google / tsunami-security-scanner

Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Apache License 2.0

Docker build fails on Raspberry Pi. javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed #78

Open frakman1 opened 3 years ago

frakman1 commented 3 years ago

When attempting to do a docker build on a Raspberry Pi running the latest components, I get this error:

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ docker build -t tsunami .
Sending build context to Docker daemon  823.3kB
Step 1/16 : FROM adoptopenjdk/openjdk13:debianslim
 ---> 7c717fa469de
Step 2/16 : RUN apt-get update  && apt-get install -y --no-install-recommends git ca-certificates
 ---> Using cache
 ---> 9b79bccc75c0
Step 3/16 : WORKDIR /usr/tsunami/repos
 ---> Using cache
 ---> aa7ac15ef819
Step 4/16 : RUN git clone --depth 1 "https://github.com/google/tsunami-security-scanner-plugins"
 ---> Using cache
 ---> f67e7c9387d3
Step 5/16 : WORKDIR /usr/tsunami/repos/tsunami-security-scanner-plugins/google
 ---> Using cache
 ---> 2d1764626137
Step 6/16 : RUN chmod +x build_all.sh     && ./build_all.sh
 ---> Running in 385af0fc8450

Building detectors/credentials/cve20177615 ...
Downloading https://services.gradle.org/distributions/gradle-6.5-bin.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
        at java.base/sun.security.ssl.CertificateStatus$CertificateStatusConsumer.consume(CertificateStatus.java:295)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1460)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1368)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
        at org.gradle.wrapper.Download.downloadInternal(Download.java:83)
        at org.gradle.wrapper.Download.download(Download.java:66)
        at org.gradle.wrapper.Install$1.call(Install.java:68)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:368)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:274)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
        ... 22 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:363)
        ... 27 more
Caused by: java.security.SignatureException: Signature does not match.
        at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:450)
        at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
        at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 32 more
The command '/bin/sh -c chmod +x build_all.sh     && ./build_all.sh' returned a non-zero code: 1

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ java --version
openjdk 11.0.9.1 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-post-Raspbian-1deb10u2)
OpenJDK Server VM (build 11.0.9.1+1-post-Raspbian-1deb10u2, mixed mode)

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ gradle --version
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/usr/share/java/groovy-all.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

------------------------------------------------------------
Gradle 4.4.1
------------------------------------------------------------

Build time:   2012-12-21 00:00:00 UTC
Revision:     none

Groovy:       2.4.16
Ant:          Apache Ant(TM) version 1.10.5 compiled on August 27 2018
JVM:          11.0.9.1 (Raspbian 11.0.9.1+1-post-Raspbian-1deb10u2)
OS:           Linux 5.10.17-v7l+ arm

$ cat /etc/os-release 
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

$ docker --version
Docker version 20.10.5, build 55c4c88
magl0 commented 3 years ago

Looks like there is a certificate verification issue during the gradle build. Can you please check this thread to see if it helps?

frakman1 commented 3 years ago

Thank you for the link but unfortunately, it does not apply.

I ended up making a fork of the tsunami-security-scanner-plugins repo and making changes there to affect the build script change that uses that repo.

The thread in your link mentions proxies etc so I tried this again on a Pi from home and not behind a company firewall and it also failed, so I don't think this applies.

I also tried with gradle 6.8.3 on the home Pi with the same result. I don't know enough about gradle to troubleshoot further but I did try to add the certificate from the services.gradle.org website to the keystore with no luck.

Update. Apparently openjdk13:debianslim is no longer supported by the team that releases them and moving to openjdk15 variants is advised.
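The stack trace above ends in "Signature does not match" inside PKIXMasterCertPathValidator, which means the JVM could not verify the signature on one certificate in the chain it was handed, and adding the server's certificate to the keystore does not change that. Two things can produce that symptom: a trust store that lacks (or holds a corrupted copy of) the issuing root, or a JVM whose signature verification is itself broken on the platform. The diagnostic below is an added example, not part of Tsunami, the plugins repo or Gradle. It loads the JVM's default trust anchors, verifies every self-signed root against its own public key (a known-good root that fails here points at the JVM, not at services.gradle.org), and, if a hostname is given, connects on port 443, captures the presented chain and checks each link's signature individually so the failing certificate is named. The class name, the port and the single-file launch command are assumptions; it needs Java 11 or newer.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name), not project code.
public class TrustStoreSelfCheck {

    // The trust anchors the JVM uses by default (cacerts), i.e. what the Gradle wrapper sees.
    static List<X509Certificate> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    // Verify each self-signed root with its own key. Roots are known-good data, so a
    // failure here means the JVM's signature verification is broken, not the remote chain.
    static int checkSelfSignatures(List<X509Certificate> anchors) {
        int failures = 0;
        for (X509Certificate c : anchors) {
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            try {
                c.verify(c.getPublicKey());
            } catch (Exception e) {
                failures++;
                System.out.println("ROOT SELF-SIGNATURE FAILED: " + c.getSubjectX500Principal()
                        + " [" + c.getSigAlgName() + "]: " + e);
            }
        }
        return failures;
    }

    // Capture the chain the server presents. The capturing manager accepts anything, but the
    // socket is closed right after the handshake and no data is exchanged; the real
    // verification is done link by link in checkChainLinks.
    static X509Certificate[] fetchChain(String host) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { captured[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
        }
        return captured[0];
    }

    // For each certificate, find its issuer (next in chain, or a trust anchor with a matching
    // subject) and verify validity period and signature. Returns the number of failing links.
    static int checkChainLinks(X509Certificate[] chain, List<X509Certificate> anchors) {
        int failures = 0;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            List<X509Certificate> candidates = new ArrayList<>();
            if (i + 1 < chain.length) candidates.add(chain[i + 1]);
            for (X509Certificate a : anchors) {
                if (a.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) candidates.add(a);
            }
            String label = "[" + i + "] " + cert.getSubjectX500Principal();
            if (candidates.isEmpty()) {
                failures++;
                System.out.println(label + ": no issuer in chain or trust store for "
                        + cert.getIssuerX500Principal());
                continue;
            }
            Exception last = null;
            boolean ok = false;
            for (X509Certificate issuer : candidates) { // several anchors may share a subject
                try { cert.checkValidity(); cert.verify(issuer.getPublicKey()); ok = true; break; }
                catch (Exception e) { last = e; }
            }
            if (ok) System.out.println(label + ": signature OK");
            else { failures++; System.out.println(label + ": FAILED: " + last); }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> anchors = defaultTrustAnchors();
        System.out.println("Trust anchors loaded: " + anchors.size());
        System.out.println("Roots whose own signature fails: " + checkSelfSignatures(anchors));
        if (args.length > 0) {
            X509Certificate[] chain = fetchChain(args[0]);
            System.out.println("Server presented " + chain.length + " certificate(s)");
            System.out.println("Links failing: " + checkChainLinks(chain, anchors));
        }
    }
}
```

Run it inside the same image the Dockerfile uses, so the JVM and trust store under test are the ones the build uses, for example `java TrustStoreSelfCheck.java services.gradle.org` (Java 11+ launches a single source file directly). Zero trust anchors means the image's cacerts is missing or empty; roots failing their own signature check means the JVM build's crypto is at fault and no keystore import will help; a single failing link with a healthy trust store narrows the problem to that certificate.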