eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

jdk_security_infra_0_FAILED NullPointerException: Cannot invoke "java.security.cert.X509Certificate.getSubjectX500Principal()" because "this.rootCertificate" is null #18447

Closed JasonFengJ9 closed 8 months ago

JasonFengJ9 commented 10 months ago

Failure link

From an internal build (https://hyc-runtimes-jenkins.swg-devops.com/job/Test_openjdk17_j9_extended.openjdk_aarch64_linux/135/):

java version "17.0.10-beta" 2024-01-16
IBM Semeru Runtime Certified Edition 17.0.10+2-202311111534 (build 17.0.10-beta+2-202311111534)
Eclipse OpenJ9 VM 17.0.10+2-202311111534 (build master-f1d8ad75f, JRE 17 Linux aarch64-64-Bit Compressed References 20231111_524 (JIT enabled, AOT enabled)
OpenJ9   - f1d8ad75f
OMR      - 9bc6e08c9
JCL      - eaba573278 based on jdk-17.0.10+2)

Rerun in Grinder - Change TARGET to run only the failed test targets.

Optional info

Failure output (captured from console output)

[2023-11-11T19:56:06.157Z] variation: Mode150
[2023-11-11T19:56:06.157Z] JVM_OPTIONS:  -XX:+UseCompressedOops 

[2023-11-11T19:56:33.750Z] TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustnetworkingca

[2023-11-11T19:56:33.752Z] STDERR:
[2023-11-11T19:56:33.752Z] java.lang.NullPointerException: Cannot invoke "java.security.cert.X509Certificate.getSubjectX500Principal()" because "this.rootCertificate" is null
[2023-11-11T19:56:33.752Z]  at ValidatePathWithURL.<init>(ValidatePathWithURL.java:64)
[2023-11-11T19:56:33.752Z]  at CAInterop.validate(CAInterop.java:619)
[2023-11-11T19:56:33.752Z]  at CAInterop.main(CAInterop.java:564)
[2023-11-11T19:56:33.752Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-11-11T19:56:33.752Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2023-11-11T19:56:33.752Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-11-11T19:56:33.752Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:568)
[2023-11-11T19:56:33.752Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2023-11-11T19:56:33.752Z]  at java.base/java.lang.Thread.run(Thread.java:857)
[2023-11-11T19:56:33.752Z] 
[2023-11-11T19:56:33.752Z] JavaTest Message: Test threw exception: java.lang.NullPointerException: Cannot invoke "java.security.cert.X509Certificate.getSubjectX500Principal()" because "this.rootCertificate" is null
[2023-11-11T19:56:33.752Z] JavaTest Message: shutting down test

[2023-11-11T19:57:54.592Z] jdk_security_infra_0_FAILED

50x internal grinder - all failed

JDK17 aarch64_linux, JDK17 ppc64le_linux

RI JDK17 aarch64_linux - failed as well

JasonFengJ9 commented 9 months ago

JDK11 aarch64_mac

java version "11.0.22-beta" 2024-01-16
IBM Semeru Runtime Certified Edition 11.0.22+4-202311250206 (build 11.0.22-beta+4-202311250206)
Eclipse OpenJ9 VM 11.0.22+4-202311250206 (build master-e89fd87bb, JRE 11 Mac OS X aarch64-64-Bit 20231124_435 (JIT enabled, AOT enabled)
OpenJ9   - e89fd87bb
OMR      - 8b19b8082
JCL      - 82742a9898 based on jdk-11.0.22+4)

[2023-11-25T02:57:04.848Z] STDERR:
[2023-11-25T02:57:04.848Z] java.lang.NullPointerException
[2023-11-25T02:57:04.848Z]  at ValidatePathWithURL.<init>(ValidatePathWithURL.java:64)
[2023-11-25T02:57:04.848Z]  at CAInterop.validate(CAInterop.java:631)
[2023-11-25T02:57:04.848Z]  at CAInterop.main(CAInterop.java:576)
[2023-11-25T02:57:04.848Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-11-25T02:57:04.848Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2023-11-25T02:57:04.848Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-11-25T02:57:04.848Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:572)
[2023-11-25T02:57:04.848Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2023-11-25T02:57:04.848Z]  at java.base/java.lang.Thread.run(Thread.java:839)
[2023-11-25T02:57:04.848Z] 
[2023-11-25T02:57:04.848Z] JavaTest Message: Test threw exception: java.lang.NullPointerException

[2023-11-25T02:57:12.680Z] jdk_security_infra_1_FAILED
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca.CAInterop_actalisauthenticationrootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustcommercialca.CAInterop_affirmtrustcommercialca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustnetworkingca.CAInterop_affirmtrustnetworkingca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumca.CAInterop_affirmtrustpremiumca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumeccca.CAInterop_affirmtrustpremiumeccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1.CAInterop_amazonrootca1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2.CAInterop_amazonrootca2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3.CAInterop_amazonrootca3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4.CAInterop_amazonrootca4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca.CAInterop_buypassclass2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca.CAInterop_buypassclass3ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca.CAInterop_certignarootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca.CAInterop_comodoeccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca.CAInterop_comodorsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1.CAInterop_entrustrootcaec1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4.CAInterop_entrustrootcag4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4.CAInterop_globalsigneccrootcar4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6.CAInterop_globalsignrootcar6
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca.CAInterop_godaddyrootg2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1.CAInterop_gtsrootcar1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2.CAInterop_gtsrootcar2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3.CAInterop_gtsrootecccar3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4.CAInterop_gtsrootecccar4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1.CAInterop_letsencryptisrgx1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx2.CAInterop_letsencryptisrgx2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017.CAInterop_microsoftecc2017
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017.CAInterop_microsoftrsa2017
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3.CAInterop_quovadisrootca1g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3.CAInterop_quovadisrootca2g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3.CAInterop_quovadisrootca3g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca.CAInterop_sslrooteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca.CAInterop_sslrootevrsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca.CAInterop_sslrootrsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca.CAInterop_starfieldrootg2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliarootcav2.CAInterop_teliarootcav2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1.CAInterop_teliasonerarootcav1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca.CAInterop_twcaglobalrootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca.CAInterop_usertrusteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca.CAInterop_usertrustrsaca

JasonFengJ9 commented 9 months ago

JDK17 aarch64_mac(macaarch64rt6)

openjdk version "17.0.10" 2024-01-16
IBM Semeru Runtime Open Edition 17.0.10.0-m1 (build 17.0.10+5)
Eclipse OpenJ9 VM 17.0.10.0-m1 (build v0.43.0-release-9b2a42f8f, JRE 17 Mac OS X aarch64-64-Bit 20240116_466 (JIT enabled, AOT enabled)
OpenJ9   - 9b2a42f8f
OMR      - d810fcb98
JCL      - 10ccdceee3c based on jdk-17.0.10+5)

[2023-12-01T20:03:18.777Z] TEST: security/infra/java/security/cert/CertPathValidator/certification/EmSignRootG2CA.java

[2023-12-01T20:03:18.781Z] STDERR:
[2023-12-01T20:03:18.781Z] certpath: PKIXCertPathValidator.engineValidate()...
[2023-12-01T20:03:18.781Z] certpath: X509CertSelector.match(SN: cbe
[2023-12-01T20:03:18.781Z]   Issuer: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
[2023-12-01T20:03:18.781Z]   Subject: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW)
[2023-12-01T20:03:18.781Z] certpath: X509CertSelector.match: subject DNs don't match
[2023-12-01T20:03:18.781Z] java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
[2023-12-01T20:03:18.781Z]  at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
[2023-12-01T20:03:18.781Z]  at EmSignRootG2CA.main(EmSignRootG2CA.java:171)
[2023-12-01T20:03:18.781Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-12-01T20:03:18.781Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2023-12-01T20:03:18.781Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-12-01T20:03:18.781Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:574)
[2023-12-01T20:03:18.781Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2023-12-01T20:03:18.781Z]  at java.base/java.lang.Thread.run(Thread.java:857)
[2023-12-01T20:03:18.781Z] Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
[2023-12-01T20:03:18.781Z]  at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
[2023-12-01T20:03:18.782Z]  at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
[2023-12-01T20:03:18.782Z]  at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
[2023-12-01T20:03:18.782Z]  at ValidatePathWithParams.doCertPathValidate(ValidatePathWithParams.java:288)
[2023-12-01T20:03:18.782Z]  at ValidatePathWithParams.validate(ValidatePathWithParams.java:142)
[2023-12-01T20:03:18.782Z]  ... 7 more
[2023-12-01T20:03:18.782Z] 
[2023-12-01T20:03:18.782Z] JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status

[2023-12-01T20:03:27.652Z] jdk_security_infra_1_FAILED

RI JDK17 aarch64_mac - same failure
RI JDK17 x86-64_linux - same failure

pshipton commented 9 months ago

@KostasTsiounis @jasonkatonica this needs investigation

KostasTsiounis commented 8 months ago

The failing test is CAInterop, which was introduced as part of this commit.

Said test substitutes a number of tests that had hard-coded certificates to test. The new test loads the certificates from the cacerts file and tries to then retrieve them from the created KeyStore.

The certificates examined, and expected to be in the KeyStore, are the OpenJDK certificates. However, the Semeru Certified Edition contains a different set of Adoptium certificates derived from Mozilla certificates, as @pshipton informed me. So, when the test tries to call cacerts.getCertificate(alias), the result is null, leading to the produced NullPointerException.

This was verified by substituting the cacerts file with one created through an OpenJ9 build, which led to the test succeeding.
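
The alias lookup described in the comment above, as an added example that is not part of the original thread or of the OpenJDK test code: it loads a cacerts file, checks each expected alias with an explicit null test, and reports what the trust store lacks instead of failing with a NullPointerException. The class name `CacertsAliasCheck` and helper `missingAliases` are hypothetical, and the ` [jdk]` alias suffix is an assumption about OpenJDK's cacerts naming.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added illustration (hypothetical class), not the OpenJDK CAInterop test.
public class CacertsAliasCheck {

    // Returns the aliases from 'expected' that the keystore cannot resolve to a certificate.
    static List<String> missingAliases(KeyStore ks, List<String> expected) throws Exception {
        List<String> missing = new ArrayList<>();
        for (String alias : expected) {
            // getCertificate() returns null for an unknown alias; it does not throw.
            X509Certificate root = (X509Certificate) ks.getCertificate(alias);
            if (root == null) {
                missing.add(alias);
            } else {
                System.out.println("found   " + alias + " -> " + root.getSubjectX500Principal());
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Default: the running JDK's trust store; pass another cacerts path as the first argument.
        File store = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        // A null password skips the keystore integrity check; reading public certificates does not need it.
        KeyStore ks = KeyStore.getInstance(store, (char[]) null);

        // Names taken from the failing test ids in this issue.
        // Assumption: OpenJDK-built cacerts files store them with a " [jdk]" suffix.
        List<String> expected = List.of(
                "affirmtrustnetworkingca [jdk]",
                "twcaglobalrootca [jdk]",
                "letsencryptisrgx1 [jdk]");

        List<String> missing = missingAliases(ks, expected);
        for (String alias : missing) {
            System.out.println("MISSING " + alias);
        }
        System.out.println(ks.size() + " entries in " + store + ", "
                + missing.size() + " expected alias(es) missing");
        if (!missing.isEmpty()) System.exit(1);
    }
}
```

Running it once against the default cacerts and once against a replaced one shows whether a failure comes from alias naming in the trust store rather than from certificate path validation.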

KostasTsiounis commented 8 months ago

@pshipton What do you think our next steps should be?

pshipton commented 8 months ago

@LongyuZhang @sophia-guo what is Adoptium doing about all these failing security_infra tests?

llxia commented 8 months ago

Same failure in jdk_security_infra at Adoptium on Dec 25th, 2023: https://ci.adoptium.net/job/Test_openjdk17_hs_extended.openjdk_aarch64_linux_testList_1/45/tapResults/

From what I can see, the last green extended.openjdk on aarch64_linux was on Sep 1st, 2023: https://ci.adoptium.net/job/Test_openjdk17_hs_extended.openjdk_aarch64_linux/

KostasTsiounis commented 8 months ago

@llxia The CAInterop test was added on the upstream on September 28, 2023.

pshipton commented 8 months ago

This should be resolved via https://github.com/adoptium/aqa-tests/pull/4955, or an OpenJ9 update derived from it.

macarte commented 8 months ago

We just tested 21 as we also had this issue.

I don't know the background on why we've been generating the cacerts file and replacing the one that's built by default; however, if you run the tests with the default cacert then the tests pass (we confirmed that the alias being searched for is in the default cacert file and not the one generated from the Mozilla source).

I don't know (again because of the background) which cacert file (if any) would be needed for TCK.