
jdk_security3_0 FAILED sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java ValidatorException: No trusted certificate #21027

Open
JasonFengJ9 opened this issue Jan 27, 2025 · 12 comments

Comments

@JasonFengJ9
Member

JasonFengJ9 commented Jan 27, 2025

Failure link

From internal Test_openjdk8_j9_extended.openjdk_aarch64_linux_testList_0 (rtj-ubu24aarch64-svl-test-e58xx-1)

openjdk version "1.8.0_442"
IBM Semeru Runtime Open Edition (build 1.8.0_442-b06)
Eclipse OpenJ9 VM (build v0.49.0-release-3c3d179854, JRE 1.8.0 Linux aarch64-64-Bit Compressed References 20250123_1102 (JIT enabled, AOT enabled)
OpenJ9   - 3c3d179854
OMR      - e49875871
JCL      - 61f83383b8 based on jdk8u442-b06)

Rerun in Grinder - Change TARGET to run only the failed test targets

Optional info

Failure output (captured from console output)

[2025-01-24T20:36:37.047Z] variation: Mode150
[2025-01-24T20:36:37.047Z] JVM_OPTIONS:  -XX:+UseCompressedOops -Xverbosegclog 

[2025-01-24T20:51:07.075Z] TEST: sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java

[2025-01-24T20:51:07.085Z] STDERR:
[2025-01-24T20:51:07.085Z] Testing entrustevca
[2025-01-24T20:51:07.085Z] Testing entrustrootcaec1
[2025-01-24T20:51:07.085Z] Testing entrustrootcag2
[2025-01-24T20:51:07.085Z] Testing entrustrootcag4
[2025-01-24T20:51:07.085Z] sun.security.validator.ValidatorException: No trusted certificate found
[2025-01-24T20:51:07.085Z] 	at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:398)
[2025-01-24T20:51:07.085Z] 	at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:135)
[2025-01-24T20:51:07.085Z] 	at sun.security.validator.Validator.validate(Validator.java:271)
[2025-01-24T20:51:07.085Z] 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
[2025-01-24T20:51:07.085Z] 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:234)
[2025-01-24T20:51:07.086Z] 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:110)
[2025-01-24T20:51:07.086Z] 	at Distrust.testTM(Distrust.java:131)
[2025-01-24T20:51:07.086Z] 	at Distrust.main(Distrust.java:92)
[2025-01-24T20:51:07.086Z] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2025-01-24T20:51:07.086Z] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2025-01-24T20:51:07.086Z] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2025-01-24T20:51:07.086Z] 	at java.lang.reflect.Method.invoke(Method.java:503)
[2025-01-24T20:51:07.087Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2025-01-24T20:51:07.087Z] 	at java.lang.Thread.run(Thread.java:822)
[2025-01-24T20:51:07.087Z] java.lang.Exception: Unexpected exception: sun.security.validator.ValidatorException: No trusted certificate found
[2025-01-24T20:51:07.087Z] 	at Distrust.testTM(Distrust.java:149)
[2025-01-24T20:51:07.087Z] 	at Distrust.main(Distrust.java:92)
[2025-01-24T20:51:07.087Z] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2025-01-24T20:51:07.087Z] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2025-01-24T20:51:07.088Z] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2025-01-24T20:51:07.088Z] 	at java.lang.reflect.Method.invoke(Method.java:503)
[2025-01-24T20:51:07.088Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2025-01-24T20:51:07.088Z] 	at java.lang.Thread.run(Thread.java:822)
[2025-01-24T20:51:07.088Z] 
[2025-01-24T20:51:07.088Z] JavaTest Message: Test threw exception: java.lang.Exception: Unexpected exception: sun.security.validator.ValidatorException: No trusted certificate found
[2025-01-24T20:51:07.088Z] JavaTest Message: shutting down test

[2025-01-24T20:51:07.093Z] TEST RESULT: Failed. Execution failed: `main' threw exception: java.lang.Exception: Unexpected exception: sun.security.validator.ValidatorException: No trusted certificate found
[2025-01-24T20:51:07.093Z] --------------------------------------------------
[2025-01-24T21:05:08.794Z] Test results: passed: 611; failed: 1
[2025-01-24T21:05:08.794Z] Report written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_aarch64_linux_testList_0/aqa-tests/TKG/output_17377481954353/jdk_security3_0/report/html/report.html
[2025-01-24T21:05:08.794Z] Results written to /home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_aarch64_linux_testList_0/aqa-tests/TKG/output_17377481954353/jdk_security3_0/work
[2025-01-24T21:05:08.795Z] Error: Some tests failed or other problems occurred.
[2025-01-24T21:05:08.795Z] -----------------------------------
[2025-01-24T21:05:08.795Z] jdk_security3_0_FAILED

5x internal Grinder - all failed

5x internal Grinder w/ RI - 4/5 passed, the failure is different - PKCS11Exception: CKR_USER_TYPE_INVALID.

Across platforms:
openjdk8_j9_extended.openjdk_ppc64_aix
openjdk8_j9_extended.openjdk_ppc64le_linux

@pshipton
Member

@jasonkatonica pls take a look.

@jasonkatonica
Contributor

jasonkatonica commented Jan 28, 2025

This test is failing on this line of the test since the expected exception thrown does not indicate that an untrusted certificate was encountered, instead in Semeru it returns "no trusted certificate found" at all ( no root certificate found ).

The test makes use of the cacerts file that contains various CAs' root certificates that are included with the SDK. The test expects to find the 4096 key size Entrust root CA certificate to establish a certificate chain and then it should fail throwing the exception on this line since the Entrust CA certificates are no longer allowed by policy. In the Semeru case we do not find one of the root CA certificates for Entrust (4096 key size) in the cacerts file at all; instead the code throws an exception indicating no certificate found, thus causing the change in behavior.

I downloaded the just released Temurin build and compared the cacerts file contents as follows:

keytool -list -v -keystore ./semeru-jdk8u442-b06/jre/lib/security/cacerts > semerucacerts.txt 2>&1

Resulting in this file:

semerucacerts.txt

And

keytool -list -v -keystore ./temurin-jdk8u442-b06/jre/lib/security/cacerts > temurincacerts.txt 2>&1

Resulting in this file:

temurincacerts.txt

Comparing these files the Semeru build is missing the certificate used by the failing test :

[screenshot omitted: the certificate comment in the test's PEM shown next to the matching entry in the Temurin cacerts listing]

( Notice the matching serial between the comment in pem and the listing of the cacerts file )

In total there are 3 missing certificates in the cacerts file within Semeru with the following aliases ( the first alias being the one used by these tests ):

Alias name: cn=entrust_root_certification_authority_-_g4,ou=(c)_2015_entrust__inc._-_for_authorized_use_only,ou=see_www.entrust.net/legal-terms,o=entrust__inc.,c=us

Alias name: cn=securesign_rootca11,o=japan_certification_services__inc.,c=jp

Alias name: cn=security_communication_rootca3,o=secom_trust_systems_co._ltd.,c=jp

@AdamBrousseau I believe the expectation here at this point in time is that the cacerts file should match the contents of the Temurin cacerts file? Perhaps the Semeru build pipeline does not exactly replicate the logic for how temurin is building its cacerts file?
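
The keytool comparison described in the comment above, automated. This is an added example written for this page, not code from the issue, from Semeru or from temurin-build. It parses two `keytool -list -v` dumps (here built from constructed entries standing in for semerucacerts.txt and temurincacerts.txt, with placeholder serials and fingerprints that are not the real values for any CA) and reports aliases missing on either side, plus same-alias entries whose SHA-256 fingerprints differ, since a root that is present under the same alias but with a different certificate would slip past an alias-only diff:

```python
"""Compare two `keytool -list -v` truststore dumps by alias and fingerprint.

Added example for this thread, not code from the issue or from temurin-build.
The listings are built from constructed entries in the shape keytool prints;
serials and fingerprints are placeholders, not the real values for any CA.
"""
import re
from dataclasses import dataclass

# Aliases quoted in the thread; the Entrust G4 alias is the one the test needs.
ENTRUST_G4_ALIAS = ("cn=entrust_root_certification_authority_-_g4,"
                    "ou=(c)_2015_entrust__inc._-_for_authorized_use_only,"
                    "ou=see_www.entrust.net/legal-terms,o=entrust__inc.,c=us")
SECURESIGN_ALIAS = "cn=securesign_rootca11,o=japan_certification_services__inc.,c=jp"


@dataclass(frozen=True)
class TrustedCert:
    alias: str
    serial: str
    sha256: str
    key_info: str


def _field(chunk: str, pattern: str) -> str:
    m = re.search(pattern, chunk, re.M)
    return m.group(1).strip() if m else ""


def parse_keytool_listing(text: str) -> dict:
    """Map alias -> TrustedCert for each entry of a `keytool -list -v` dump.

    keytool closes every entry with two lines of asterisks, so split there
    rather than on blank lines, which also occur inside an entry.
    """
    entries = {}
    for chunk in re.split(r"\*{10,}", text):
        alias = _field(chunk, r"^Alias name: (.+)$")
        if not alias:
            continue  # keystore header, or the gap between the two banner lines
        entries[alias] = TrustedCert(
            alias=alias,
            serial=_field(chunk, r"^Serial number: ([0-9a-fA-F]+)$"),
            sha256=_field(chunk, r"SHA256: ([0-9A-F:]+)"),
            key_info=_field(chunk, r"^Subject Public Key Algorithm: (.+)$"),
        )
    return entries


def compare_truststores(left: dict, right: dict):
    """Return (missing_from_left, missing_from_right, same_alias_different_sha256)."""
    missing_left = sorted(set(right) - set(left))
    missing_right = sorted(set(left) - set(right))
    mismatched = sorted(a for a in set(left) & set(right)
                        if left[a].sha256 != right[a].sha256)
    return missing_left, missing_right, mismatched


def aliases_with_key(entries: dict, needle: str):
    """Aliases whose public-key line contains `needle`, e.g. "4096-bit RSA"."""
    return sorted(a for a, c in entries.items() if needle in c.key_info)


def keytool_entry(alias, serial, sha256, key_info):
    """One constructed entry in the layout `keytool -list -v` prints."""
    return (f"Alias name: {alias}\nCreation date: Jan 23, 2025\n"
            "Entry type: trustedCertEntry\n\n"
            f"Serial number: {serial}\nCertificate fingerprints:\n"
            "\t SHA1: 00:00:00:00\n"
            f"\t SHA256: {sha256}\n"
            f"Subject Public Key Algorithm: {key_info}\nVersion: 3\n\n\n"
            "*******************************************\n"
            "*******************************************\n\n\n")


HEADER = "Keystore type: jks\nKeystore provider: SUN\n\nYour keystore contains {n} entries\n\n"

# Constructed stand-in for semerucacerts.txt: no Entrust G4, no SecureSign.
SEMERU_LISTING = (HEADER.format(n=2)
                  + keytool_entry("example_root_ca", "01", "A1:A1:A1:A1", "2048-bit RSA key")
                  + keytool_entry("example_root_ca_2", "02", "B2:B2:B2:B2", "384-bit EC key"))

# Constructed stand-in for temurincacerts.txt; example_root_ca_2 is given a
# different fingerprint on purpose so that a same-alias drift gets reported.
TEMURIN_LISTING = (HEADER.format(n=4)
                   + keytool_entry("example_root_ca", "01", "A1:A1:A1:A1", "2048-bit RSA key")
                   + keytool_entry("example_root_ca_2", "02", "C3:C3:C3:C3", "384-bit EC key")
                   + keytool_entry(ENTRUST_G4_ALIAS, "0d", "D4:D4:D4:D4", "4096-bit RSA key")
                   + keytool_entry(SECURESIGN_ALIAS, "05", "E5:E5:E5:E5", "2048-bit RSA key"))


def report(left_name, left_text, right_name, right_text):
    """Human-readable diff of two listings as produced by the two keytool runs."""
    left, right = parse_keytool_listing(left_text), parse_keytool_listing(right_text)
    missing_left, missing_right, mismatched = compare_truststores(left, right)
    lines = [f"{left_name}: {len(left)} entries, {right_name}: {len(right)} entries"]
    lines += [f"missing from {left_name}: {a}" for a in missing_left]
    lines += [f"missing from {right_name}: {a}" for a in missing_right]
    lines += [f"same alias, different SHA256: {a}" for a in mismatched]
    return lines


if __name__ == "__main__":
    print("\n".join(report("semeru", SEMERU_LISTING, "temurin", TEMURIN_LISTING)))
```

Against real dumps, feed the two files produced by the keytool commands in the comment to `parse_keytool_listing` instead of the constructed strings. Note that a root that is absent from cacerts makes the validator report "No trusted certificate found" before any distrust policy is consulted, which is exactly the behaviour change described above; checking for the alias (and its 4096-bit RSA key) is therefore the first thing to verify on a suspect build.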

@AdamBrousseau
Contributor

I compared what we have in our branch of temurin-build vs what Adopt has and the content is the same.

https://raw.githubusercontent.com/ibmruntimes/temurin-build/refs/heads/ibm/security/certdata.txt
vs
https://raw.githubusercontent.com/adoptium/temurin-build/refs/heads/master/security/certdata.txt

I checked the java -version from the original link.
8.0.442 rc1

/home/jenkins/workspace/Test_openjdk8_j9_extended.openjdk_aarch64_linux_testList_0/jdkbinary/j2sdk-image/bin/java -version
00:00:49.928  =JAVA VERSION OUTPUT BEGIN=
00:00:49.928  openjdk version "1.8.0_442"
00:00:49.928  IBM Semeru Runtime Open Edition (build 1.8.0_442-b06)
00:00:49.928  Eclipse OpenJ9 VM (build v0.49.0-release-3c3d179854, JRE 1.8.0 Linux aarch64-64-Bit Compressed References 20250123_1102 (JIT enabled, AOT enabled)
00:00:49.928  OpenJ9   - 3c3d179854
00:00:49.928  OMR      - e49875871
00:00:49.928  JCL      - 61f83383b8 based on jdk8u442-b06)

Built using

00:00:49.942  BUILD_SOURCE="git:52d751629793498b9ece44004e3b35cb960b7e2d"
00:00:49.942  BUILD_SOURCE_REPO="https://github.com/ibmruntimes/temurin-build.git"

Which is the current HEAD commit in our repo, containing the last change to cacerts.txt.
ibmruntimes/temurin-build@52d7516

Perhaps the build is processing that file for Temurin different than Semeru. Will have to dig into it.

@pshipton
Member

pshipton commented Jan 28, 2025

"Entrust Root Certification Authority - G4" is in ibmruntimes/temurin-build@52d7516 with the same fingerprints as the cert in Temurin. If it's in the file, not sure why it's not in Semeru.
https://github.com/ibmruntimes/temurin-build/blob/ibm/security/certdata.txt#L14713

The other two missing certs are not there.

@AdamBrousseau
Contributor

I see this certs build arg (bolded) being passed to the adopt build script.

/home/jenkins/workspace/build-scripts/jobs/jdk8u/jdk8u-linux-aarch64-openj9/build-farm/../makejdk-any-platform.sh --clean-git-repo --jdk-boot-dir /usr/lib/jvm/java-1.7.0-openjdk --configure-args --with-openssl=fetched --with-product-name="IBM Semeru Runtime" --with-product-suffix="Open Edition" --target-file-name ibm-semeru-open-jdk_aarch64_linux_8u442b06_openj9-0.49.0-rc1.tar.gz --release --clean-libs --disable-shallow-git-clone -b v0.49.0-release --ssh --vendor-version "8.0.442.0-rc1" --skip-freetype --use-jep319-certs --create-debug-image --create-jre-image --build-variant openj9 jdk8u

But it seems to be obsolete

--use-jep319-certs
Use certs defined in JEP319 in Java 8/9. Deprecated, has no effect.

I compared the build log from a temurin nightly to our build that produced the sdk above. Seems only the bash set x setting is different.

$ diff cert.process.temurin cert.process.semeru 
1c1
< Generating cacerts from Mozilla's bundle
---
> + ./mk-cacerts.sh --keytool /usr/lib/jvm/java-1.7.0-openjdk/bin/keytool
adam:temurin-build$ diff cert.process.temurin cert.process.semeru 
0a1
> + echo 'Generating cacerts from Mozilla'\''s bundle'
1a3,5
> + cd /home/jenkins/workspace/build-scripts/jobs/jdk8u/jdk8u-linux-aarch64-openj9/sbin/../security
> + [[ 8 -ge 17 ]]
> + ./mk-cacerts.sh --keytool /usr/lib/jvm/java-1.7.0-openjdk/bin/keytool

The rest of the cert process lines are identical up until (and including)

12:17:33  Certificate was added to keystore
12:17:33  Number of certs processed: 149

@AdamBrousseau
Contributor

Probably this?

00:03:58.701  Skipping: Entrust Root Certification Authority is not trusted anymore
00:03:58.701  Parsing: Entrust Root Certification Authority
...
00:03:58.703  Skipping: Entrust Root Certification Authority - G2 is not trusted anymore
00:03:58.703  Parsing: Entrust Root Certification Authority - G2
00:03:58.703  Skipping: Entrust Root Certification Authority - EC1 is not trusted anymore
00:03:58.703  Parsing: Entrust Root Certification Authority - EC1
...
00:03:58.704  Skipping: Entrust Root Certification Authority - G4
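
The skip messages above come from the step that turns Mozilla's certdata.txt into cacerts. As an added illustration, not the temurin-build mk-cacerts.sh script and not code from this issue, the following shows one way such a generator can decide to include a root, skip it, or report it as "not trusted anymore": it parses certdata objects, reads the CKO_NSS_TRUST object's CKA_TRUST_SERVER_AUTH flag, and decodes the certificate's CKA_NSS_SERVER_DISTRUST_AFTER UTCTime. The include rule and the constructed, abbreviated bundle are assumptions; whether mk-cacerts.sh applies the same rule, and why G4 is skipped without a reason in the log, is not established on this page.

```python
"""Filter a Mozilla certdata.txt bundle to the roots usable as TLS trust anchors.

Added illustration for this thread, not temurin-build's mk-cacerts.sh. The rule
used (keep a root only if its trust object grants CKT_NSS_TRUST_DELEGATOR for
server auth, and drop it once CKA_NSS_SERVER_DISTRUST_AFTER has passed) is an
assumption about how a generator arrives at "Skipping: ... is not trusted
anymore". The embedded bundle is constructed and abbreviated.
"""
import re
from datetime import datetime, timezone

SERVER_AUTH_TRUSTED = "CKT_NSS_TRUST_DELEGATOR"


def decode_multiline_octal(lines):
    """Binary fields are stored as octal escapes (\\062\\064...); decode to bytes."""
    return bytes(int(m.group(1), 8)
                 for line in lines for m in re.finditer(r"\\([0-7]{3})", line))


def parse_certdata(text):
    """One attribute dict per object; an object starts at each CKA_CLASS line."""
    objects, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        parts = lines[i].strip().split(None, 2)
        i += 1
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or the bare BEGINDATA marker
        attr, kind, rest = parts[0], parts[1], (parts[2] if len(parts) > 2 else "")
        if kind == "MULTILINE_OCTAL":
            start = i
            while i < len(lines) and lines[i].strip() != "END":
                i += 1
            value, i = decode_multiline_octal(lines[start:i]), i + 1
        else:
            value = rest.strip().strip('"') if kind == "UTF8" else rest.strip()
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects


def parse_distrust_after(raw):
    """CK_FALSE (or absent) means no cutoff; otherwise a UTCTime like b"241130000000Z"."""
    if not isinstance(raw, bytes):
        return None
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def select_tls_roots(certdata_text, now):
    """Map each certificate label to "included" or a "skipped: ..." reason."""
    certs, trust = {}, {}
    for obj in parse_certdata(certdata_text):
        label = obj.get("CKA_LABEL", "")
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[label] = obj
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[label] = obj
    decisions = {}
    for label, cert in certs.items():
        t = trust.get(label)
        if t is None or t.get("CKA_TRUST_SERVER_AUTH") != SERVER_AUTH_TRUSTED:
            decisions[label] = "skipped: not a server-auth trust anchor"
            continue
        cutoff = parse_distrust_after(cert.get("CKA_NSS_SERVER_DISTRUST_AFTER"))
        if cutoff is not None and cutoff <= now:
            decisions[label] = f"skipped: not trusted anymore (server distrust after {cutoff.date()})"
            continue
        decisions[label] = "included"
    return decisions


def tls_roots_on(certdata_text, iso_date):
    """Evaluate the bundle as of a YYYY-MM-DD date, interpreted as UTC."""
    now = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return select_tls_roots(certdata_text, now)


# Constructed, abbreviated bundle: real files also carry CKA_VALUE and hash bodies.
SAMPLE_CERTDATA = r"""
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\060\060\060\060\060\060\132
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_DELEGATOR
"""

if __name__ == "__main__":
    for label, decision in tls_roots_on(SAMPLE_CERTDATA, "2025-01-24").items():
        print(f"{decision}: {label}")
```

The practical point for this issue is that a root removed at this stage leaves cacerts altogether, so a later JDK-side distrust check (the behaviour the Distrust test exercises) never runs for it; the validator fails earlier with "No trusted certificate found". Evaluating the same bundle as of a date before the cutoff (see the second date in the usage) shows the root flipping from skipped back to included, which is why the generator's build date matters as much as the certdata.txt revision.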

@jasonkatonica
Contributor

jasonkatonica commented Jan 28, 2025

Does this sdk produce same or different list?
https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk8u/job/jdk8u-linux-aarch64-temurin/482/artifact/workspace/target/OpenJDK8U-jdk_aarch64_linux_hotspot_2025-01-20-17-13.tar.gz

I was able to list the contents of the cacerts file on linux x86 platform even though the build is a linux aarch64 build. The contents listed seem to match what we have with the RC1 Semeru build ( Ignoring the creation dates for each trusted cert entry in the file ).

keytool -list -v -keystore /root/data/issue650_entrustdistrust/temurin-2025-01-20-17-13-jdk8u442-b05/jre/lib/security/cacerts > temurin-2025-01-20-17-13-jdk8u442-b05.txt 2>&1

temurin-2025-01-20-17-13-jdk8u442-b05.txt

This seems to be different than the Temurin GA build I downloaded earlier at https://adoptium.net/temurin/releases/?version=8 for linux x86.

@JasonFengJ9
Member Author

Also occurred at openjdk11_j9_extended.openjdk_aarch64_linux

@AdamBrousseau
Copy link
Contributor

Adopt is now using release branches for their infra code. As a result, they've built with an older level of cacerts
https://github.com/adoptium/temurin-build/blob/v2025.01.01/security/certdata.txt
vs
https://github.com/adoptium/temurin-build/blob/605f4cb/security/certdata.txt

@JasonFengJ9
Member Author

openjdk17_j9_extended.openjdk_aarch64_linux

[2025-01-28T17:56:13.488Z] variation: Mode150
[2025-01-28T17:56:13.488Z] JVM_OPTIONS:  -XX:+UseCompressedOops -Xverbosegclog

[2025-01-28T18:29:30.700Z] TEST: sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java

[2025-01-28T18:29:30.709Z] STDERR:
[2025-01-28T18:29:30.709Z] Testing entrustevca
[2025-01-28T18:29:30.709Z] Testing entrustrootcaec1
[2025-01-28T18:29:30.709Z] Testing entrustrootcag2
[2025-01-28T18:29:30.709Z] Testing entrustrootcag4
[2025-01-28T18:29:30.709Z] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[2025-01-28T18:29:30.709Z] 	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
[2025-01-28T18:29:30.709Z] 	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
[2025-01-28T18:29:30.709Z] 	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
[2025-01-28T18:29:30.709Z] 	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:242)
[2025-01-28T18:29:30.709Z] 	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
[2025-01-28T18:29:30.709Z] 	at Distrust.testTM(Distrust.java:125)
[2025-01-28T18:29:30.709Z] 	at Distrust.testCertificateChain(Distrust.java:82)
[2025-01-28T18:29:30.709Z] 	at Entrust.main(Entrust.java:66)
[2025-01-28T18:29:30.709Z] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2025-01-28T18:29:30.709Z] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2025-01-28T18:29:30.709Z] 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2025-01-28T18:29:30.710Z] 	at java.base/java.lang.reflect.Method.invoke(Method.java:575)
[2025-01-28T18:29:30.710Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2025-01-28T18:29:30.710Z] 	at java.base/java.lang.Thread.run(Thread.java:853)
[2025-01-28T18:29:30.710Z] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[2025-01-28T18:29:30.710Z] 	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
[2025-01-28T18:29:30.710Z] 	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
[2025-01-28T18:29:30.710Z] 	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
[2025-01-28T18:29:30.710Z] 	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
[2025-01-28T18:29:30.710Z] 	... 13 more
[2025-01-28T18:29:30.710Z] java.lang.RuntimeException: Unexpected exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[2025-01-28T18:29:30.710Z] 	at Distrust.testTM(Distrust.java:138)
[2025-01-28T18:29:30.710Z] 	at Distrust.testCertificateChain(Distrust.java:82)
[2025-01-28T18:29:30.710Z] 	at Entrust.main(Entrust.java:66)
[2025-01-28T18:29:30.710Z] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2025-01-28T18:29:30.710Z] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[2025-01-28T18:29:30.710Z] 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2025-01-28T18:29:30.710Z] 	at java.base/java.lang.reflect.Method.invoke(Method.java:575)
[2025-01-28T18:29:30.711Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2025-01-28T18:29:30.711Z] 	at java.base/java.lang.Thread.run(Thread.java:853)

[2025-01-28T18:43:04.647Z] jdk_security3_0_FAILED

@pshipton
Member

@jasonkatonica do you think we should be using the older level of cacerts to match Adoptium, or continue taking the latest?
