Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CA interoperability tests fail #4808

Closed
sophia-guo opened this issue Oct 11, 2023 · 10 comments
Closed

CA interoperability tests fail #4808

sophia-guo opened this issue Oct 11, 2023 · 10 comments
Assignees
Labels
JBS issue need to report to JBS or reopen the issue in JBS release triage

Comments

@sophia-guo
Copy link
Contributor

sophia-guo commented Oct 11, 2023

CA interoperability tests fail on all platforms with error message

**Execution failed: `main' threw exception: java.lang.NullPointerException: Cannot invoke "java.security.cert.X509Certificate.getSubjectX500Principal()" because "this.rootCertificate" is null

https://ci.adoptium.net/job/Test_openjdk21_hs_extended.openjdk_x86-64_linux_testList_1/24/testReport/junit/security_infra_java_security_cert_CertPathValidator_certification_CAInterop/java_amazonrootca1/CAInterop_amazonrootca1/

The new framework for interoperability testing https://bugs.openjdk.org/browse/JDK-8308592.

Similar https://bugs.openjdk.org/browse/JDK-8316381

@sophia-guo sophia-guo added the JBS issue need to report to JBS or reopen the issue in JBS label Oct 11, 2023
@smlambert
Copy link
Contributor

These tests should get excluded if the new framework has not been delivered to our upstream mirrors. We should not be going into another release period with all of these tests failing as it makes it very difficult to see other unknown, misunderstood failures.

@sophia-guo
Copy link
Contributor Author

sophia-guo commented Jan 10, 2024

Tests failed as the new framework merged. May need to open the issue in JBS. Will exclude in this release.

@sophia-guo
Copy link
Contributor Author

Those 44 tests are in one file. It is currently not possible to exclude all the tests in a file with a single entry. See CODETOOLS-7902265. Have to exclude one by one

@sophia-guo
Copy link
Contributor Author

same for 11, 17

@sophia-guo sophia-guo moved this from Todo to In Progress in 2024 1Q Adoptium Plan Jan 10, 2024
@sophia-guo sophia-guo self-assigned this Jan 10, 2024
@sophia-guo sophia-guo changed the title jdk21: CA interoperability tests fail CA interoperability tests fail Jan 10, 2024
@smlambert
Copy link
Contributor

There are 45 testcases in the jdk_security_infra target, 44 are failing. We can exclude the entire jdk_security_infra target in the playlist and should link to an upstream bug that gets raised to report the issue (assuming it is an upstream issue and not our mirror failing to pick up the new framework).

From recent TAP file https://ci.adoptium.net/job/Test_openjdk21_hs_extended.openjdk_x86-64_linux_testList_1/33/tapResults/:

Failed test cases: 
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsignrootcag1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumeccca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustpremiumca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustcommercialca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#affirmtrustnetworkingca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlsrsarootg5
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlseccrootg5
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliarootcav2
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsigneccrootcag3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx2
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
TEST: security/infra/java/security/cert/CertPathValidator/certification/DigicertCSRootG5.java
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
TEST: security/infra/java/security/cert/CertPathValidator/certification/EmSignRootG2CA.java
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
TEST: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
Test results: passed: 1; failed: 45

@smlambert
Copy link
Contributor

Ok, I see you went the ProblemList route, now I see your PR.

@macarte
Copy link

macarte commented Jan 10, 2024

We just tested 21 as we also had this issue.

I don't know the background on why we've been generating the cacerts file and replacing the one thats built by default, however if you run the tests with the default cacert then the tests pass (we confirmed that the alias being searched for is in the default cacert file and not the one generated from the mozilla source

I don't know (again because of the background) which cacert file (if any) would be needed for TCK

@smlambert
Copy link
Contributor

We will see what happens in our dry run tomorrow. These jtreg tests will be excluded and investigated (sounds like an area of improvement upstream to be able to support or skip in the event of other cacerts in use).

@sophia-guo
Copy link
Contributor Author

Note for now we might just disable those tests for Temurin as https://github.com/adoptium/temurin-build/tree/master/security

@smlambert
Copy link
Contributor

Given these test cases are not valid for any vendor (including Adoptium) who has their own CA certs, this may become a permanent exclude (where we track it against a closed issue with no intention to re-enable).

@github-project-automation github-project-automation bot moved this from In Progress to Done in 2024 1Q Adoptium Plan Jan 26, 2024
sophia-guo added a commit to sophia-guo/openjdk-tests that referenced this issue Jan 29, 2024
sophia-guo added a commit that referenced this issue Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
JBS issue need to report to JBS or reopen the issue in JBS release triage
Projects
Status: Done
Development

No branches or pull requests

3 participants