 74 70 73 3A   2F 2F 73 65 63 75 72 65  ..https://secure
01:47:02  0010: 2E 63 6F 6D 6F 64 6F 2E   63 6F 6D 2F 43 50 53     .comodo.com/CPS
01:47:02  
01:47:02  ]]  ]
01:47:02  ]
01:47:02  
01:47:02  [6]: ObjectId: 2.5.29.15 Criticality=true
01:47:02  KeyUsage [
01:47:02    Key_CertSign
01:47:02    Crl_Sign
01:47:02  ]
01:47:02  
01:47:02  [7]: ObjectId: 2.5.29.14 Criticality=false
01:47:02  SubjectKeyIdentifier [
01:47:02  KeyIdentifier [
01:47:02  0000: 39 DA FF CA 28 14 8A A8   74 13 08 B9 E4 0E A9 D2  9...(...t.......
01:47:02  0010: FA 7E 9D 69                                        ...i
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  ]
01:47:02    Algorithm: [SHA384withRSA]
01:47:02    Signature:
01:47:02  
01:47:02  ]
01:47:02  SigAlgo:    SHA384withRSA
01:47:02  AlgParams:  None
01:47:02  NamedCurves: 
01:47:02  Variant:    generic
01:47:02  certpath: KeySizeConstraints.permits(): RSA
01:47:02  certpath: -checker2 validation succeeded
01:47:02  certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
01:47:02  certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
01:47:02  certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
01:47:02  certpath: -checker3 validation succeeded
01:47:02  certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
01:47:02  certpath: ---checking basic constraints...
01:47:02  certpath: i = 1, maxPathLength = 2
01:47:02  certpath: after processing, maxPathLength = 0
01:47:02  certpath: basic constraints verified.
01:47:02  certpath: ---checking name constraints...
01:47:02  certpath: prevNC = null, newNC = null
01:47:02  certpath: mergedNC = null
01:47:02  certpath: name constraints verified.
01:47:02  certpath: -checker4 validation succeeded
01:47:02  certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
01:47:02  certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
01:47:02  certpath: PolicyChecker.checkPolicy() certIndex = 1
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT
01:47:02  
01:47:02  certpath: PolicyChecker.processPolicies() policiesCritical = false
01:47:02  certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
01:47:02  certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
01:47:02  certpath: PolicyChecker.processParents(): matchAny = true
01:47:02  certpath: PolicyChecker.processParents() found parent:
01:47:02  anyPolicy  ROOT
01:47:02  
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy  ROOT
01:47:02    anyPolicy  CRIT: false  EP: anyPolicy  (1)
01:47:02  
01:47:02  certpath: PolicyChecker.checkPolicy() certificate policies verified
01:47:02  certpath: -checker5 validation succeeded
01:47:02  certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
01:47:02  certpath: ---checking validity:Tue Mar 09 17:47:01 PST 2021...
01:47:02  certpath: validity verified.
01:47:02  certpath: ---checking subject/issuer name chaining...
01:47:02  certpath: subject/issuer name chaining verified.
01:47:02  certpath: ---checking signature...
01:47:02  certpath: signature verified.
01:47:02  certpath: BasicChecker.updateState issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB; subject: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB; serial#: 8843850678629180984542216369971314136
01:47:02  certpath: -checker6 validation succeeded
01:47:02  certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
01:47:02  certpath: RevocationChecker.check: checking cert
01:47:02    SN:     06a74380 d4ebfed4 35b5a3f7 e16abdd8
01:47:02    Subject: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02    Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02  certpath: connecting to OCSP service at: http://ocsp.comodoca.com
01:47:02  certpath: OCSP response status: SUCCESSFUL
01:47:02  certpath: OCSP response type: basic
01:47:02  certpath: Responder ID: byKey: BBAF7E023DFAA6F13C848EADEE3898ECD93232D4
01:47:02  certpath: OCSP response produced at: Tue Mar 09 00:04:39 PST 2021
01:47:02  certpath: OCSP number of SingleResponses: 1
01:47:02  certpath: thisUpdate: Tue Mar 09 00:04:39 PST 2021
01:47:02  certpath: nextUpdate: Tue Mar 16 01:04:39 PDT 2021
01:47:02  certpath: Status of certificate (with serial number 8843850678629180984542216369971314136) is: GOOD
01:47:02  certpath: OCSP response is signed by the target's Issuing CA
01:47:02  certpath: Constraints.permits(): Cert:       None
01:47:02  AlgParams:  None
01:47:02  NamedCurves: 
01:47:02  Variant:    generic
01:47:02  certpath: Verified signature of OCSP Response
01:47:02  certpath: OCSP response validity interval is from Tue Mar 09 00:04:39 PST 2021 until Tue Mar 16 01:04:39 PDT 2021
01:47:02  certpath: Checking validity of OCSP response on Tue Mar 09 17:47:01 PST 2021 with allowed interval between Tue Mar 09 17:32:01 PST 2021 and Tue Mar 09 18:02:01 PST 2021
01:47:02  certpath: -checker7 validation succeeded
01:47:02  certpath: 
01:47:02  cert1 validation succeeded.
01:47:02  
01:47:02  certpath: Checking cert2 - Subject: CN=comodorsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL, O=Sectigo Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay, STREET=Trafford Road, L=Salford, OID.2.5.4.17=M5 3EQ, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=04058690
01:47:02  certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
01:47:02  certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
01:47:02  certpath: -checker1 validation succeeded
01:47:02  certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
01:47:02  certpath: Constraints.permits(): Cert:       [
01:47:02  [
01:47:02    Version: V3
01:47:02    Subject: CN=comodorsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL, O=Sectigo Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay, STREET=Trafford Road, L=Salford, OID.2.5.4.17=M5 3EQ, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=04058690
01:47:02    Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
01:47:02  
01:47:02    Key:  Sun RSA public key, 2048 bits
01:47:02    params: null
01:47:02    modulus: 26383546808659189353247444703374744937177672109998575987013521927224496318316409484081469137903157521673813099184876589009240924477959897303230621474193078564808398917149553840263181442638463284671584708867409843815004880861108347026164087596329848878022476619600966982340443450786877604060821287936821618673322156343887273332620374383395938651577268536499384778055198324420773128592998536681098844682276365198366435119233692488311600195238062984310774811426910869918179863250175737032566495160421719858048678321204228382832065143556846145819355156270774614605411957777586730908456072988769539077490240151696663733197
01:47:02    public exponent: 65537
01:47:02    Validity: [From: Sun Sep 29 17:00:00 PDT 2019,
01:47:02                 To: Tue Dec 28 15:59:59 PST 2021]
01:47:02    Issuer: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02    SerialNumber: [    a0c7cabc c25ed935 8ded02cc 1d485545]
01:47:02  
01:47:02  Certificate Extensions: 10
01:47:02  [1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
01:47:02  Extension unknown: DER encoded OCTET string =
01:47:02  
01:47:02  
01:47:02  [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
01:47:02  AuthorityInfoAccess [
01:47:02    [
01:47:02     accessMethod: caIssuers
01:47:02     accessLocation: URIName: http://crt.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crt
01:47:02  , 
01:47:02     accessMethod: ocsp
01:47:02     accessLocation: URIName: http://ocsp.comodoca.com
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  [3]: ObjectId: 2.5.29.35 Criticality=false
01:47:02  AuthorityKeyIdentifier [
01:47:02  KeyIdentifier [
01:47:02  0000: 39 DA FF CA 28 14 8A A8   74 13 08 B9 E4 0E A9 D2  9...(...t.......
01:47:02  0010: FA 7E 9D 69                                        ...i
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  [4]: ObjectId: 2.5.29.19 Criticality=true
01:47:02  BasicConstraints:[
01:47:02    CA:false
01:47:02    PathLen: undefined
01:47:02  ]
01:47:02  
01:47:02  [5]: ObjectId: 2.5.29.31 Criticality=false
01:47:02  CRLDistributionPoints [
01:47:02    [DistributionPoint:
01:47:02       [URIName: http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl]
01:47:02  ]]
01:47:02  
01:47:02  [6]: ObjectId: 2.5.29.32 Criticality=false
01:47:02  CertificatePolicies [
01:47:02    [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.1.5.1]
01:47:02  [PolicyQualifierInfo: [
01:47:02    qualifierID: 1.3.6.1.5.5.7.2.1
01:47:02    qualifier: 0000: 16 1D 68 74 74 70 73 3A   2F 2F 73 65 63 75 72 65  ..https://secure
01:47:02  0010: 2E 63 6F 6D 6F 64 6F 2E   63 6F 6D 2F 43 50 53     .comodo.com/CPS
01:47:02  
01:47:02  ]]  ]
01:47:02    [CertificatePolicyId: [2.23.140.1.1]
01:47:02  []  ]
01:47:02  ]
01:47:02  
01:47:02  [7]: ObjectId: 2.5.29.37 Criticality=false
01:47:02  ExtendedKeyUsages [
01:47:02    serverAuth
01:47:02    clientAuth
01:47:02  ]
01:47:02  
01:47:02  [8]: ObjectId: 2.5.29.15 Criticality=true
01:47:02  KeyUsage [
01:47:02    DigitalSignature
01:47:02    Key_Encipherment
01:47:02  ]
01:47:02  
01:47:02  [9]: ObjectId: 2.5.29.17 Criticality=false
01:47:02  SubjectAlternativeName [
01:47:02    DNSName: comodorsacertificationauthority-ev.comodoca.com
01:47:02  ]
01:47:02  
01:47:02  [10]: ObjectId: 2.5.29.14 Criticality=false
01:47:02  SubjectKeyIdentifier [
01:47:02  KeyIdentifier [
01:47:02  0000: 3E 4B 86 61 22 BC 0E A1   E1 AC F4 10 53 E2 E5 EA  >K.a".......S...
01:47:02  0010: F3 D5 31 FE                                        ..1.
01:47:02  ]
01:47:02  ]
01:47:02  
01:47:02  ]
01:47:02    Algorithm: [SHA256withRSA]
01:47:02    Signature:
01:47:02  
01:47:02  ]
01:47:02  SigAlgo:    SHA256withRSA
01:47:02  AlgParams:  None
01:47:02  NamedCurves: 
01:47:02  Variant:    generic
01:47:02  certpath: KeySizeConstraints.permits(): RSA
01:47:02  certpath: -checker2 validation succeeded
01:47:02  certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
01:47:02  certpath: -checker3 validation succeeded
01:47:02  certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
01:47:02  certpath: ---checking basic constraints...
01:47:02  certpath: i = 2, maxPathLength = 0
01:47:02  certpath: after processing, maxPathLength = 0
01:47:02  certpath: basic constraints verified.
01:47:02  certpath: ---checking name constraints...
01:47:02  certpath: prevNC = null, newNC = null
01:47:02  certpath: mergedNC = null
01:47:02  certpath: name constraints verified.
01:47:02  certpath: -checker4 validation succeeded
01:47:02  certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
01:47:02  certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
01:47:02  certpath: PolicyChecker.checkPolicy() certIndex = 2
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT
01:47:02    anyPolicy  CRIT: false  EP: anyPolicy  (1)
01:47:02  
01:47:02  certpath: PolicyChecker.processPolicies() policiesCritical = false
01:47:02  certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
01:47:02  certpath: PolicyChecker.processPolicies() processing policy: 1.3.6.1.4.1.6449.1.2.1.5.1
01:47:02  certpath: PolicyChecker.processParents(): matchAny = false
01:47:02  certpath: PolicyChecker.processParents(): matchAny = true
01:47:02  certpath: PolicyChecker.processParents() found parent:
01:47:02    anyPolicy  CRIT: false  EP: anyPolicy  (1)
01:47:02  
01:47:02  certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.1
01:47:02  certpath: PolicyChecker.processParents(): matchAny = false
01:47:02  certpath: PolicyChecker.processParents(): matchAny = true
01:47:02  certpath: PolicyChecker.processParents() found parent:
01:47:02    anyPolicy  CRIT: false  EP: anyPolicy  (1)
01:47:02  
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
01:47:02  certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy  ROOT
01:47:02    anyPolicy  CRIT: false  EP: anyPolicy  (1)
01:47:02      1.3.6.1.4.1.6449.1.2.1.5.1  CRIT: false  EP: 1.3.6.1.4.1.6449.1.2.1.5.1  (2)
01:47:02      2.23.140.1.1  CRIT: false  EP: 2.23.140.1.1  (2)
01:47:02  
01:47:02  certpath: PolicyChecker.checkPolicy() certificate policies verified
01:47:02  certpath: -checker5 validation succeeded
01:47:02  certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
01:47:02  certpath: ---checking validity:Tue Mar 09 17:47:01 PST 2021...
01:47:02  certpath: validity verified.
01:47:02  certpath: ---checking subject/issuer name chaining...
01:47:02  certpath: subject/issuer name chaining verified.
01:47:02  certpath: ---checking signature...
01:47:02  certpath: signature verified.
01:47:02  certpath: BasicChecker.updateState issuer: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB; subject: CN=comodorsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL, O=Sectigo Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay, STREET=Trafford Road, L=Salford, OID.2.5.4.17=M5 3EQ, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=04058690; serial#: 213713858402224217355623573844556010821
01:47:02  certpath: -checker6 validation succeeded
01:47:02  certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
01:47:02  certpath: RevocationChecker.check: checking cert
01:47:02    SN:     a0c7cabc c25ed935 8ded02cc 1d485545
01:47:02    Subject: CN=comodorsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL, O=Sectigo Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay, STREET=Trafford Road, L=Salford, OID.2.5.4.17=M5 3EQ, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=04058690
01:47:02    Issuer: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02  certpath: connecting to OCSP service at: http://ocsp.comodoca.com
01:47:02  certpath: OCSP response status: SUCCESSFUL
01:47:02  certpath: OCSP response type: basic
01:47:02  certpath: Responder ID: byKey: 39DAFFCA28148AA8741308B9E40EA9D2FA7E9D69
01:47:02  certpath: OCSP response produced at: Mon Mar 08 17:00:19 PST 2021
01:47:02  certpath: OCSP number of SingleResponses: 1
01:47:02  certpath: Revocation time: Tue Mar 02 02:51:39 PST 2021
01:47:02  certpath: Revocation reason: UNSPECIFIED
01:47:02  certpath: thisUpdate: Mon Mar 08 17:00:19 PST 2021
01:47:02  certpath: nextUpdate: Mon Mar 15 18:00:19 PDT 2021
01:47:02  certpath: Status of certificate (with serial number 213713858402224217355623573844556010821) is: REVOKED
01:47:02  certpath: OCSP response is signed by the target's Issuing CA
01:47:02  certpath: Constraints.permits(): Cert:       None
01:47:02  AlgParams:  None
01:47:02  NamedCurves: 
01:47:02  Variant:    generic
01:47:02  certpath: Verified signature of OCSP Response
01:47:02  certpath: OCSP response validity interval is from Mon Mar 08 17:00:19 PST 2021 until Mon Mar 15 18:00:19 PDT 2021
01:47:02  certpath: Checking validity of OCSP response on Tue Mar 09 17:47:01 PST 2021 with allowed interval between Tue Mar 09 17:32:01 PST 2021 and Tue Mar 09 18:02:01 PST 2021
01:47:02  certpath: X509CertSelector.match(SN: cbe
01:47:02    Issuer: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
01:47:02    Subject: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW)
01:47:02  certpath: X509CertSelector.match: subject DNs don't match
01:47:02  java.lang.RuntimeException: TEST FAILED: unexpected status of EE certificate
01:47:02    at ValidatePathWithParams.validate(ValidatePathWithParams.java:193)
01:47:02    at ComodoRSA.runTest(ComodoCA.java:222)
01:47:02    at ComodoCA.main(ComodoCA.java:62)
01:47:02    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
01:47:02    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
01:47:02    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
01:47:02    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
01:47:02    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
01:47:02    at java.base/java.lang.Thread.run(Thread.java:836)
01:47:02  
01:47:02  JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST FAILED: unexpected status of EE certificate

andrew-m-leonard commented 3 years ago

pLinux: https://ci.adoptopenjdk.net/job/Test_openjdk11_j9_extended.openjdk_ppc64le_linux/25/

andrew-m-leonard commented 3 years ago

https://ci.adoptopenjdk.net/job/Test_openjdk11_j9_extended.openjdk_s390x_linux/14/#showFailuresLink

pshipton commented 3 years ago

Based on some internal test information (openj9-openjdk-jdk11-zos/issues/596), this seems a recent regression, tracking the first failing build.

pshipton commented 3 years ago

I tried the 0.23 and 0.24 release builds and they also fail; this isn't a (recent) regression. Also tried running with -Djdk.nativeCrypto=false, but this doesn't change the behavior.

pshipton commented 3 years ago

@andrew-m-leonard are you able to take on determining why this fails on OpenJ9?

sxa commented 3 years ago

It's not specific to OpenJ9 as it shows up here too. I presume it's started failing since the 2nd March given that the error seems to be related to a certificate that was revoked on that date.

andrew-m-leonard commented 3 years ago

Ah, so just re-tried Hotspot and it now fails as well: https://ci.adoptopenjdk.net/job/Grinder/7590/console

Looks like an expired certificate:

11:26:49  Received exception: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Tue Mar 02 04:51:39 CST 2021, authority: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB, extension OIDs: []

andrew-m-leonard commented 3 years ago

Raised an openjdk-build issue to investigate Cert validity: https://github.com/AdoptOpenJDK/openjdk-build/issues/2527
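
The triage this thread does by eye on the `certpath` debug output (which certificate the OCSP responder reported as REVOKED, when, and whether the response signature verified) can be scripted. This is an added example, not part of the original issue or of the OpenJ9/OpenJDK test code; the function names and verdict labels are assumptions of the example, and the sample is a constructed excerpt trimmed from the log quoted above.

```python
import re

# Constructed sample: lines trimmed from the certpath debug log quoted in the issue.
SAMPLE_LOG = """\
01:47:02  Expected EE Status:GOOD
01:47:02  certpath: RevocationChecker.check: checking cert
01:47:02    SN:     06a74380 d4ebfed4 35b5a3f7 e16abdd8
01:47:02    Subject: CN=COMODO RSA Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
01:47:02  certpath: connecting to OCSP service at: http://ocsp.comodoca.com
01:47:02  certpath: OCSP response status: SUCCESSFUL
01:47:02  certpath: thisUpdate: Tue Mar 09 00:04:39 PST 2021
01:47:02  certpath: Status of certificate (with serial number 8843850678629180984542216369971314136) is: GOOD
01:47:02  certpath: Verified signature of OCSP Response
01:47:02  certpath: RevocationChecker.check: checking cert
01:47:02    SN:     a0c7cabc c25ed935 8ded02cc 1d485545
01:47:02    Subject: CN=comodorsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL, O=Sectigo Limited
01:47:02  certpath: connecting to OCSP service at: http://ocsp.comodoca.com
01:47:02  certpath: OCSP response status: SUCCESSFUL
01:47:02  certpath: Revocation time: Tue Mar 02 02:51:39 PST 2021
01:47:02  certpath: Revocation reason: UNSPECIFIED
01:47:02  certpath: Status of certificate (with serial number 213713858402224217355623573844556010821) is: REVOKED
01:47:02  certpath: Verified signature of OCSP Response
01:47:02  Certificate status after validation: REVOKED
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\s+")  # CI console timestamp prefix
STATUS = re.compile(r"Status of certificate \(with serial number (\d+)\) is: (\w+)")


def _strip(line):
    """Drop the console timestamp and surrounding whitespace."""
    return TS.sub("", line).strip()


def parse_ocsp_checks(log):
    """Return one record per 'RevocationChecker.check' block in the log."""
    checks, cur = [], None
    for raw in log.splitlines():
        line = _strip(raw)
        if line.startswith("certpath: RevocationChecker.check: checking cert"):
            cur = {"subject": None, "serial": None, "responder": None,
                   "response_status": None, "cert_status": None,
                   "revocation_time": None, "revocation_reason": None,
                   "signature_verified": False}
            checks.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Subject: ") and cur["subject"] is None:
            cur["subject"] = line[len("Subject: "):]
        elif line.startswith("certpath: connecting to OCSP service at: "):
            cur["responder"] = line.split("at: ", 1)[1]
        elif line.startswith("certpath: OCSP response status: "):
            cur["response_status"] = line.rsplit(": ", 1)[1]
        elif line.startswith("certpath: Revocation time: "):
            cur["revocation_time"] = line.split("time: ", 1)[1]
        elif line.startswith("certpath: Revocation reason: "):
            cur["revocation_reason"] = line.split("reason: ", 1)[1]
        elif line == "certpath: Verified signature of OCSP Response":
            cur["signature_verified"] = True
        else:
            m = STATUS.search(line)
            if m:
                cur["serial"], cur["cert_status"] = m.group(1), m.group(2)
    return checks


def triage(log):
    """Classify a failed run: CA-side revocation vs. something to debug in the VM."""
    text = "\n".join(_strip(l) for l in log.splitlines())
    exp = re.search(r"Expected EE Status:\s*(\w+)", text)
    act = re.search(r"Certificate status after validation:\s*(\w+)", text)
    checks = parse_ocsp_checks(log)
    revoked = [c for c in checks if c["cert_status"] == "REVOKED"]
    if not exp or not act:
        verdict = "incomplete-log"
    elif exp.group(1) == act.group(1):
        verdict = "as-expected"
    elif revoked and all(c["response_status"] == "SUCCESSFUL"
                         and c["signature_verified"] for c in revoked):
        # A signed, verified REVOKED answer means the validator did its job;
        # the test's expectation is stale, not the runtime.
        verdict = "responder-reported-revocation"
    else:
        verdict = "needs-investigation"
    return {"expected": exp.group(1) if exp else None,
            "actual": act.group(1) if act else None,
            "verdict": verdict, "revoked": revoked}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    for c in result["revoked"]:
        print(c["serial"], c["revocation_time"], c["subject"])
```

A `responder-reported-revocation` verdict points at the test's certificate data rather than at the JVM under test, which matches what the thread found once Hotspot was re-run.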