[8u] RFR: [TESTBUG] Some ssl jtreg tests fail due to usage of a secp256k1 ECDSA certificate
Andrew John Hughes
gnu.andrew at redhat.com
Mon Jan 13 21:08:24 UTC 2020
On 13/01/2020 20:32, David Alvarez wrote:
>
>
> On 2020-01-13 12:19, Andrew John Hughes wrote:
>> On 17/12/2019 21:51, David Alvarez wrote:
>>> Hi Severin,
>>>
>>> You're right the same cert is in 11u, but I don't think it is being used
>>> anymore. The same certificate store contains another certificate with
>>> alias ecdsasecp256r1 serial number 46646443, and that one is being used
>>> for the two jtreg tests I mentioned in the bug that fail. As the alias
>>> indicates, the certificate is based on curve secp256r1, that was not
>>> disabled. That certificate was added by 8196584: TLS 1.3 Implementation [1].
>>>
>>> David
>>>
>>> --
>>> [1] https://bugs.openjdk.java.net/browse/JDK-8196584
>>>
>>> On 2019-12-17 06:42, Severin Gehwolf wrote:
>>>> Hi David,
>>>>
>>>> On Fri, 2019-11-08 at 13:24 -0800, David Alvarez wrote:
>>>>> Hi,
>>>>>
>>>>> Requesting review for:
>>>>>
>>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8233864
>>>>> Webrev: http://cr.openjdk.java.net/~alvdavi/webrevs/8233864/webrev.8u.00/
>>>>>
>>>>> After 8u232, certain Tier2 jtreg ssl tests started to fail as they were
>>>>> relying on a certificate based on curve secp256k1. That curve is no
>>>>> longer enabled for ssl (disabled by JDK-8228825 [1]).
>>>>>
>>>>> The specific certificate is located in:
>>>>> test/sun/security/ssl/etc/keystore
>>>>> and
>>>>> test/sun/security/ssl/etc/truststore
>>>>>
>>>>> This patch fixes those tests by recreating the certificate stores with
>>>>> new certificates. The generated ECDSA certificate uses secp256r1. These
>>>>> certificates are v3 instead of v1 as the originals, but we have seen no
>>>>> failures caused by this.
>>>>>
>>>>> This change includes binary changes. A patch file with binary changes is
>>>>> located here:
>>>>> http://cr.openjdk.java.net/~alvdavi/patches/8233864.8u.00.patch
>>>>
>>>> Why is this a problem specific to 8u? I see the same cert in 11u's
>>>> keystore, Serial number: 57399c1d, alias dummyecdsa.
>>>>
>>>> For the time being I'll remove the jdk8u-fix-request label until it's
>>>> clear this is actually an 8u only problem.
>>>>
>>>> Thanks,
>>>> Severin
>>>>
>>>>> Thanks,
>>>>> --
>>>>> David Alvarez
>>>>>
>>>>> [1] http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5456f24496f4#l1.18
>>>>>
>>>>
>>>
>>
>> Is it not possible to backport the additional 11u certificate rather
>> than creating new ones?
>>
>> But generally, I agree this needs to be fixed. We've been seeing such
>> failures downstream for a long time, as we've generally only shipped
>> secp256r1, secp384r1 & secp521r1, so it would be good to see this fixed.
>>
>> Thanks,
>>
>
> Sure, I will update the webrev this week with the jdk11
> truststore/keystore certificates this week and confirm there are no issues
>
> David
>
Thanks, that'd be great! I just want to keep things as close as possible
between OpenJDK versions rather than introducing something new.
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
More information about the jdk8u-dev
mailing list