[8u] RFR: [TESTBUG] Some ssl jtreg tests fail due to usage of a secp256k1 ECDSA certificate

[David Alvarez]

Hi Severin,

You're right the same cert is in 11u, but I don't think it is being used
anymore. The same certificate store contains another certificate with
alias ecdsasecp256r1 serial number 46646443, and that one is being used
for the two jtreg tests I mentioned in the bug that fail. As the alias
indicates, the certificate is based on curve secp256r1, that was not
disabled. That certificate was added by 8196584: TLS 1.3 Implementation [1].

David

--
[1] https://bugs.openjdk.java.net/browse/JDK-8196584

On 2019-12-17 06:42, Severin Gehwolf wrote:
> Hi David,
> 
> On Fri, 2019-11-08 at 13:24 -0800, David Alvarez wrote:
>> Hi,
>>
>> Requesting review for:
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8233864
>> Webrev: http://cr.openjdk.java.net/~alvdavi/webrevs/8233864/webrev.8u.00/
>>
>> After 8u232, certain Tier2 jtreg ssl tests started to fail as they were
>> relying on a certificate based on curve secp256k1. That curve is no
>> longer enabled for ssl (disabled by JDK-8228825 [1]).
>>
>> The specific certificate is located in:
>> test/sun/security/ssl/etc/keystore
>> and
>> test/sun/security/ssl/etc/truststore
>>
>> This patch fixes those tests by recreating the certificate stores with
>> new certificates. The generated ECDSA certificate uses secp256r1. These
>> certificates are v3 instead of v1 as the originals, but we have seen no
>> failures caused by this.
>>
>> This change includes binary changes. A patch file with binary changes is
>> located here:
>> http://cr.openjdk.java.net/~alvdavi/patches/8233864.8u.00.patch
> 
> Why is this a problem specific to 8u? I see the same cert in 11u's
> keystore, Serial number: 57399c1d, alias dummyecdsa.
> 
> For the time being I'll remove the jdk8u-fix-request label until it's
> clear this is actually an 8u only problem.
> 
> Thanks,
> Severin
> 
>> Thanks,
>> --
>> David Alvarez
>>
>> [1] http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5456f24496f4#l1.18
>>
>