Open JasonFengJ9 opened 10 months ago
The original exception was keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR.
Within the catch block that starts here, the original exception is printed and a System.exit(1) is attempted, which apparently is not allowed by JT Harness.
After changing the flags passed to the keytool, I got the original exception which is:
java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:2053)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
at SignedJarPendingBlock.signJarFile(SignedJarPendingBlock.java:139)
at SignedJarPendingBlock.main(SignedJarPendingBlock.java:53)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:574)
at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:333)
at java.base/java.lang.Thread.run(Thread.java:857)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.importKey(SunPKCS11.java:639)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1805)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1109)
... 14 more
This appears to be the same as https://github.com/eclipse-openj9/openj9/issues/17672, which was attributed to a change in NSS behaviour that the OpenJDK hasn't picked up yet.
Apparently, the issue is not the same as https://github.com/eclipse-openj9/openj9/issues/17672. SunPKCS11 is using CKR_GENERAL_ERROR to mask a variety of exceptions that may arise in that section. After adding additional debug information, I got the exception that was the actual cause of this failure. It occurs here and is the following:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_UnwrapKey(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.importKey(SunPKCS11.java:637)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1833)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1109)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:2053)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
at SignedJarPendingBlock.signJarFile(SignedJarPendingBlock.java:139)
at SignedJarPendingBlock.main(SignedJarPendingBlock.java:53)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:574)
at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:333)
at java.base/java.lang.Thread.run(Thread.java:857)
After further investigation, it looks like the test is trying to create a PKCS12 keystore, which is the default in non-FIPS scenarios, generate RSA keys and then retrieve them and sign a jar.
The problem is that in FIPS settings, the default type of keystore is PKCS11. Said keystores need to be handled differently. The flags for the keytool, the configuration, the permissions, as well as other nuances, are distinct.
Due to that, the test cannot be run when FIPS is enabled and should most likely be excluded.
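Added example, not part of the original comments or of the test suite: a precondition check that reports which keystore type a keytool run without -storetype would target, and whether a file-based PKCS12 keystore can still be created. The class name KeystorePrecheck and its method names are hypothetical; only standard java.security APIs are used.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper (added example): run before a test that assumes
// keytool will create a file-based PKCS12 keystore by default.
public class KeystorePrecheck {

    // keytool without -storetype uses KeyStore.getDefaultType(), which a
    // FIPS configuration can switch from PKCS12 to PKCS11.
    static boolean defaultIsPkcs12() {
        return "PKCS12".equalsIgnoreCase(KeyStore.getDefaultType());
    }

    // True when an empty in-memory PKCS12 keystore can be initialised
    // with the providers installed in this runtime.
    static boolean pkcs12Usable() {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(null, null);
            return true;
        } catch (Exception e) {
            System.out.println("PKCS12 keystore not usable: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Default keystore type: " + KeyStore.getDefaultType());

        // getProviders returns null when no installed provider matches.
        Provider[] p11 = Security.getProviders("KeyStore.PKCS11");
        if (p11 != null) {
            for (Provider p : p11) {
                System.out.println("PKCS11 keystore provider: " + p.getName());
            }
        }

        if (!defaultIsPkcs12()) {
            System.out.println("SKIP: default keystore is not PKCS12; "
                    + "token keystores need different keytool flags and configuration.");
        } else if (!pkcs12Usable()) {
            System.out.println("SKIP: PKCS12 is the default but cannot be initialised.");
        } else {
            System.out.println("OK: file-based PKCS12 keystore is available.");
        }
    }
}
```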
Failure link
From an internal build (rhel8x86-svl-rtfips7-1): Rerun in Grinder - Change TARGET to run only the failed test targets.
Optional info
Failure output (captured from console output)
Also seen in an earlier issue