Closed JasonFengJ9 closed 8 months ago
java version "11.0.22-beta" 2024-01-16
IBM Semeru Runtime Certified Edition 11.0.22+4-202311250206 (build 11.0.22-beta+4-202311250206)
Eclipse OpenJ9 VM 11.0.22+4-202311250206 (build master-e89fd87bb, JRE 11 Mac OS X aarch64-64-Bit 20231124_435 (JIT enabled, AOT enabled)
OpenJ9 - e89fd87bb
OMR - 8b19b8082
JCL - 82742a9898 based on jdk-11.0.22+4)
[2023-11-25T02:57:04.848Z] STDERR:
[2023-11-25T02:57:04.848Z] java.lang.NullPointerException
[2023-11-25T02:57:04.848Z] at ValidatePathWithURL.<init>(ValidatePathWithURL.java:64)
[2023-11-25T02:57:04.848Z] at CAInterop.validate(CAInterop.java:631)
[2023-11-25T02:57:04.848Z] at CAInterop.main(CAInterop.java:576)
[2023-11-25T02:57:04.848Z] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-11-25T02:57:04.848Z] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2023-11-25T02:57:04.848Z] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-11-25T02:57:04.848Z] at java.base/java.lang.reflect.Method.invoke(Method.java:572)
[2023-11-25T02:57:04.848Z] at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2023-11-25T02:57:04.848Z] at java.base/java.lang.Thread.run(Thread.java:839)
[2023-11-25T02:57:04.848Z]
[2023-11-25T02:57:04.848Z] JavaTest Message: Test threw exception: java.lang.NullPointerException
[2023-11-25T02:57:12.680Z] jdk_security_infra_1_FAILED
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca.CAInterop_actalisauthenticationrootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustcommercialca.CAInterop_affirmtrustcommercialca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustnetworkingca.CAInterop_affirmtrustnetworkingca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumca.CAInterop_affirmtrustpremiumca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumeccca.CAInterop_affirmtrustpremiumeccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1.CAInterop_amazonrootca1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2.CAInterop_amazonrootca2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3.CAInterop_amazonrootca3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4.CAInterop_amazonrootca4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca.CAInterop_buypassclass2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca.CAInterop_buypassclass3ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca.CAInterop_certignarootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca.CAInterop_comodoeccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca.CAInterop_comodorsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1.CAInterop_entrustrootcaec1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4.CAInterop_entrustrootcag4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4.CAInterop_globalsigneccrootcar4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6.CAInterop_globalsignrootcar6
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca.CAInterop_godaddyrootg2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1.CAInterop_gtsrootcar1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2.CAInterop_gtsrootcar2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3.CAInterop_gtsrootecccar3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4.CAInterop_gtsrootecccar4
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1.CAInterop_letsencryptisrgx1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx2.CAInterop_letsencryptisrgx2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017.CAInterop_microsoftecc2017
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017.CAInterop_microsoftrsa2017
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3.CAInterop_quovadisrootca1g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3.CAInterop_quovadisrootca2g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3.CAInterop_quovadisrootca3g3
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca.CAInterop_sslrooteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca.CAInterop_sslrootevrsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca.CAInterop_sslrootrsaca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca.CAInterop_starfieldrootg2ca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliarootcav2.CAInterop_teliarootcav2
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1.CAInterop_teliasonerarootcav1
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca.CAInterop_twcaglobalrootca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca.CAInterop_usertrusteccca
security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca.CAInterop_usertrustrsaca
JDK17 aarch64_mac(macaarch64rt6)
openjdk version "17.0.10" 2024-01-16
IBM Semeru Runtime Open Edition 17.0.10.0-m1 (build 17.0.10+5)
Eclipse OpenJ9 VM 17.0.10.0-m1 (build v0.43.0-release-9b2a42f8f, JRE 17 Mac OS X aarch64-64-Bit 20240116_466 (JIT enabled, AOT enabled)
OpenJ9 - 9b2a42f8f
OMR - d810fcb98
JCL - 10ccdceee3c based on jdk-17.0.10+5)
[2023-12-01T20:03:18.777Z] TEST: security/infra/java/security/cert/CertPathValidator/certification/EmSignRootG2CA.java
[2023-12-01T20:03:18.781Z] STDERR:
[2023-12-01T20:03:18.781Z] certpath: PKIXCertPathValidator.engineValidate()...
[2023-12-01T20:03:18.781Z] certpath: X509CertSelector.match(SN: cbe
[2023-12-01T20:03:18.781Z] Issuer: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
[2023-12-01T20:03:18.781Z] Subject: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW)
[2023-12-01T20:03:18.781Z] certpath: X509CertSelector.match: subject DNs don't match
[2023-12-01T20:03:18.781Z] java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
[2023-12-01T20:03:18.781Z] at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
[2023-12-01T20:03:18.781Z] at EmSignRootG2CA.main(EmSignRootG2CA.java:171)
[2023-12-01T20:03:18.781Z] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-12-01T20:03:18.781Z] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2023-12-01T20:03:18.781Z] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-12-01T20:03:18.781Z] at java.base/java.lang.reflect.Method.invoke(Method.java:574)
[2023-12-01T20:03:18.781Z] at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2023-12-01T20:03:18.781Z] at java.base/java.lang.Thread.run(Thread.java:857)
[2023-12-01T20:03:18.781Z] Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
[2023-12-01T20:03:18.781Z] at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
[2023-12-01T20:03:18.782Z] at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
[2023-12-01T20:03:18.782Z] at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
[2023-12-01T20:03:18.782Z] at ValidatePathWithParams.doCertPathValidate(ValidatePathWithParams.java:288)
[2023-12-01T20:03:18.782Z] at ValidatePathWithParams.validate(ValidatePathWithParams.java:142)
[2023-12-01T20:03:18.782Z] ... 7 more
[2023-12-01T20:03:18.782Z]
[2023-12-01T20:03:18.782Z] JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
[2023-12-01T20:03:27.652Z] jdk_security_infra_1_FAILED
RI JDK17 aarch64_mac - same failure
RI JDK17 x86-64_linux - same failure
@KostasTsiounis @jasonkatonica this needs investigation
The failing test is `CAInterop`, which was introduced as part of this commit.
Said test substitutes a number of tests that had hard-coded certificates to test. The new test loads the certificates from the `cacerts` file and tries to then retrieve them from the created `KeyStore`.
The certificates examined, and expected to be in the `KeyStore`, are the OpenJDK certificates. However, the Semeru Certified Edition contains a different set of Adoptium certificates derived from Mozilla certificates, as @pshipton informed me. So, when the test tries to `cacerts.getCertificate(alias)`, the result is null, leading to the produced `NullPointerException`.
This was verified by substituting the `cacerts` file with one created through an OpenJ9 build, which led to the test succeeding.
@pshipton What do you think our next steps should be?
@LongyuZhang @sophia-guo what is Adoptium doing about all these failing security_infra tests?
Same failure in jdk_security_infra at Adoptium on Dec 25th, 2023: https://ci.adoptium.net/job/Test_openjdk17_hs_extended.openjdk_aarch64_linux_testList_1/45/tapResults/
From what I can see, the last green extended.openjdk on aarch64_linux was on Sep 1st, 2023: https://ci.adoptium.net/job/Test_openjdk17_hs_extended.openjdk_aarch64_linux/
@llxia The `CAInterop` test was added on the upstream on September 28, 2023.
This should be resolved via https://github.com/adoptium/aqa-tests/pull/4955, or an OpenJ9 update derived from it.
We just tested 21 as we also had this issue.
I don't know the background on why we've been generating the cacerts file and replacing the one that's built by default, however if you run the tests with the default cacert then the tests pass (we confirmed that the alias being searched for is in the default cacert file and not the one generated from the Mozilla source).
I don't know (again because of the background) which cacert file (if any) would be needed for TCK.
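The alias lookup discussed in the comments above, as an added example that is not part of the thread or of the OpenJDK test: it probes a `cacerts` file for a list of aliases and reports the missing ones instead of dereferencing a null certificate. The class name, the default aliases (constructed from test ids on this page) and the `changeit` store password are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class CacertsAliasCheck {
    public static void main(String[] args) throws Exception {
        // args[0]: trust store path (default: the running JDK's cacerts).
        File store = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        // args[1..]: aliases to probe. The defaults are constructed from test ids
        // on this page; the alias strings in a real cacerts file may differ.
        List<String> wanted = args.length > 1
                ? Arrays.asList(args).subList(1, args.length)
                : Arrays.asList("actalisauthenticationrootca", "amazonrootca1");

        // "changeit" is the conventional cacerts password (assumption).
        KeyStore cacerts = KeyStore.getInstance(store, "changeit".toCharArray());
        List<String> missing = new ArrayList<>();
        for (String alias : wanted) {
            // getCertificate returns null for an unknown alias; check before use.
            Certificate cert = cacerts.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                missing.add(alias);
                continue;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            System.out.println("OK      " + alias + "  "
                    + ((X509Certificate) cert).getSubjectX500Principal().getName()
                    + "  sha256=" + hex);
        }
        for (String alias : missing) System.out.println("MISSING " + alias);
        if (!missing.isEmpty()) {
            // Print what the store does contain so the two bundles can be compared.
            List<String> present = Collections.list(cacerts.aliases());
            Collections.sort(present);
            System.out.println(present.size() + " aliases in " + store + ": " + present);
            System.exit(1);
        }
    }
}
```

Running it once against the default `cacerts` and once against the generated one shows which aliases exist in only one of the two bundles.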
Failure link
From [an internal build](https://hyc-runtimes-jenkins.swg-devops.com/job/Test_openjdk17_j9_extended.openjdk_aarch64_linux/135/):
Rerun in Grinder - Change TARGET to run only the failed test targets.
Optional info
Failure output (captured from console output)
50x internal grinder - all failed
JDK17 aarch64_linux JDK17 ppc64le_linux
RI JDK17 aarch64_linux - failed as well