eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

jdk_security3_1_FAILED PKCS11Exception: CKR_USER_TYPE_INVALID/CKR_ATTRIBUTE_VALUE_INVALID & InvalidParameterException: RSA key must be at least 1023 bits #15967

Open JasonFengJ9 opened 2 years ago

JasonFengJ9 commented 2 years ago

Failure link

From an internal build (rhel8le-rt1-4):

openjdk version "1.8.0_352"
IBM Semeru Runtime Open Edition (build 1.8.0_352-b05)
Eclipse OpenJ9 VM (build master-784820387, JRE 1.8.0 Linux ppc64le-64-Bit Compressed References 20220923_459 (JIT enabled, AOT enabled)
OpenJ9   - 784820387
OMR      - 24b511df5
JCL      - a7b0cf7c3 based on jdk8u352-b05)

Rerun in Grinder - Change TARGET to run only the failed test targets.

Optional info

Failure output (captured from console output)

[2022-09-24T06:34:42.545Z] variation: Mode650
[2022-09-24T06:34:42.545Z] JVM_OPTIONS:  -XX:-UseCompressedOops 

[2022-09-24T06:48:08.943Z] TEST: sun/security/pkcs11/rsa/TestKeyFactory.java

[2022-09-24T06:48:08.944Z] STDOUT:
[2022-09-24T06:48:08.944Z] libsoftokn3 version = 3.79.  ECC Basic.
[2022-09-24T06:48:08.944Z] Beginning test run TestKeyFactory...
[2022-09-24T06:48:08.944Z] Running test with provider SunPKCS11-NSS (security manager disabled) ...
[2022-09-24T06:48:08.944Z] Testing private key...
[2022-09-24T06:48:08.944Z] Testing public key...
[2022-09-24T06:48:08.944Z] Testing private key...
[2022-09-24T06:48:08.944Z] Testing public key...
[2022-09-24T06:48:08.944Z] Testing private key...
[2022-09-24T06:48:08.944Z] Testing public key...
[2022-09-24T06:48:08.944Z] Testing private key...
[2022-09-24T06:48:08.944Z] Testing public key...
[2022-09-24T06:48:08.944Z] Testing private key...
[2022-09-24T06:48:08.944Z] Testing public key...
[2022-09-24T06:48:08.944Z] STDERR:
[2022-09-24T06:48:08.944Z] java.security.InvalidKeyException: Could not create RSA public key
[2022-09-24T06:48:08.944Z]  at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:71)
[2022-09-24T06:48:08.944Z]  at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:127)
[2022-09-24T06:48:08.944Z]  at java.security.KeyFactory.translateKey(KeyFactory.java:452)
[2022-09-24T06:48:08.944Z]  at TestKeyFactory.testPublic(TestKeyFactory.java:80)
[2022-09-24T06:48:08.944Z]  at TestKeyFactory.test(TestKeyFactory.java:124)
[2022-09-24T06:48:08.944Z]  at TestKeyFactory.main(TestKeyFactory.java:144)
[2022-09-24T06:48:08.944Z]  at PKCS11Test.premain(PKCS11Test.java:125)
[2022-09-24T06:48:08.944Z]  at PKCS11Test.testNSS(PKCS11Test.java:487)
[2022-09-24T06:48:08.945Z]  at PKCS11Test.main(PKCS11Test.java:156)
[2022-09-24T06:48:08.945Z]  at TestKeyFactory.main(TestKeyFactory.java:131)
[2022-09-24T06:48:08.945Z]  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2022-09-24T06:48:08.945Z]  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2022-09-24T06:48:08.945Z]  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2022-09-24T06:48:08.945Z]  at java.lang.reflect.Method.invoke(Method.java:498)
[2022-09-24T06:48:08.945Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2022-09-24T06:48:08.945Z]  at java.lang.Thread.run(Thread.java:826)
[2022-09-24T06:48:08.945Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
[2022-09-24T06:48:08.945Z]  at sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:183)
[2022-09-24T06:48:08.945Z]  at sun.security.pkcs11.P11RSAKeyFactory.generatePublic(P11RSAKeyFactory.java:198)
[2022-09-24T06:48:08.945Z]  at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:57)
[2022-09-24T06:48:08.945Z]  ... 15 more
[2022-09-24T06:48:08.945Z] 
[2022-09-24T06:48:08.945Z] JavaTest Message: Test threw exception: java.security.InvalidKeyException: Could not create RSA public key

[2022-09-24T06:48:08.946Z] TEST: sun/security/pkcs11/rsa/TestSignatures.java

....

[2022-09-24T06:48:08.949Z] TEST: sun/security/pkcs11/Signature/ByteBuffers.java

[2022-09-24T06:48:08.950Z] STDOUT:
[2022-09-24T06:48:08.950Z] libsoftokn3 version = 3.79.  ECC Basic.
[2022-09-24T06:48:08.950Z] Beginning test run ByteBuffers...
[2022-09-24T06:48:08.950Z] Running test with provider SunPKCS11-NSS (security manager disabled) ...
[2022-09-24T06:48:08.950Z] STDERR:
[2022-09-24T06:48:08.950Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
[2022-09-24T06:48:08.950Z]  at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:148)
[2022-09-24T06:48:08.950Z]  at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:640)
[2022-09-24T06:48:08.950Z]  at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:351)
[2022-09-24T06:48:08.950Z]  at ByteBuffers.main(ByteBuffers.java:56)
[2022-09-24T06:48:08.950Z]  at PKCS11Test.premain(PKCS11Test.java:125)
[2022-09-24T06:48:08.950Z]  at PKCS11Test.testNSS(PKCS11Test.java:487)
[2022-09-24T06:48:08.950Z]  at PKCS11Test.main(PKCS11Test.java:156)
[2022-09-24T06:48:08.950Z]  at ByteBuffers.main(ByteBuffers.java:45)
[2022-09-24T06:48:08.950Z]  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2022-09-24T06:48:08.950Z]  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2022-09-24T06:48:08.950Z]  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2022-09-24T06:48:08.950Z]  at java.lang.reflect.Method.invoke(Method.java:498)
[2022-09-24T06:48:08.950Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2022-09-24T06:48:08.950Z]  at java.lang.Thread.run(Thread.java:826)

[2022-09-24T06:48:08.951Z] TEST: sun/security/pkcs11/Signature/ReinitSignature.java

....

[2022-09-24T06:48:08.954Z] TEST: sun/security/pkcs11/Signature/TestRSAKeyLength.java

....

[2022-09-24T07:22:21.507Z] TEST: sun/security/tools/keytool/autotest.sh

....

[2022-09-24T07:40:06.015Z] Test results: passed: 596; failed: 6
[2022-09-24T07:40:06.015Z] Report written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_ppc64le_linux/aqa-tests/TKG/output_16639895572259/jdk_security3_1/report/html/report.html
[2022-09-24T07:40:06.015Z] Results written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_ppc64le_linux/aqa-tests/TKG/output_16639895572259/jdk_security3_1/work
[2022-09-24T07:40:06.015Z] Error: Some tests failed or other problems occurred.
[2022-09-24T07:40:06.015Z] 
[2022-09-24T07:40:06.015Z] jdk_security3_1_FAILED

50x internal grinder - passed

pshipton commented 2 years ago

Grinder passed, but passing machines are rhel7, ub18, ub20, ub22. @JasonFengJ9 it may be worth re-trying on rhel8 in case this is a platform-specific failure.

JasonFengJ9 commented 2 years ago

Reproduced at rhel8ppc64le-fips4-1

12:51:20  TEST: sun/security/pkcs11/Secmod/TrustAnchors.java

12:51:20  STDERR:
12:51:20  java.security.ProviderException: java.security.ProviderException: Initialization failed
12:51:20    at sun.security.pkcs11.Secmod$Module.newProvider(Secmod.java:537)
12:51:20    at sun.security.pkcs11.Secmod$Module.getTrust(Secmod.java:569)
12:51:20    at sun.security.pkcs11.Secmod.getModuleTrust(Secmod.java:297)
12:51:20    at sun.security.pkcs11.Secmod.isTrusted(Secmod.java:287)
12:51:20    at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2367)
12:51:20    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:768)
12:51:20    at java.security.KeyStore.load(KeyStore.java:1445)
12:51:20    at TrustAnchors.main(TrustAnchors.java:70)
12:51:20    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
12:51:20    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
12:51:20    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
12:51:20    at java.lang.reflect.Method.invoke(Method.java:498)
12:51:20    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
12:51:20    at java.lang.Thread.run(Thread.java:826)
12:51:20  Caused by: java.security.ProviderException: Initialization failed
12:51:20    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:421)
12:51:20    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:129)
12:51:20    at sun.security.pkcs11.Secmod$Module.newProvider(Secmod.java:534)
12:51:20    ... 13 more
12:51:20  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
12:51:20    at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1680)
12:51:20    at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:216)
12:51:20    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:352)
12:51:20    ... 15 more

12:51:20  TEST: sun/security/pkcs11/Signature/TestRSAKeyLength.java

12:51:20  STDERR:
12:51:20  java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
12:51:20    at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:148)
12:51:20    at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:640)
12:51:20    at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:351)
12:51:20    at TestRSAKeyLength.main(TestRSAKeyLength.java:55)
12:51:20    at PKCS11Test.premain(PKCS11Test.java:125)
12:51:20    at PKCS11Test.testNSS(PKCS11Test.java:487)
12:51:20    at PKCS11Test.main(PKCS11Test.java:156)
12:51:20    at TestRSAKeyLength.main(TestRSAKeyLength.java:46)
12:51:20    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
12:51:20    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
12:51:20    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
12:51:20    at java.lang.reflect.Method.invoke(Method.java:498)
12:51:20    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
12:51:20    at java.lang.Thread.run(Thread.java:826)

pshipton commented 2 years ago

Not sure it's valid to run on a fips machine (in non-fips mode, without the fips exclude list); these machines don't have the non-fips test label. That might explain the ".PKCS11Exception: CKR_ARGUMENTS_BAD" failure.

It would be good to try Temurin as well, since this seems like an OpenJDK issue on rhel8.

JasonFengJ9 commented 2 years ago

Internal grinder (rhel8ppc64le-fips4-1)

14:01:03  OpenJDK Runtime Environment (Temurin)(build 1.8.0_345-b01)
14:01:03  OpenJDK 64-Bit Server VM (Temurin)(build 25.345-b01, mixed mode)

14:04:43  TEST: javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java
14:04:43  STDERR:
14:04:43  java.lang.Exception: Enabled ciphersuite mismatch
14:04:43    at CheckCipherSuites.main(CheckCipherSuites.java:316)

14:06:25  TEST: javax/net/ssl/SSLSocket/Tls13PacketSize.java
14:06:25  STDERR:
14:06:25  java.lang.IllegalStateException: Can't overwrite cause with javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
14:06:25    at java.lang.Throwable.initCause(Throwable.java:458)
14:06:25    at SSLSocketTemplate.bootup(SSLSocketTemplate.java:846)
14:06:25    at SSLSocketTemplate.run(SSLSocketTemplate.java:81)
14:06:25    at Tls13PacketSize.main(Tls13PacketSize.java:50)
14:06:25    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
14:06:25    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
14:06:25    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
14:06:25    at java.lang.reflect.Method.invoke(Method.java:498)
14:06:25    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
14:06:25    at java.lang.Thread.run(Thread.java:750)
14:06:25  Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
14:06:25    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1575)
14:06:25    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1405)
14:06:25    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
14:06:25    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
14:06:25    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
14:06:25    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
14:06:25    at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:909)
14:06:25    at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:869)
14:06:25    at Tls13PacketSize.runServerApplication(Tls13PacketSize.java:59)
14:06:25    at SSLSocketTemplate.doServerSide(SSLSocketTemplate.java:274)
14:06:25    at SSLSocketTemplate.startServer(SSLSocketTemplate.java:891)
14:06:25    at SSLSocketTemplate.bootup(SSLSocketTemplate.java:805)
14:06:25    ... 8 more
14:06:25  Caused by: java.io.EOFException: SSL peer shut down incorrectly
14:06:25    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
14:06:25    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
14:06:25    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
14:06:25    ... 18 more

14:06:25  TEST: javax/net/ssl/Stapling/HttpsUrlConnClient.java
14:06:25  javax.net.ssl|SEVERE|09|MainThread|2022-09-28 11:06:20.284 PDT|TransportContext.java:316|Fatal (BAD_CERT_STATUS_RESPONSE): PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Wed Sep 28 03:06:19 PDT 2022, authority: CN=Intermediate CA Cert, O=SomeCompany, extension OIDs: [] (
14:06:25  "throwable" : {
14:06:25    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Wed Sep 28 03:06:19 PDT 2022, authority: CN=Intermediate CA Cert, O=SomeCompany, extension OIDs: []
14:06:25        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:386)
14:06:25        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:279)

14:06:25    Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Wed Sep 28 03:06:19 PDT 2022, authority: CN=Intermediate CA Cert, O=SomeCompany, extension OIDs: []
14:06:25        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
14:06:25        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:220)
14:06:25        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
14:06:25        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
14:06:25        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
14:06:25        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:381)
14:06:25        ... 31 more
14:06:25    Caused by: java.security.cert.CertificateRevokedException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Wed Sep 28 03:06:19 PDT 2022, authority: CN=Intermediate CA Cert, O=SomeCompany, extension OIDs: []

14:07:27  TEST: javax/net/ssl/TLS/TLSClientPropertyTest.java
14:07:27  java.lang.RuntimeException: FAILED Default protocol TLSv1.3missing
14:07:27    at TLSClientPropertyTest.error(TLSClientPropertyTest.java:181)

14:21:06  TEST: sun/security/pkcs11/fips/TestTLS12.java
14:21:06  STDERR:
14:21:06  java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
14:21:06    at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:424)
14:21:06    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
14:21:06    at sun.security.ssl.DHKeyExchange$DHEPossession.generateDHKeyPair(DHKeyExchange.java:181)
14:21:06    at sun.security.ssl.DHKeyExchange$DHEPossession.<init>(DHKeyExchange.java:139)
14:21:06    at sun.security.ssl.DHKeyExchange$DHEPossessionGenerator.createPossession(DHKeyExchange.java:389)
14:21:06    at sun.security.ssl.SSLKeyExchange$T12KeyAgreement.createPossession(SSLKeyExchange.java:376)
14:21:06    at sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:89)
14:21:06    at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:433)
14:21:06    at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
14:21:06    at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
14:21:06    at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
14:21:06    at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
14:21:06    at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
14:21:06    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
14:21:06    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
14:21:06    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
14:21:06    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
14:21:06    at java.security.AccessController.doPrivileged(Native Method)
14:21:06    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
14:21:06    at TestTLS12$testTLS12SunPKCS11Communication.runDelegatedTasks(TestTLS12.java:363)
14:21:06    at TestTLS12$testTLS12SunPKCS11Communication.run(TestTLS12.java:312)
14:21:06    at TestTLS12.main(TestTLS12.java:92)
14:21:06    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
14:21:06    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
14:21:06    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
14:21:06    at java.lang.reflect.Method.invoke(Method.java:498)
14:21:06    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
14:21:06    at java.lang.Thread.run(Thread.java:750)
14:21:06  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
14:21:06    at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
14:21:06    at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:416)
14:21:06    ... 27 more

14:21:45  TEST: sun/security/pkcs11/Signature/ByteBuffers.java
14:21:45  STDERR:
14:21:45  java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
14:21:45    at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:150)

14:21:46  TEST: sun/security/pkcs11/Signature/InitAgainPSS.java
14:21:46  STDERR:
14:21:46  java.security.InvalidKeyException: RSA key must be at least 1023 bytes
14:21:46    at sun.security.pkcs11.P11PSSSignature.checkKeySize(P11PSSSignature.java:355)
14:21:46    at sun.security.pkcs11.P11PSSSignature.engineInitSign(P11PSSSignature.java:467

Since RI failed similarly at rhel8ppc64le-fips4-1, this is not an OpenJ9 issue.

pshipton commented 2 years ago

The original failure wasn't on a fips machine, not sure how fips got involved. We should try the tests with Temurin on a non-fips machine, although I expect the outcome to be the same (not an OpenJ9 issue).

JasonFengJ9 commented 2 years ago

As expected (https://github.com/eclipse-openj9/openj9/issues/15967#issuecomment-1261414041), hotspot had the same error on the machine rhel8le-rt1-4 (internal grinder), where this issue was reported initially.

17:57:18  TEST: sun/security/pkcs11/rsa/TestKeyFactory.java

17:57:18  STDERR:
17:57:18  java.security.InvalidKeyException: Could not create RSA public key
17:57:18    at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:71)
17:57:18    at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:127)
17:57:18    at java.security.KeyFactory.translateKey(KeyFactory.java:452)

17:57:18  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
17:57:18    at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
17:57:18    at sun.security.pkcs11.P11RSAKeyFactory.generatePublic(P11RSAKeyFactory.java:198)
17:57:18    at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:57)

17:57:29  TEST: sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java

17:57:29  STDERR:
17:57:29  java.security.InvalidKeyException: RSA key must be at least 1023 bytes
17:57:29    at sun.security.pkcs11.P11PSSSignature.checkKeySize(P11PSSSignature.java:355)
17:57:29    at sun.security.pkcs11.P11PSSSignature.engineInitSign(P11PSSSignature.java:467)

So this confirms it is not an OpenJ9 issue.

JasonFengJ9 commented 2 years ago

Internal build (rhel9x86-rt3-1)

openjdk version "1.8.0_352"
IBM Semeru Runtime Open Edition (build 1.8.0_352-b06)
Eclipse OpenJ9 VM (build openj9-0.35.0-m2b, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20221002_489 (JIT enabled, AOT enabled)
OpenJ9   - 2e24c0da7
OMR      - 447afc0f0
JCL      - fa9321797d based on jdk8u352-b06)

JasonFengJ9 commented 2 years ago

Internal build (p10rhel053)

openjdk version "11.0.17" 2022-10-18
IBM Semeru Runtime Open Edition 11.0.17.0-m2b (build 11.0.17+7)
Eclipse OpenJ9 VM 11.0.17.0-m2b (build openj9-0.35.0-m2b, JRE 11 Linux ppc64le-64-Bit Compressed References 20221001_507 (JIT enabled, AOT enabled)
OpenJ9   - 2e24c0da7
OMR      - 447afc0f0
JCL      - e9ad99b74d based on jdk-11.0.17+7)

Internal build (rhel9s390xrt-2)

openjdk version "11.0.17" 2022-10-18
IBM Semeru Runtime Open Edition 11.0.17.0-m2b (build 11.0.17+7)
Eclipse OpenJ9 VM 11.0.17.0-m2b (build openj9-0.35.0-m2b, JRE 11 Linux s390x-64-Bit Compressed References 20221001_469 (JIT enabled, AOT enabled)
OpenJ9   - 2e24c0da7
OMR      - 447afc0f0
JCL      - e9ad99b74d based on jdk-11.0.17+7)

JasonFengJ9 commented 2 years ago

Internal 0.35 rc1 build (rhel8x86-rt2-1)

openjdk version "11.0.17" 2022-10-18
IBM Semeru Runtime Open Edition 11.0.17.0-rc1 (build 11.0.17+8)
Eclipse OpenJ9 VM 11.0.17.0-rc1 (build openj9-0.35.0-rc1, JRE 11 Linux amd64-64-Bit Compressed References 20221020_550 (JIT enabled, AOT enabled)
OpenJ9   - e04a7f6c1
OMR      - 85a21674f
JCL      - a94c231303 based on jdk-11.0.17+8)

WilburZjh commented 2 years ago

Similar failure in JDK17 java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java.BuildEEBasicConstraints. This BuildEEBasicConstraints test case in jdk17 failed when running in a Jenkins build at rhel8x64-fips4-1.fyre.ibm.com.

java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create RSA public key
    at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
    at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1785)
    at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:183)
    at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
    at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
    at jdk.test.lib.security.CertUtils.getCertFromStream(CertUtils.java:434)
    at jdk.test.lib.security.CertUtils.getCertFromFile(CertUtils.java:467)
    at BuildEEBasicConstraints.main(BuildEEBasicConstraints.java:60)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
    at java.base/java.lang.Thread.run(Thread.java:857)
Caused by: java.io.IOException: subject key, Could not create RSA public key
    at java.base/sun.security.x509.X509Key.parse(X509Key.java:175)
    at java.base/sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
    at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:674)
    at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
    ... 13 more
Caused by: java.security.InvalidKeyException: Could not create RSA public key
    at java.base/sun.security.x509.X509Key.buildX509Key(X509Key.java:228)
    at java.base/sun.security.x509.X509Key.parse(X509Key.java:171)
    ... 16 more
Caused by: java.security.spec.InvalidKeySpecException: Could not create RSA public key
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory.engineGeneratePublic(P11RSAKeyFactory.java:116)
    at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:351)
    at java.base/sun.security.x509.X509Key.buildX509Key(X509Key.java:224)
    ... 17 more
Caused by: java.security.InvalidKeyException: Could not create RSA public key
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:70)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory.engineGeneratePublic(P11RSAKeyFactory.java:114)
    ... 19 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:187)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory.generatePublic(P11RSAKeyFactory.java:193)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:59)
    ... 20 more

JavaTest Message: Test threw exception: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create RSA public key
JavaTest Message: shutting down test

STATUS:Failed.`main' threw exception: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create RSA public key

But it passes when running jtreg on a Fyre machine with Red Hat OS and FIPS mode enabled. Results can be found here.

#Test Results (version 2)
#Wed Oct 26 10:49:09 PDT 2022
#-----testdescription-----
$file=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java
$root=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk
keywords=bug6714842 othervm
library=/test/lib
run=USER_SPECIFIED main/othervm BuildEEBasicConstraints\n
source=BuildEEBasicConstraints.java
title=make sure a PKIX CertPathBuilder builds a path to an end entity certificate when the setBasicConstraints method of the X509CertSelector of the targetConstraints PKIXBuilderParameters parameter is set to -2.

#-----environment-----

#-----testresult-----
description=file\:/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java
elapsed=3478 0\:00\:03.478
end=Wed Oct 26 10\:49\:09 PDT 2022
environment=regtest
execStatus=Passed. Execution successful
harnessLoaderMode=Classpath Loader
harnessVariety=Full Bundle
hostname=jdk17-ssl-test1.fyre.ibm.com
javatestOS=Linux 4.18.0-372.19.1.el8_6.x86_64 (amd64)
javatestVersion=6.0-ea+b24-2022-10-26-${BUILT_FROM_COMMIT}
jtregVersion=jtreg 7.1 dev 0
script=com.sun.javatest.regtest.exec.RegressionScript
sections=script_messages build compile main
start=Wed Oct 26 10\:49\:06 PDT 2022
test=java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java
testJDK=/root/jdk/jdk17/latestJDK17/jdk
testJDK_OS=[name\:Linux,arch\:amd64,version\:4.18.0-372.19.1.el8_6.x86_64,family\:linux,simple_arch\:x64,simple_version\:4.18,processors\:2,maxMemory\:3913011200,maxSwap\:17175670784]
testJDK_os.arch=amd64
testJDK_os.name=Linux
testJDK_os.version=4.18.0-372.19.1.el8_6.x86_64
totalTime=3486
user.name=root
work=/root/jtreg/test/jtreg_result/work/java/security/cert/CertPathBuilder/targetConstraints

#section:script_messages
----------messages:(10/592)----------
JDK under test: /root/jdk/jdk17/latestJDK17/jdk
openjdk version "17.0.5-internal" 2022-10-18
OpenJDK Runtime Environment (build 17.0.5-internal+0-adhoc.jenkins.BuildJDK17x86-64linuxPersonal)
Eclipse OpenJ9 VM (build master-53c0b4dbbab, JRE 17 Linux amd64-64-Bit Compressed References 20221025_772 (JIT enabled, AOT enabled)
OpenJ9   - 53c0b4dbbab
OMR      - f6bafc5fa7b
JCL      - 82eb91db8e0 based on jdk-17.0.5+8)
Library /test/lib; kind: packages
   source directory: /root/jtreg/test/openj9-openjdk-jdk17/test/lib
   class directory: /root/jtreg/test/jtreg_result/work/classes/0/test/lib

#section:build
----------messages:(7/236)----------
command: build BuildEEBasicConstraints
reason: Named class compiled on demand
started: Wed Oct 26 10:49:06 PDT 2022
Test directory:
  compile: BuildEEBasicConstraints
finished: Wed Oct 26 10:49:08 PDT 2022
elapsed time (seconds): 2.537
result: Passed. Build successful

#section:compile
----------messages:(7/329)----------
command: compile /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java
reason: .class file out of date or does not exist
started: Wed Oct 26 10:49:06 PDT 2022
Mode: agentvm
Agent id: 1
finished: Wed Oct 26 10:49:08 PDT 2022
elapsed time (seconds): 2.527
----------configuration:(12/793)----------
Boot Layer (javac runtime environment)
  class path: /root/jtreg/test/jtreg/build/images/jtreg/lib/javatest.jar 
              /root/jtreg/test/jtreg/build/images/jtreg/lib/jtreg.jar 
  patch:      java.base /root/jtreg/test/jtreg_result/work/patches/java.base

javac compilation environment
  source path: /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints
               /root/jtreg/test/openj9-openjdk-jdk17/test/lib
  class path:  /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints
               /root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d
               /root/jtreg/test/jtreg_result/work/classes/0/test/lib

----------rerun:(30/2927)*----------
cd /root/jtreg/test/jtreg_result/work/scratch/0 && \\
HOME=/root \\
LANG=en_CA.UTF-8 \\
PATH=/bin:/usr/bin:/usr/sbin \\
    /root/jdk/jdk17/latestJDK17/jdk/bin/javac \\
        -J-ea \\
        -J-esa \\
        -J-Xmx512m \\
        -J-XX:+UseCompressedOops \\
        -J-Dsemeru.fips=true \\
        -J-Djava.security.debug=access \\
        -J-Dsemeru.fips=true \\
        -J-Dtest.vm.opts='-ea -esa -Xmx512m -XX:+UseCompressedOops -Dsemeru.fips=true -Djava.security.debug=access -Dsemeru.fips=true' \\
        -J-Dtest.tool.vm.opts='-J-ea -J-esa -J-Xmx512m -J-XX:+UseCompressedOops -J-Dsemeru.fips=true -J-Djava.security.debug=access -J-Dsemeru.fips=true' \\
        -J-Dtest.compiler.opts= \\
        -J-Dtest.java.opts= \\
        -J-Dtest.jdk=/root/jdk/jdk17/latestJDK17/jdk \\
        -J-Dcompile.jdk=/root/jdk/jdk17/latestJDK17/jdk \\
        -J-Dtest.timeout.factor=1.0 \\
        -J-Dtest.root=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk \\
        -J-Dtest.name=java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java \\
        -J-Dtest.file=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java \\
        -J-Dtest.src=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints \\
        -J-Dtest.src.path=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/openj9-openjdk-jdk17/test/lib \\
        -J-Dtest.classes=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d \\
        -J-Dtest.class.path=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/jtreg_result/work/classes/0/test/lib \\
        -J-Dtest.class.path.prefix=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/jtreg_result/work/classes/0/test/lib \\
        -d /root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d \\
        -sourcepath /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/openj9-openjdk-jdk17/test/lib \\
        -classpath /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/jtreg_result/work/classes/0/test/lib /root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java
----------stderr:(4/442)----------
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by com.sun.javatest.regtest.agent.RegressionSecurityManager (file:/root/jtreg/test/jtreg/build/images/jtreg/lib/jtreg.jar)
WARNING: Please consider reporting this to the maintainers of com.sun.javatest.regtest.agent.RegressionSecurityManager
WARNING: System::setSecurityManager will be removed in a future release
----------direct:(2/179)----------
Note: /root/jtreg/test/openj9-openjdk-jdk17/test/lib/jdk/test/lib/security/CertUtils.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
result: Passed. Compilation successful

#section:main
----------messages:(6/253)----------
command: main BuildEEBasicConstraints
reason: User specified action: run main/othervm BuildEEBasicConstraints 
started: Wed Oct 26 10:49:08 PDT 2022
Mode: othervm [/othervm specified]
finished: Wed Oct 26 10:49:09 PDT 2022
elapsed time (seconds): 0.666
----------configuration:(0/0)----------
----------System.out:(0/0)----------
----------System.err:(1/15)----------
STATUS:Passed.
----------rerun:(29/2777)*----------
cd /root/jtreg/test/jtreg_result/work/scratch/0 && \\
HOME=/root \\
LANG=en_CA.UTF-8 \\
PATH=/bin:/usr/bin:/usr/sbin \\
CLASSPATH=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/jtreg_result/work/classes/0/test/lib:/root/jtreg/test/openj9-openjdk-jdk17/test/lib:/root/jtreg/test/jtreg/build/images/jtreg/lib/javatest.jar:/root/jtreg/test/jtreg/build/images/jtreg/lib/jtreg.jar \\
    /root/jdk/jdk17/latestJDK17/jdk/bin/java \\
        -Dtest.vm.opts='-ea -esa -Xmx512m -XX:+UseCompressedOops -Dsemeru.fips=true -Djava.security.debug=access -Dsemeru.fips=true' \\
        -Dtest.tool.vm.opts='-J-ea -J-esa -J-Xmx512m -J-XX:+UseCompressedOops -J-Dsemeru.fips=true -J-Djava.security.debug=access -J-Dsemeru.fips=true' \\
        -Dtest.compiler.opts= \\
        -Dtest.java.opts= \\
        -Dtest.jdk=/root/jdk/jdk17/latestJDK17/jdk \\
        -Dcompile.jdk=/root/jdk/jdk17/latestJDK17/jdk \\
        -Dtest.timeout.factor=1.0 \\
        -Dtest.root=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk \\
        -Dtest.name=java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java \\
        -Dtest.file=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java \\
        -Dtest.src=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints \\
        -Dtest.src.path=/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/openj9-openjdk-jdk17/test/lib \\
        -Dtest.classes=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d \\
        -Dtest.class.path=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/jtreg_result/work/classes/0/test/lib \\
        -Dtest.class.path.prefix=/root/jtreg/test/jtreg_result/work/classes/0/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d:/root/jtreg/test/openj9-openjdk-jdk17/test/jdk/java/security/cert/CertPathBuilder/targetConstraints:/root/jtreg/test/jtreg_result/work/classes/0/test/lib \\
        -ea \\
        -esa \\
        -Xmx512m \\
        -XX:+UseCompressedOops \\
        -Dsemeru.fips=true \\
        -Djava.security.debug=access \\
        -Dsemeru.fips=true \\
        com.sun.javatest.regtest.agent.MainWrapper /root/jtreg/test/jtreg_result/work/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.d/main.0.jta
result: Passed. Execution successful

test result: Passed. Execution successful

Same for java/security/cert/CertPathBuilder/zeroLengthPath/ZeroLengthPath.java.ZeroLengthPath, java/security/cert/PKIXRevocationChecker/UnitTest.java.UnitTest and java/security/cert/pkix/policyChanges/TestPolicy.java.TestPolicy.

babsingh commented 2 years ago

Another one seen in https://github.com/eclipse-openj9/openj9/pull/16285#issuecomment-1307404172. It is similar to the one reported in https://github.com/eclipse-openj9/openj9/issues/15967#issuecomment-1261311705. Exception messages: "Remote host terminated the handshake" and "SSL peer shut down incorrectly" highlight the source of the issue.

WilburZjh commented 2 years ago

I have more failures with this Could not create RSA public key & sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID issue for JDK17 in Jenkins at rhel8x64-fips4-1.fyre.ibm.com.

WilburZjh commented 1 year ago

Also, <<api/java_security/cert/X509Certificate/RSAX509CertByteTests.html.RSAX509CertByteTests>> in rhel8x64-fips2-1.fyre.ibm.com

JasonFengJ9 commented 1 year ago

JDK11 0.36 build(rhel9lert-2)

java version "11.0.18" 2023-01-17
IBM Semeru Runtime Certified Edition 11.0.18.0-rc1 (build 11.0.18+10)
Eclipse OpenJ9 VM 11.0.18.0-rc1 (build v0.36.0-release-e68fb241f, JRE 11 Linux ppc64le-64-Bit Compressed References 20230119_486 (JIT enabled, AOT enabled)
OpenJ9   - e68fb241f
OMR      - f491bbf6f
JCL      - d19b1e858d based on jdk-11.0.18+10)

jasonkatonica commented 1 year ago

Attaching a remote debugger to TestKeyFactory.java, which is the original test reported failing above, I was able to see the failing pattern while executing the test. Whenever a key was being imported using PKCS11, and the key was not 1024 bits in length or higher, the test would fail with CKR_ATTRIBUTE_VALUE_INVALID. For this particular test I was able to fix it by deleting all the 512 key sized RSA keys from the keystore that we were importing keys from. For example:

keytool -delete -alias rsa512a -keystore /root/builds/openj9-openjdk-jdk11-personal/test/jdk/sun/security/pkcs11/rsa/rsakeys.ks

keytool -delete -alias rsa512b -keystore /root/builds/openj9-openjdk-jdk11-personal/test/jdk/sun/security/pkcs11/rsa/rsakeys.ks

keytool -list -keystore /root/builds/openj9-openjdk-jdk11-personal/test/jdk/sun/security/pkcs11/rsa/rsakeys.ks

Another problem in the same package could be fixed by changing this line

From:

int[] keyLengths = {512, 512, 1024};

To:

int[] keyLengths = {1024, 1024, 2048};

I was then able to run all the tests in the sun/security/pkcs11/rsa/ package without failing:

sun/security/pkcs11/rsa/KeyWrap.java                         Passed. Execution successful
sun/security/pkcs11/rsa/TestCACerts.java                     Passed. Execution successful
sun/security/pkcs11/rsa/TestKeyFactory.java                  Passed. Execution successful
sun/security/pkcs11/rsa/TestKeyPairGenerator.java            Passed. Execution successful
sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java  Passed. Execution successful
sun/security/pkcs11/rsa/TestSignatures.java                  Passed. Execution successful
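
As an added example (not part of the comment above and not OpenJ9 or OpenJDK test code), the following Java utility lists the aliases in a keystore such as rsakeys.ks whose RSA or EC public keys are smaller than a minimum, so undersized entries can be found before an import into the PKCS11 token fails. The class name, the command-line arguments and the default minimums (1024 bits for RSA from the comment above, 256 bits for EC from an error message later in this thread) are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

/** Added example (hypothetical class name): report keystore entries with undersized public keys. */
public class KeystoreKeySizeAudit {

    /** RSA modulus length or EC field size in bits; -1 for algorithms this audit does not cover. */
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }

    /** Returns alias -> "ALG bits" for every entry whose key is below the given minimum. */
    static Map<String, String> undersized(KeyStore ks, int minRsaBits, int minEcBits)
            throws Exception {
        Map<String, String> hits = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this is the first certificate of the chain,
            // for a trusted-certificate entry the certificate itself.
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) {
                continue; // e.g. a secret-key entry, which has no public key
            }
            PublicKey pub = cert.getPublicKey();
            int min;
            if (pub instanceof RSAPublicKey) {
                min = minRsaBits;
            } else if (pub instanceof ECPublicKey) {
                min = minEcBits;
            } else {
                continue; // algorithm not covered by this audit
            }
            int bits = keyBits(pub);
            if (bits < min) {
                hits.put(alias, pub.getAlgorithm() + " " + bits);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println(
                "usage: java KeystoreKeySizeAudit <keystore> <storepass> [minRsaBits] [minEcBits]");
            System.exit(2);
        }
        // Assumed defaults: 1024 for RSA and 256 for EC, as discussed in this thread.
        int minRsa = args.length > 2 ? Integer.parseInt(args[2]) : 1024;
        int minEc = args.length > 3 ? Integer.parseInt(args[3]) : 256;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }

        Map<String, String> hits = undersized(ks, minRsa, minEc);
        for (Map.Entry<String, String> e : hits.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue() + " bits, below the minimum");
        }
        System.out.println(hits.size() + " undersized entr" + (hits.size() == 1 ? "y" : "ies")
            + " of " + ks.size());
        // A non-zero exit status lets a build job fail when undersized keys are present.
        System.exit(hits.isEmpty() ? 0 : 1);
    }
}
```

The keystore password is passed on the command line because the thread does not state it.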

jasonkatonica commented 1 year ago

I was able to fix all the tests in the package /sun/security/pkcs11/Signature by making similar updates:

Increased the value from 512 to 2048 here: https://github.com/ibmruntimes/openj9-openjdk-jdk11/blob/d89db392f756e98f6ec55a86862b2131f7e0a585/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java#L73

Increased the value from 512 to 2048 here: https://github.com/ibmruntimes/openj9-openjdk-jdk11/blob/d89db392f756e98f6ec55a86862b2131f7e0a585/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java#L366

Increased the value from 512 to 2048 and removed the algorithm "SHA512withRSA" a few lines above this: https://github.com/ibmruntimes/openj9-openjdk-jdk11/blob/d89db392f756e98f6ec55a86862b2131f7e0a585/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java#L72

sun/security/pkcs11/Signature/ByteBuffers.java               Passed. Execution successful
sun/security/pkcs11/Signature/InitAgainPSS.java              Passed. Execution successful
sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java    Passed. Execution successful
sun/security/pkcs11/Signature/ReinitSignature.java           Passed. Execution successful
sun/security/pkcs11/Signature/SigInteropPSS.java             Passed. Execution successful
sun/security/pkcs11/Signature/SignatureTestPSS.java          Passed. Execution successful
sun/security/pkcs11/Signature/TestDSA.java                   Passed. Execution successful
sun/security/pkcs11/Signature/TestDSA2.java                  Passed. Execution successful
sun/security/pkcs11/Signature/TestDSAKeyLength.java          Passed. Execution successful
sun/security/pkcs11/Signature/TestRSAKeyLength.java          Passed. Execution successful
sun/security/pkcs11/rsa/KeyWrap.java                         Passed. Execution successful
sun/security/pkcs11/rsa/TestCACerts.java                     Passed. Execution successful
sun/security/pkcs11/rsa/TestKeyFactory.java                  Passed. Execution successful
sun/security/pkcs11/rsa/TestKeyPairGenerator.java            Passed. Execution successful
sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java  Passed. Execution successful
sun/security/pkcs11/rsa/TestSignatures.java                  Passed. Execution successful

pshipton commented 1 year ago

Is that going to cause any problems on older platforms we still support?

jasonkatonica commented 1 year ago

We may also be seeing a system by system difference in behavior here since the allowable key length settings could potentially be configured differently in the NSS library for each system.

jasonkatonica commented 1 year ago

> Is that going to cause any problems on older platforms we still support?

Key sizes of 2048 have been supported for a long period of time in various libraries and versions of Java so I wouldn't anticipate too many problems from that perspective. I am unsure of the history with NSS support for various key sizes though, so older systems running on older versions of NSS could potentially have different behavior.

pshipton commented 1 year ago

Do you think NSS would be running on the machines we use for testing, other than the FIPS machines?

Our oldest systems are rhel 6 jdk8 (only), but may drop that, also centos/rhel 7, sles 12. Currently Ubuntu 18 but it's going out of support so those machines will be removed soon.

jasonkatonica commented 1 year ago

I do know that NSS can run on RHEL systems in fips or non fips modes. Some of the differences we are seeing with allowable key sizes could easily be associated with NSS running in FIPS or non FIPS modes. I can try to find some documentation on how to find out what key sizes are configured on RHEL.

I'd have to log into the other platforms to check what PKCS11 libraries are installed there. If there is a PKCS11 dll available I would think it would have to be super old to not support a 2048 key size. I'd assume we would have other tests failing where we are using other key sizes like 2048.....
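
As an added example (not written by any participant in this thread and not project code), the following Java program asks every installed provider that offers an RSA KeyPairGenerator to generate keys of the sizes mentioned in this issue (512, 1024 and 2048 bits) and reports which sizes are accepted, so the per-system differences discussed above can be compared directly. The class name and the candidate list are assumptions.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example (hypothetical class name): which RSA key sizes does each provider accept? */
public class RsaKeySizeProbe {

    /** Key sizes taken from the tests discussed in this issue. */
    static final int[] CANDIDATE_BITS = {512, 1024, 2048};

    /** Message of the innermost cause, e.g. the PKCS11Exception behind a ProviderException. */
    static String rootMessage(Throwable t) {
        while (t.getCause() != null) {
            t = t.getCause();
        }
        return t.getClass().getSimpleName() + ": " + t.getMessage();
    }

    /** Tries to initialize a generator and generate one key pair of the given size. */
    static String tryKeySize(Provider provider, int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", provider);
            kpg.initialize(bits);   // the provider's own size check runs here
            kpg.generateKeyPair();  // the underlying token or library may still refuse
            return "accepted";
        } catch (InvalidParameterException e) {
            return "rejected at initialize (" + e.getMessage() + ")";
        } catch (ProviderException e) {
            return "rejected at generation (" + rootMessage(e) + ")";
        } catch (NoSuchAlgorithmException e) {
            return "no RSA KeyPairGenerator";
        }
    }

    /** Returns key size -> outcome for one provider, in candidate order. */
    static Map<Integer, String> probe(Provider provider) {
        Map<Integer, String> results = new LinkedHashMap<>();
        for (int bits : CANDIDATE_BITS) {
            results.put(bits, tryKeySize(provider, bits));
        }
        return results;
    }

    public static void main(String[] args) {
        for (Provider provider : Security.getProviders()) {
            if (provider.getService("KeyPairGenerator", "RSA") == null) {
                continue; // this provider does not generate RSA keys
            }
            System.out.println(provider.getName());
            for (Map.Entry<Integer, String> e : probe(provider).entrySet()) {
                System.out.println("  RSA " + e.getKey() + ": " + e.getValue());
            }
        }
    }
}
```

Only providers installed in the running JVM are probed, so run it with the same JVM options and security configuration as the failing tests.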

JasonFengJ9 commented 1 year ago

JDK11 x86-64_linux 0.40.0 milestone 1(cent8x86-rtp-rt1-1)

openjdk version "11.0.20" 2023-07-18
IBM Semeru Runtime Open Edition 11.0.20.0-m1 (build 11.0.20+5)
Eclipse OpenJ9 VM 11.0.20.0-m1 (build v0.40.0-release-936ec5450, JRE 11 Linux amd64-64-Bit Compressed References 20230607_768 (JIT enabled, AOT enabled)
OpenJ9   - 936ec5450
OMR      - 0e572348b
JCL      - 3dcd507cc6 based on jdk-11.0.20+5)

[2023-06-07T20:30:35.298Z] variation: Mode150
[2023-06-07T20:30:35.298Z] JVM_OPTIONS:  -XX:+UseCompressedOops 

[2023-06-07T20:41:45.191Z] TEST: sun/security/pkcs11/Signature/ByteBuffers.java

[2023-06-07T20:41:45.192Z] STDERR:
[2023-06-07T20:41:45.192Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
[2023-06-07T20:41:45.192Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:148)
[2023-06-07T20:41:45.192Z]  at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:665)
[2023-06-07T20:41:45.192Z]  at java.base/java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:376)
[2023-06-07T20:41:45.192Z]  at ByteBuffers.main(ByteBuffers.java:73)
[2023-06-07T20:41:45.192Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2023-06-07T20:41:45.192Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2023-06-07T20:41:45.192Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2023-06-07T20:41:45.192Z]  at ByteBuffers.main(ByteBuffers.java:46)
[2023-06-07T20:41:45.192Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-06-07T20:41:45.192Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2023-06-07T20:41:45.192Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-06-07T20:41:45.192Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[2023-06-07T20:41:45.192Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2023-06-07T20:41:45.192Z]  at java.base/java.lang.Thread.run(Thread.java:839)
[2023-06-07T20:41:45.192Z] Caused by: java.security.InvalidAlgorithmParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
[2023-06-07T20:41:45.192Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
[2023-06-07T20:41:45.192Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
[2023-06-07T20:41:45.192Z]  ... 13 more
[2023-06-07T20:41:45.192Z] 
[2023-06-07T20:41:45.192Z] JavaTest Message: Test threw exception: java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

[2023-06-07T21:03:04.877Z] TEST RESULT: Failed. Execution failed: `main' threw exception: java.lang.RuntimeException: Expected to get exit value of [0]
[2023-06-07T21:03:04.877Z] --------------------------------------------------
[2023-06-07T21:09:31.794Z] Test results: passed: 766; failed: 3
[2023-06-07T21:09:31.794Z] Report written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_x86-64_linux/aqa-tests/TKG/output_1686165081166/jdk_security3_0/report/html/report.html
[2023-06-07T21:09:31.794Z] Results written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_x86-64_linux/aqa-tests/TKG/output_1686165081166/jdk_security3_0/work
[2023-06-07T21:09:31.794Z] Error: Some tests failed or other problems occurred.
[2023-06-07T21:09:31.794Z] -----------------------------------
[2023-06-07T21:09:31.794Z] jdk_security3_0_FAILED

JasonFengJ9 commented 1 year ago

JDK11 s390x_linux milestone 2(rhel8s390x-rt-1)

17:04:54  openjdk version "11.0.20" 2023-07-18
17:04:54  IBM Semeru Runtime Open Edition 11.0.20.0-m2 (build 11.0.20+7)
17:04:54  Eclipse OpenJ9 VM 11.0.20.0-m2 (build v0.40.0-release-6eed0535c, JRE 11 Linux s390x-64-Bit Compressed References 20230628_681 (JIT enabled, AOT enabled)
17:04:54  OpenJ9   - 6eed0535c
17:04:54  OMR      - e80bff83b
17:04:54  JCL      - 20e0e53157 based on jdk-11.0.20+7)

17:56:28  variation: Mode150
17:56:28  JVM_OPTIONS:  -XX:+UseCompressedOops 

18:09:25  TEST: sun/security/pkcs11/Signature/ByteBuffers.java

18:09:25  STDERR:
18:09:25  java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
18:09:25    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:148)
18:09:25    at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:665)
18:09:25    at java.base/java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:376)
18:09:25    at ByteBuffers.main(ByteBuffers.java:73)
18:09:25    at PKCS11Test.premain(PKCS11Test.java:224)
18:09:25    at PKCS11Test.testNSS(PKCS11Test.java:600)
18:09:25    at PKCS11Test.main(PKCS11Test.java:260)
18:09:25    at ByteBuffers.main(ByteBuffers.java:46)
18:09:25    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
18:09:25    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
18:09:25    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
18:09:25    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
18:09:25    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
18:09:25    at java.base/java.lang.Thread.run(Thread.java:839)
18:09:25  Caused by: java.security.InvalidAlgorithmParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
18:09:25    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
18:09:25    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
18:09:25    ... 13 more
18:09:25  
18:09:25  JavaTest Message: Test threw exception: java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

18:09:25  TEST: sun/security/pkcs11/Signature/ReinitSignature.java

18:09:25  Caused by: java.security.InvalidAlgorithmParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
18:09:25    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
18:09:25    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
18:09:25    ... 14 more

18:39:26  TEST: sun/security/tools/keytool/fakegen/DefaultSignatureAlgorithm.java

18:39:26  STDERR:
18:39:26   stdout: [keytool error: java.lang.UnsupportedOperationException
18:39:26  ];
18:39:26   stderr: []
18:39:26   exitValue = 1
18:39:26  
18:39:26  java.lang.RuntimeException: Expected to get exit value of [0]
18:39:26  
18:39:26    at jdk.test.lib.process.OutputAnalyzer.shouldHaveExitValue(OutputAnalyzer.java:431)
18:39:26    at DefaultSignatureAlgorithm.check(DefaultSignatureAlgorithm.java:79)
18:39:26    at DefaultSignatureAlgorithm.main(DefaultSignatureAlgorithm.java:63)
18:39:26    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
18:39:26    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
18:39:26    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
18:39:26    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
18:39:26    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
18:39:26    at java.base/java.lang.Thread.run(Thread.java:839)
18:39:26  
18:39:26  JavaTest Message: Test threw exception: java.lang.RuntimeException: Expected to get exit value of [0]

18:39:26  TEST RESULT: Failed. Execution failed: `main' threw exception: java.lang.RuntimeException: Expected to get exit value of [0]
18:39:26  --------------------------------------------------
18:47:02  Test results: passed: 764; failed: 3
18:47:02  Report written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_s390x_linux/aqa-tests/TKG/output_16881593718696/jdk_security3_0/report/html/report.html
18:47:02  Results written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_s390x_linux/aqa-tests/TKG/output_16881593718696/jdk_security3_0/work
18:47:02  Error: Some tests failed or other problems occurred.
18:47:02  -----------------------------------
18:47:02  jdk_security3_0_FAILED

JasonFengJ9 commented 1 year ago

JDK11 x86-64_linux rc1(rhel9x86-rt1-1)

[2023-07-19T20:13:38.101Z] variation: Mode150
[2023-07-19T20:13:38.101Z] JVM_OPTIONS:  -XX:+UseCompressedOops 

[2023-07-19T20:28:33.651Z] TEST: sun/security/pkcs11/ec/TestECDH.java

[2023-07-19T20:28:33.652Z] STDERR:
[2023-07-19T20:28:33.652Z] java.security.spec.InvalidKeySpecException: Could not create EC public key
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:173)
[2023-07-19T20:28:33.652Z]  at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:346)
[2023-07-19T20:28:33.652Z]  at TestECDH.test(TestECDH.java:149)
[2023-07-19T20:28:33.652Z]  at TestECDH.main(TestECDH.java:127)
[2023-07-19T20:28:33.652Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2023-07-19T20:28:33.652Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2023-07-19T20:28:33.652Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2023-07-19T20:28:33.652Z]  at TestECDH.main(TestECDH.java:180)
[2023-07-19T20:28:33.652Z] Caused by: java.security.InvalidKeyException: Could not create EC public key
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:130)
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:171)
[2023-07-19T20:28:33.652Z]  ... 13 more
[2023-07-19T20:28:33.652Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:254)
[2023-07-19T20:28:33.652Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:110)
[2023-07-19T20:28:33.652Z]  ... 14 more
[2023-07-19T20:28:33.652Z] 
[2023-07-19T20:28:33.652Z] JavaTest Message: Test threw exception: java.security.spec.InvalidKeySpecException: Could not create EC public key

[2023-07-19T20:28:33.655Z] TEST: sun/security/pkcs11/ec/TestECGenSpec.java

[2023-07-19T20:28:33.656Z] STDERR:
[2023-07-19T20:28:33.656Z] java.security.InvalidAlgorithmParameterException: EC key must be at least 256 bits. The specific key size 192 is not supported
[2023-07-19T20:28:33.656Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
[2023-07-19T20:28:33.656Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:223)
[2023-07-19T20:28:33.656Z]  at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:692)
[2023-07-19T20:28:33.656Z]  at java.base/java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:436)
[2023-07-19T20:28:33.656Z]  at TestECGenSpec.main(TestECGenSpec.java:93)
[2023-07-19T20:28:33.656Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2023-07-19T20:28:33.656Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2023-07-19T20:28:33.656Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2023-07-19T20:28:33.656Z]  at TestECGenSpec.main(TestECGenSpec.java:46)
[2023-07-19T20:28:33.656Z] 
[2023-07-19T20:28:33.656Z] JavaTest Message: Test threw exception: java.security.InvalidAlgorithmParameterException: EC key must be at least 256 bits. The specific key size 192 is not supported

[2023-07-19T20:44:59.437Z] TEST: sun/security/pkcs11/KeyStore/ClientAuth.java

[2023-07-19T20:44:59.440Z] java.io.IOException: load failed
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:765)
[2023-07-19T20:44:59.440Z]  at java.base/java.security.KeyStore.load(KeyStore.java:1479)
[2023-07-19T20:44:59.440Z]  at ClientAuth.doClientSide(ClientAuth.java:198)
[2023-07-19T20:44:59.440Z]  at ClientAuth.lambda$startClient$1(ClientAuth.java:380)
[2023-07-19T20:44:59.440Z]  at java.base/java.lang.Thread.run(Thread.java:839)
[2023-07-19T20:44:59.440Z] Caused by: javax.security.auth.login.LoginException
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1685)
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:865)
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:752)
[2023-07-19T20:44:59.440Z]  ... 4 more
[2023-07-19T20:44:59.440Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_TYPE_INVALID
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
[2023-07-19T20:44:59.440Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1669)
[2023-07-19T20:44:59.440Z]  ... 6 more
[2023-07-19T20:44:59.440Z] Client died...

[2023-07-19T20:44:59.440Z] TEST: sun/security/pkcs11/Provider/Login.java

[2023-07-19T20:44:59.441Z] test Login.testLogin(): failure
[2023-07-19T20:44:59.441Z] java.security.ProviderException: Initialization failed
[2023-07-19T20:44:59.441Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:469)
[2023-07-19T20:44:59.441Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:148)
[2023-07-19T20:44:59.441Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:145)
[2023-07-19T20:44:59.441Z]  at java.base/java.security.AccessController.doPrivileged(AccessController.java:746)
[2023-07-19T20:44:59.441Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:145)
[2023-07-19T20:44:59.441Z]  at PKCS11Test.getSunPKCS11(PKCS11Test.java:200)
[2023-07-19T20:44:59.441Z]  at PKCS11Test.getSunPKCS11(PKCS11Test.java:192)
[2023-07-19T20:44:59.441Z]  at PKCS11Test.testNSS(PKCS11Test.java:599)
[2023-07-19T20:44:59.441Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2023-07-19T20:44:59.441Z]  at Login.testLogin(Login.java:58)
[2023-07-19T20:44:59.442Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: 0xCE534351
[2023-07-19T20:44:59.442Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
[2023-07-19T20:44:59.442Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1689)
[2023-07-19T20:44:59.442Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:224)
[2023-07-19T20:44:59.442Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:372)
[2023-07-19T20:44:59.442Z]  ... 42 more

[2023-07-19T20:45:04.908Z] TEST: sun/security/pkcs11/Signature/ByteBuffers.java

[2023-07-19T20:45:04.909Z] STDERR:
[2023-07-19T20:45:04.909Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
[2023-07-19T20:45:04.909Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:148)
[2023-07-19T20:45:04.909Z]  at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:665)
[2023-07-19T20:45:04.909Z]  at java.base/java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:376)
[2023-07-19T20:45:04.909Z]  at ByteBuffers.main(ByteBuffers.java:73)
[2023-07-19T20:45:04.909Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2023-07-19T20:45:04.909Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2023-07-19T20:45:04.909Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2023-07-19T20:45:04.909Z]  at ByteBuffers.main(ByteBuffers.java:46)
[2023-07-19T20:45:04.909Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-07-19T20:45:04.909Z] Caused by: java.security.InvalidAlgorithmParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported
[2023-07-19T20:45:04.909Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
[2023-07-19T20:45:04.909Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
[2023-07-19T20:45:04.909Z]  ... 13 more

[2023-07-19T21:17:23.644Z] Test results: passed: 757; failed: 11; error: 1
[2023-07-19T21:17:28.507Z] Report written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_x86-64_linux/aqa-tests/TKG/output_16897925209163/jdk_security3_0/report/html/report.html
[2023-07-19T21:17:28.507Z] Results written to /home/jenkins/workspace/Test_openjdk11_j9_extended.openjdk_x86-64_linux/aqa-tests/TKG/output_16897925209163/jdk_security3_0/work
[2023-07-19T21:17:28.507Z] Error: Some tests failed or other problems occurred.
[2023-07-19T21:17:28.507Z] -----------------------------------
[2023-07-19T21:17:28.507Z] jdk_security3_0_FAILED

JasonFengJ9 commented 1 year ago

JDK8 0.41 milestone 1 - ppc64le_linux(rhel8le-rtp-rt1-1)

openjdk version "1.8.0_392"
IBM Semeru Runtime Open Edition (build 1.8.0_392-b03)
Eclipse OpenJ9 VM (build v0.41.0-release-87d042a68, JRE 1.8.0 Linux ppc64le-64-Bit Compressed References 20230906_726 (JIT enabled, AOT enabled)
OpenJ9   - 87d042a68
OMR      - fa7b6ddc7
JCL      - 04ddaa8f70 based on jdk8u392-b03)

[2023-09-06T20:13:10.696Z] variation: Mode150
[2023-09-06T20:13:10.696Z] JVM_OPTIONS:  -XX:+UseCompressedOops 

[2023-09-06T20:21:47.760Z] TEST: sun/security/pkcs11/rsa/TestKeyFactory.java
[2023-09-06T20:21:47.760Z] STDERR:
[2023-09-06T20:21:47.760Z] java.security.InvalidKeyException: Could not create RSA public key
[2023-09-06T20:21:47.760Z]  at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:71)
[2023-09-06T20:21:47.760Z]  at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:127)
[2023-09-06T20:21:47.760Z]  at java.security.KeyFactory.translateKey(KeyFactory.java:452)
[2023-09-06T20:21:47.760Z]  at TestKeyFactory.testPublic(TestKeyFactory.java:80)
[2023-09-06T20:21:47.761Z]  at TestKeyFactory.test(TestKeyFactory.java:124)
[2023-09-06T20:21:47.761Z]  at TestKeyFactory.main(TestKeyFactory.java:144)
[2023-09-06T20:21:47.761Z]  at PKCS11Test.premain(PKCS11Test.java:125)
[2023-09-06T20:21:47.761Z]  at PKCS11Test.testNSS(PKCS11Test.java:487)
[2023-09-06T20:21:47.761Z]  at PKCS11Test.main(PKCS11Test.java:156)
[2023-09-06T20:21:47.761Z]  at TestKeyFactory.main(TestKeyFactory.java:131)
[2023-09-06T20:21:47.761Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
[2023-09-06T20:21:47.761Z]  at sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:196)
[2023-09-06T20:21:47.761Z]  at sun.security.pkcs11.P11RSAKeyFactory.generatePublic(P11RSAKeyFactory.java:198)
[2023-09-06T20:21:47.761Z]  at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePublicKey(P11RSAKeyFactory.java:57)
[2023-09-06T20:21:47.761Z]  ... 15 more

[2023-09-06T20:21:47.761Z] TEST: sun/security/pkcs11/rsa/TestSignatures.java
[2023-09-06T20:21:47.762Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID

[2023-09-06T20:21:47.762Z] TEST: sun/security/pkcs11/Signature/ByteBuffers.java
[2023-09-06T20:21:47.763Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

[2023-09-06T20:21:47.763Z] TEST: sun/security/pkcs11/Signature/ReinitSignature.java
[2023-09-06T20:21:47.765Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

[2023-09-06T20:21:51.053Z] TEST: sun/security/pkcs11/Signature/TestRSAKeyLength.java
[2023-09-06T20:21:51.053Z] java.security.InvalidParameterException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

[2023-09-06T20:42:13.081Z] TEST: sun/security/tools/keytool/autotest.sh
[2023-09-06T20:42:13.081Z] Exception in thread "main" java.lang.IllegalArgumentException: RSA key must be at least 1023 bits. The specific key size 512 is not supported

[2023-09-06T20:49:42.191Z] Test results: passed: 601; failed: 6
[2023-09-06T20:49:42.191Z] Report written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_ppc64le_linux/aqa-tests/TKG/output_16940267562428/jdk_security3_0/report/html/report.html
[2023-09-06T20:49:42.191Z] Results written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_ppc64le_linux/aqa-tests/TKG/output_16940267562428/jdk_security3_0/work
[2023-09-06T20:49:42.191Z] Error: Some tests failed or other problems occurred.
[2023-09-06T20:49:42.191Z] -----------------------------------
[2023-09-06T20:49:42.192Z] jdk_security3_0_FAILED

JDK8 0.41 milestone 1 s390x_linux(rhel9s390xrt-1)

openjdk version "1.8.0_392"
IBM Semeru Runtime Open Edition (build 1.8.0_392-b03)
Eclipse OpenJ9 VM (build v0.41.0-release-87d042a68, JRE 1.8.0 Linux s390x-64-Bit Compressed References 20230906_725 (JIT enabled, AOT enabled)
OpenJ9   - 87d042a68
OMR      - fa7b6ddc7
JCL      - 04ddaa8f70 based on jdk8u392-b03)

[2023-09-06T22:39:11.494Z] variation: Mode650
[2023-09-06T22:39:11.494Z] JVM_OPTIONS:  -XX:-UseCompressedOops 

[2023-09-06T23:08:51.635Z] TEST: sun/security/tools/keytool/autotest.sh

[2023-09-06T23:08:51.635Z] Exception in thread "main" java.io.IOException: load failed
[2023-09-06T23:08:51.635Z]  at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:764)
[2023-09-06T23:08:51.635Z]  at java.security.KeyStore.load(KeyStore.java:1445)
[2023-09-06T23:08:51.635Z]  at sun.security.tools.keytool.Main.doCommands(Main.java:869)
[2023-09-06T23:08:51.635Z]  at sun.security.tools.keytool.Main.run(Main.java:378)
[2023-09-06T23:08:51.635Z]  at sun.security.tools.keytool.Main.main(Main.java:371)
[2023-09-06T23:08:51.635Z]  at KeyToolTest.test(KeyToolTest.java:159)
[2023-09-06T23:08:51.635Z]  at KeyToolTest.test(KeyToolTest.java:127)
[2023-09-06T23:08:51.635Z]  at KeyToolTest.testOK(KeyToolTest.java:182)
[2023-09-06T23:08:51.635Z]  at KeyToolTest.testPKCS11(KeyToolTest.java:525)
[2023-09-06T23:08:51.635Z]  at KeyToolTest.main(KeyToolTest.java:1345)
[2023-09-06T23:08:51.635Z] Caused by: javax.security.auth.login.LoginException
[2023-09-06T23:08:51.635Z]  at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1534)
[2023-09-06T23:08:51.635Z]  at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:864)
[2023-09-06T23:08:51.635Z]  at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:751)
[2023-09-06T23:08:51.635Z]  ... 9 more
[2023-09-06T23:08:51.635Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_TYPE_INVALID
[2023-09-06T23:08:51.635Z]  at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1518)

[2023-09-06T23:14:03.421Z] Test results: passed: 606; failed: 1
[2023-09-06T23:14:04.664Z] Report written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_s390x_linux/aqa-tests/TKG/output_16940295179844/jdk_security3_1/report/html/report.html
[2023-09-06T23:14:04.664Z] Results written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_s390x_linux/aqa-tests/TKG/output_16940295179844/jdk_security3_1/work
[2023-09-06T23:14:04.664Z] Error: Some tests failed or other problems occurred.
[2023-09-06T23:14:04.664Z] -----------------------------------
[2023-09-06T23:14:04.664Z] jdk_security3_1_FAILED

JasonFengJ9 commented 7 months ago

JDK11 ppc64le_linux(rhel9lert-1)

openjdk version "11.0.23" 2024-04-16
IBM Semeru Runtime Open Edition 11.0.23.0-m1 (build 11.0.23+6)
Eclipse OpenJ9 VM 11.0.23.0-m1 (build v0.44.0-release-747f86c91, JRE 11 Linux ppc64le-64-Bit Compressed References 20240319_904 (JIT enabled, AOT enabled)
OpenJ9   - 747f86c91
OMR      - 254af5a04
JCL      - b59f8e52b5 based on jdk-11.0.23+6)

[2024-03-20T20:42:57.325Z] variation: Mode650
[2024-03-20T20:42:57.325Z] JVM_OPTIONS:  -XX:-UseCompressedOops -Xverbosegclog 

[2024-03-20T20:53:19.529Z] TEST: sun/security/pkcs11/ec/TestECDH.java

[2024-03-20T20:53:19.530Z] STDERR:
[2024-03-20T20:53:19.530Z] java.security.spec.InvalidKeySpecException: Could not create EC public key
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:173)
[2024-03-20T20:53:19.530Z]  at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:346)
[2024-03-20T20:53:19.530Z]  at TestECDH.test(TestECDH.java:149)
[2024-03-20T20:53:19.530Z]  at TestECDH.main(TestECDH.java:127)
[2024-03-20T20:53:19.530Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2024-03-20T20:53:19.530Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2024-03-20T20:53:19.530Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2024-03-20T20:53:19.530Z]  at TestECDH.main(TestECDH.java:180)

[2024-03-20T20:53:19.530Z] Caused by: java.security.InvalidKeyException: Could not create EC public key
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:130)
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:171)
[2024-03-20T20:53:19.530Z]  ... 13 more
[2024-03-20T20:53:19.530Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:254)
[2024-03-20T20:53:19.530Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:110)
[2024-03-20T20:53:19.530Z]  ... 14 more
[2024-03-20T20:53:19.530Z] 
[2024-03-20T20:53:19.530Z] JavaTest Message: Test threw exception: java.security.spec.InvalidKeySpecException: Could not create EC public key

[2024-03-20T20:53:19.532Z] TEST: sun/security/pkcs11/ec/TestECGenSpec.java
[2024-03-20T20:53:19.532Z] STDERR:
[2024-03-20T20:53:19.532Z] java.security.InvalidAlgorithmParameterException: EC key must be at least 256 bits. The specific key size 192 is not supported
[2024-03-20T20:53:19.532Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.checkKeySize(P11KeyPairGenerator.java:240)
[2024-03-20T20:53:19.532Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:223)
[2024-03-20T20:53:19.532Z]  at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:692)
[2024-03-20T20:53:19.532Z]  at java.base/java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:436)
[2024-03-20T20:53:19.532Z]  at TestECGenSpec.main(TestECGenSpec.java:93)
[2024-03-20T20:53:19.532Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2024-03-20T20:53:19.532Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2024-03-20T20:53:19.532Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2024-03-20T20:53:19.532Z]  at TestECGenSpec.main(TestECGenSpec.java:46)

[2024-03-20T20:53:42.580Z] TEST: sun/security/pkcs11/KeyStore/SecretKeysBasic.java

[2024-03-20T20:53:42.580Z] libsoftokn3 version not found, set to 0.0: /usr/lib64/libsoftokn3.so
[2024-03-20T20:53:42.580Z] libnss3 version not found, set to 0.0: /usr/lib64/libsoftokn3.so
[2024-03-20T20:53:42.580Z] test SecretKeysBasic.testBasic(): failure
[2024-03-20T20:53:42.580Z] java.io.IOException: load failed
[2024-03-20T20:53:42.580Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:765)
[2024-03-20T20:53:42.580Z]  at java.base/java.security.KeyStore.load(KeyStore.java:1479)
[2024-03-20T20:53:42.580Z]  at SecretKeysBasic.doTest(SecretKeysBasic.java:172)
[2024-03-20T20:53:42.580Z]  at SecretKeysBasic.main(SecretKeysBasic.java:102)
[2024-03-20T20:53:42.580Z]  at PKCS11Test.premain(PKCS11Test.java:224)
[2024-03-20T20:53:42.580Z]  at PKCS11Test.testNSS(PKCS11Test.java:600)
[2024-03-20T20:53:42.580Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2024-03-20T20:53:42.580Z]  at PKCS11Test.main(PKCS11Test.java:236)
[2024-03-20T20:53:42.580Z]  at SecretKeysBasic.testBasic(SecretKeysBasic.java:65)

[2024-03-20T20:53:42.581Z] Caused by: javax.security.auth.login.LoginException
[2024-03-20T20:53:42.581Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1645)
[2024-03-20T20:53:42.581Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:865)
[2024-03-20T20:53:42.581Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:752)
[2024-03-20T20:53:42.581Z]  ... 41 more
[2024-03-20T20:53:42.581Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_TYPE_INVALID
[2024-03-20T20:53:42.581Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
[2024-03-20T20:53:42.581Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1629)
[2024-03-20T20:53:42.581Z]  ... 43 more
[2024-03-20T20:53:42.581Z] 

[2024-03-20T20:53:57.001Z] TEST: sun/security/pkcs11/Provider/Login.java
[2024-03-20T20:53:57.001Z] test Login.testLogin(): failure
[2024-03-20T20:53:57.001Z] java.security.ProviderException: Initialization failed
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:470)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:149)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:146)
[2024-03-20T20:53:57.001Z]  at java.base/java.security.AccessController.doPrivileged(AccessController.java:746)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:146)
[2024-03-20T20:53:57.001Z]  at PKCS11Test.getSunPKCS11(PKCS11Test.java:200)
[2024-03-20T20:53:57.001Z]  at PKCS11Test.getSunPKCS11(PKCS11Test.java:192)
[2024-03-20T20:53:57.001Z]  at PKCS11Test.testNSS(PKCS11Test.java:599)
[2024-03-20T20:53:57.001Z]  at PKCS11Test.main(PKCS11Test.java:260)
[2024-03-20T20:53:57.001Z]  at Login.testLogin(Login.java:58)

[2024-03-20T20:53:57.001Z] Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: 0xCE534351
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1689)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:224)
[2024-03-20T20:53:57.001Z]  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:373)
[2024-03-20T20:53:57.001Z]  ... 42 more

[2024-03-20T21:22:20.176Z] jdk_security3_1_FAILED