eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

FIPS java/util/jar/JarFile/SignedJarPendingBlock.java SecurityException: System.exit() forbidden by JT Harness #18564

Open JasonFengJ9 opened 10 months ago

JasonFengJ9 commented 10 months ago

Failure link

From an internal build (rhel8x86-svl-rtfips7-1):

openjdk version "17.0.10" 2024-01-16
IBM Semeru Runtime Open Edition 17.0.10.0-m1 (build 17.0.10+5)
Eclipse OpenJ9 VM 17.0.10.0-m1 (build v0.43.0-release-9b2a42f8f, JRE 17 Linux amd64-64-Bit Compressed References 20240116_622 (JIT enabled, AOT enabled)
OpenJ9   - 9b2a42f8f
OMR      - d810fcb98
JCL      - 10ccdceee3c based on jdk-17.0.10+5)

Rerun in Grinder - Change TARGET to run only the failed test targets.

Optional info

Failure output (captured from console output)

[2023-12-03T20:08:33.934Z] variation: -Xdump:system:none -Xdump:heap:none -Xdump:system:events=gpf+abort+traceassert+corruptcache Mode650
[2023-12-03T20:08:33.934Z] JVM_OPTIONS:  -Xdump:system:none -Xdump:heap:none -Xdump:system:events=gpf+abort+traceassert+corruptcache -XX:-UseCompressedOops -Xverbosegclog  -Dsemeru.fips=true

[2023-12-03T20:13:10.331Z] TEST: java/util/jar/JarFile/SignedJarPendingBlock.java

[2023-12-03T20:13:10.332Z] STDERR:
[2023-12-03T20:13:10.332Z] Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
[2023-12-03T20:13:10.332Z]  for: CN=SIGNER
[2023-12-03T20:13:10.332Z] java.lang.SecurityException: System.exit() forbidden by JT Harness
[2023-12-03T20:13:10.332Z]  at com.sun.javatest.regtest.agent.JavaTestSecurityManager.checkExit(JavaTestSecurityManager.java:117)
[2023-12-03T20:13:10.332Z]  at java.base/java.lang.Runtime.exit(Runtime.java:113)
[2023-12-03T20:13:10.332Z]  at java.base/java.lang.System.exit(System.java:517)
[2023-12-03T20:13:10.332Z]  at java.base/sun.security.tools.keytool.Main.run(Main.java:431)
[2023-12-03T20:13:10.332Z]  at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
[2023-12-03T20:13:10.332Z]  at SignedJarPendingBlock.signJarFile(SignedJarPendingBlock.java:135)
[2023-12-03T20:13:10.332Z]  at SignedJarPendingBlock.main(SignedJarPendingBlock.java:49)
[2023-12-03T20:13:10.332Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-12-03T20:13:10.332Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2023-12-03T20:13:10.332Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-12-03T20:13:10.332Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:574)
[2023-12-03T20:13:10.332Z]  at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:333)
[2023-12-03T20:13:10.332Z]  at java.base/java.lang.Thread.run(Thread.java:857)
[2023-12-03T20:13:10.332Z] 
[2023-12-03T20:13:10.332Z] JavaTest Message: Test threw exception: java.lang.SecurityException

[2023-12-03T20:23:26.776Z] jdk_util_1_FAILED

Also seen in an earlier issue

KostasTsiounis commented 8 months ago

The original exception was keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR.

Within the catch block that starts here, the original exception is printed and a System.exit(1) is attempted, which apparently is not allowed by JT Harness.

After changing the flags passed to the keytool, I got the original exception which is:

java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
    at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
    at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:2053)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
    at SignedJarPendingBlock.signJarFile(SignedJarPendingBlock.java:139)
    at SignedJarPendingBlock.main(SignedJarPendingBlock.java:53)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:574)
    at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:333)
    at java.base/java.lang.Thread.run(Thread.java:857)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.importKey(SunPKCS11.java:639)
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1805)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1109)
    ... 14 more

KostasTsiounis commented 8 months ago

This appears to be the same as https://github.com/eclipse-openj9/openj9/issues/17672, which was attributed to a change in NSS behaviour that the OpenJDK hasn't picked up yet.

KostasTsiounis commented 8 months ago

Apparently, the issue is not the same as https://github.com/eclipse-openj9/openj9/issues/17672. SunPKCS11 is using CKR_GENERAL_ERROR to mask a variety of exceptions that may arise in that section. After adding additional debug information, I got the exception that was the actual cause of this failure. It occurs here and is the following:

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
     at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_UnwrapKey(Native Method)
     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.importKey(SunPKCS11.java:637)
     at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$InnerPKCS11.C_CreateObject(PKCS11.java:191)
     at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1833)
     at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1109)
     at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
     at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
     at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:2053)
     at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
     at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
     at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
     at SignedJarPendingBlock.signJarFile(SignedJarPendingBlock.java:139)
     at SignedJarPendingBlock.main(SignedJarPendingBlock.java:53)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.base/java.lang.reflect.Method.invoke(Method.java:574)
     at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:333)
     at java.base/java.lang.Thread.run(Thread.java:857)

KostasTsiounis commented 8 months ago

After further investigation, it looks like the test is trying to create a PKCS12 keystore, which is the default in non-FIPS scenarios, generate RSA keys and then retrieve them and sign a jar.

The problem is that in FIPS settings, the default type of keystore is PKCS11. Said keystores need to be handled differently. The flags for the keytool, the configuration, the permissions, as well as other nuances, are distinct.

Due to that, the test cannot be run when FIPS is enabled and should most likely be excluded.
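
A guard for the condition described in the last comment, as an added example that is not part of the issue thread or of the OpenJDK test: it reports the runtime's default keystore type and backing provider, so a test that assumes a file-based PKCS12 keystore can stop with a clear message before it invokes keytool. The class and method names are hypothetical; `semeru.fips` is the property shown in the JVM_OPTIONS line of the failure output.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;

// Added example (hypothetical class name), not code from the OpenJDK test.
public class DefaultKeystoreGuard {

    /** Returns null when a file-based PKCS12 test can run, otherwise the reason it cannot. */
    static String reasonToSkip() {
        // Default type comes from the keystore.type security property.
        String type = KeyStore.getDefaultType();
        // Flag seen in the failing job's JVM_OPTIONS (-Dsemeru.fips=true).
        boolean fipsFlag = Boolean.getBoolean("semeru.fips");
        String provider;
        try {
            provider = KeyStore.getInstance(type).getProvider().getName();
        } catch (KeyStoreException e) {
            return "no provider for default keystore type " + type + ": " + e.getMessage();
        }
        if (!"PKCS12".equalsIgnoreCase(type)) {
            return "default keystore type is " + type + " (provider " + provider
                    + ", semeru.fips=" + fipsFlag + "); test assumes a PKCS12 file keystore";
        }
        return null;
    }

    public static void main(String[] args) {
        String reason = reasonToSkip();
        if (reason != null) {
            // Report and return normally: no System.exit(), so a harness that
            // forbids exit still shows this message instead of a SecurityException.
            System.out.println("SKIP: " + reason);
            return;
        }
        System.out.println("OK: default keystore is PKCS12, file-based keystore steps can proceed");
    }
}
```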