jdk_security_infra test failed with certificate status issues #2074

Open
LongyuZhang opened this issue Nov 27, 2020 · 2 comments
@LongyuZhang
Contributor

LongyuZhang commented Nov 27, 2020

Describe the bug
jdk_security_infra test failed several sub-tests due to certificate status:

  • BuypassCA and QuoVadisCA failed because the certificates have been revoked, for both openj9 and hotspot with jdk 11+. These two issues have been opened in the OpenJDK Bug System and reported to the CA, pending a certificate update: https://bugs.openjdk.java.net/browse/JDK-8243543 and https://bugs.openjdk.java.net/browse/JDK-8248899.
  • LuxTrustCA failed for both openj9 and hotspot with jdk 11+, because "java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors".
  • GlobalSignR6CA failed for both openj9 and hotspot with jdk 15, because "Certificate has been revoked, reason: CESSATION_OF_OPERATION".
  • LetsEncryptCA failed for both openj9 and hotspot, because "java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED".

To Reproduce
BuypassCA failure
openj9
hotspot

=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: false
Expected EE Status:GOOD
=====================================================
Received exception: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: SUPERSEDED, revocation date: Tue Apr 21 07:02:18 UTC 2020, authority: CN=Buypass OCSP, O=Buypass AS-983163327, C=NO, extension OIDs: []
Expected Certificate status: GOOD
Certificate status after validation: REVOKED

QuoVadisCA failure:
openj9
hotspot

=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: false
Expected EE Status:GOOD
=====================================================
Received exception: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: SUPERSEDED, revocation date: Fri Jul 03 18:50:28 UTC 2020, authority: CN=QuoVadis OCSP Authority Signature, OU=OCSP Responder, O=QuoVadis Limited, C=BM, extension OIDs: []
Expected Certificate status: GOOD
Certificate status after validation: REVOKED

LuxTrustCA:

Stacktrace
Execution failed: `main' threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status    
Standard Output
=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: false
Expected EE Status:GOOD
=====================================================
Received exception: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

GlobalSignR6CA

Execution failed: `main' threw exception: java.lang.RuntimeException: TEST FAILED: unexpected status of EE certificate    
Standard Output
=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: false
Expected EE Status:GOOD
=====================================================
Received exception: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: CESSATION_OF_OPERATION, revocation date: Wed Jul 08 17:00:00 IST 2020, authority: CN=GlobalSign OCSP for Root R6 - Signer 1.2, O=GlobalSign nv-sa, C=BE, extension OIDs: []
Expected Certificate status: GOOD
Certificate status after validation: REVOKED

LetsEncryptCA:

=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: true
Validation Date:Tue Jun 15 00:00:00 CDT 2021
Expected EE Status:REVOKED
Expected EE Revocation Date:Thu Apr 08 19:05:26 CDT 2021
=====================================================
Received exception: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED

Additional context
Related to Issue: eclipse-openj9/openj9#10757
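
Added example (not part of the original issue or of the jdk_security_infra test code): the output quoted above shows three kinds of failure, a revocation reported by the CA's OCSP responder, a path that does not chain to a trust anchor, and an OCSP response error. The Python below sorts a sub-test's standard output into those kinds; the classify() helper and the bucket names are hypothetical, and the sample lines are copied from the output in this issue.

```python
import re

# Two lines per sub-test, copied from the output quoted in this issue.
SAMPLES = {
    "BuypassCA": (
        "Expected EE Status:GOOD\n"
        "Received exception: java.security.cert.CertPathValidatorException: "
        "Certificate has been revoked, reason: SUPERSEDED, revocation date: "
        "Tue Apr 21 07:02:18 UTC 2020, authority: CN=Buypass OCSP, "
        "O=Buypass AS-983163327, C=NO, extension OIDs: []"),
    "LuxTrustCA": (
        "Expected EE Status:GOOD\n"
        "Received exception: java.security.cert.CertPathValidatorException: "
        "Path does not chain with any of the trust anchors"),
    "LetsEncryptCA": (
        "Expected EE Status:REVOKED\n"
        "Received exception: java.security.cert.CertPathValidatorException: "
        "OCSP response error: UNAUTHORIZED"),
}

EXPECTED = re.compile(r"Expected EE Status:\s*(\w+)")
REVOKED = re.compile(
    r"Certificate has been revoked, reason: (?P<reason>\w+), "
    r"revocation date: (?P<date>.+?), authority: (?P<authority>.+?), extension OIDs")
OCSP_ERROR = re.compile(r"OCSP response error: (?P<ocsp_status>\w+)")
NO_ANCHOR = "Path does not chain with any of the trust anchors"

def classify(output):
    """Sort one sub-test's standard output into a (hypothetical) triage bucket."""
    m = EXPECTED.search(output)
    result = {"expected": m.group(1) if m else None}
    exc = next((line for line in output.splitlines()
                if line.startswith("Received exception:")), "")
    revoked, ocsp = REVOKED.search(exc), OCSP_ERROR.search(exc)
    if revoked:
        # The responder answered; it is a mismatch only if the test expected GOOD.
        ok = result["expected"] == "REVOKED"
        result.update(revoked.groupdict(),
                      bucket="revoked-as-expected" if ok else "revoked-unexpected")
    elif ocsp:
        # The responder returned an error status instead of a certificate status.
        result.update(ocsp.groupdict(), bucket="ocsp-error")
    elif NO_ANCHOR in exc:
        # The chain did not reach a trust anchor; no revocation status is reported.
        result.update(bucket="no-trust-anchor")
    else:
        result.update(bucket="unclassified")
    return result

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, classify(out))
```
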

@karianna karianna added the bug label Nov 30, 2020
@LongyuZhang LongyuZhang changed the title from "jdk_security_infra test failed BuypassCA and QuoVadisCA with Certificate Revoked issue" to "jdk_security_infra test failed with certificate status issues" Dec 2, 2020
@sophia-guo
Contributor

https://ci.adoptium.net/job/Test_openjdk20_hs_extended.openjdk_aarch64_linux/24/#showFailuresLink
security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java

pshipton added a commit to pshipton/openjdk-tests that referenced this issue Apr 18, 2023
It's already excluded for other platforms via
adoptium#2074

See also eclipse-openj9/openj9#16966

Signed-off-by: Peter Shipton <[email protected]>
sophia-guo pushed a commit that referenced this issue Apr 18, 2023
It's already excluded for other platforms via
#2074

See also eclipse-openj9/openj9#16966

Signed-off-by: Peter Shipton <[email protected]>
@smlambert
Contributor

smlambert commented Jul 6, 2023

security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java started failing due to an expired cert too.

Related: https://bugs.openjdk.org/browse/JDK-8309088 (this should get excluded against hotspot until a fix is delivered upstream & backported to various repos).

And hoping that all related excludes will be able to be reincluded upon this PR:
openjdk/jdk#14252
