Closed JasonFengJ9 closed 7 months ago
@jasonkatonica can someone look at this pls.
The problem occurs at the part of the test where it tries to verify certificates with incorrect signatures (https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/test/jdk/sun/security/pkcs11/ec/ReadCertificates.java#L167). Two certificates are selected randomly, making sure they are not the same or their key algorithms don't match. In any other case, an expected exception is thrown, which is caught and the test succeeds.
The failure happens because there is a finally
block (https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java#L775) that tries to cancel the operation after the exception is thrown. In cases where certificate and signer both use secp
curves and the certificate's curve length is greater than the signer's, the cancelOperation()
method's attempt to do another verify (https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java#L319) causes NSS to reply with a different return code (CKR_DATA_LEN_RANGE
) that is not expected (https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java#L340). Said code leads to an also unexpected ProviderException
that is not caught (https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java#L346).
This issue is only happening in s390x
. When I tried it in x86
, it either succeeds or the return code is an expected one (CKR_SIGNATURE_LEN_RANGE
) that is handled and the appropriate exception is thrown.
I think this might be an issue with the NSS library in s390x. There are 3 available solutions:
catch
block to account for the ProviderException
(https://github.com/KostasTsiounis/openj9-openjdk-jdk17/blob/a9eedbbd76a3b207d8b467a63733551482b23109/test/jdk/sun/security/pkcs11/ec/ReadCertificates.java#L187). (I tried that and it works)CKR_DATA_LEN_RANGE
return code too.If user's may be caught out by the difference, doing Change the SunPKCS11 code to account for CKR_DATA_LEN_RANGE return code too.
seems like the way to proceed.
Moving this forward as it's too late for 0.43.
Failure link
From an internal build(
rhel8s390x-svl-rt7-1
):Rerun in Grinder - Change TARGET to run only the failed test targets.
Optional info
Failure output (captured from console output)
50x internal grinder - 24/50 failed -Xint 50x internal grinder - reproduced w/ -Xint