[8u] RFR: [TESTBUG] Some ssl jtreg tests fail due to usage of a secp256k1 ECDSA certificate

Andrew John Hughes gnu.andrew at redhat.com
Mon Jan 13 20:19:42 UTC 2020 

On 17/12/2019 21:51, David Alvarez wrote:
> Hi Severin,
> 
> You're right the same cert is in 11u, but I don't think it is being used
> anymore. The same certificate store contains another certificate with
> alias ecdsasecp256r1 serial number 46646443, and that one is being used
> for the two jtreg tests I mentioned in the bug that fail. As the alias
> indicates, the certificate is based on curve secp256r1, that was not
> disabled. That certificate was added by 8196584: TLS 1.3 Implementation [1].
> 
> David
> 
> --
> [1] https://bugs.openjdk.java.net/browse/JDK-8196584
> 
> On 2019-12-17 06:42, Severin Gehwolf wrote:
>> Hi David,
>>
>> On Fri, 2019-11-08 at 13:24 -0800, David Alvarez wrote:
>>> Hi,
>>>
>>> Requesting review for:
>>>
>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8233864
>>> Webrev: http://cr.openjdk.java.net/~alvdavi/webrevs/8233864/webrev.8u.00/
>>>
>>> After 8u232, certain Tier2 jtreg ssl tests started to fail as they were
>>> relying on a certificate based on curve secp256k1. That curve is no
>>> longer enabled for ssl (disabled by JDK-8228825 [1]).
>>>
>>> The specific certificate is located in:
>>> test/sun/security/ssl/etc/keystore
>>> and
>>> test/sun/security/ssl/etc/truststore
>>>
>>> This patch fixes those tests by recreating the certificate stores with
>>> new certificates. The generated ECDSA certificate uses secp256r1. These
>>> certificates are v3 instead of v1 as the originals, but we have seen no
>>> failures caused by this.
>>>
>>> This change includes binary changes. A patch file with binary changes is
>>> located here:
>>> http://cr.openjdk.java.net/~alvdavi/patches/8233864.8u.00.patch
>>
>> Why is this a problem specific to 8u? I see the same cert in 11u's
>> keystore, Serial number: 57399c1d, alias dummyecdsa.
>>
>> For the time being I'll remove the jdk8u-fix-request label until it's
>> clear this is actually an 8u only problem.
>>
>> Thanks,
>> Severin
>>
>>> Thanks,
>>> --
>>> David Alvarez
>>>
>>> [1] http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5456f24496f4#l1.18
>>>
>>
> 

Is it not possible to backport the additional 11u certificate rather
than creating new ones?

But generally, I agree this needs to be fixed. We've been seeing such
failures downstream for a long time, as we've generally only shipped
secp256r1, secp384r1 & secp521r1, so it would be good to see this fixed.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew

More information about the jdk8u-dev mailing list