Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Certificate Tests fail in JDK 1.8.0_292 due to JDK bug #75571

Closed
pgomulka opened this issue Jul 21, 2021 · 9 comments
Closed

Security Certificate Tests fail in JDK 1.8.0_292 due to JDK bug #75571

pgomulka opened this issue Jul 21, 2021 · 9 comments
Assignees
Labels
:Delivery/Build Build or test infrastructure :Security/Security Security issues without another label Team:Delivery Meta label for Delivery team Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@pgomulka
Copy link
Contributor

pgomulka commented Jul 21, 2021

I (@tvernum) have renamed & updated this issue to be an umbrella issue for all occurrences of this particular problem.

JDK 1.8.0_292 is affected by https://bugs.openjdk.java.net/browse/JDK-8266279 which sometimes causes failures like:

 java.security.KeyStoreException: Key protection  algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede

Some of our tests that deal with X.509 certificates (e.g. TLS & SAML signing test cases) are failing due to this error.

Since this is a JDK bug that affects a specific build, is scheduled to be fixed in an upcoming release, we are actively muting the affect tests for that specific JDK build with:

        assumeFalse("JDK bug JDK-8266279, https://github.com/elastic/elasticsearch/issues/75571",
            "1.8.0_292".equals(System.getProperty("java.version")));

We're linking all of them to this issue so that we can find & handle all such test-mutes in bulk when the next JDK build is added to CI.

Because this is an issue for JDK8, it only affects 7.x and 6.8. We do not run CI for the master (8.0) branch on JDK8.

@pgomulka pgomulka added :Delivery/Build Build or test infrastructure >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Jul 21, 2021
@elasticmachine elasticmachine added Team:Delivery Meta label for Delivery team Team:Security Meta label for security team labels Jul 21, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@mark-vieira
Copy link
Contributor

Should we mute this given we are waiting on a new Java 8 JDK release?

@tvernum
Copy link
Contributor

tvernum commented Jul 26, 2021

I think we should mute them. My preference is to mute them (technically, assumeFalse) explicitly for the current JDK build so they turn on automatically when we run on a newer build, but I'm OK if we have some other way to track what needs to be turned back on when a new JDK8 build ships.

@mark-vieira
Copy link
Contributor

My preference is to mute them (technically, assumeFalse) explicitly for the current JDK build so they turn on automatically when we run on a newer build

👍 Is someone taking care of this?

@tvernum
Copy link
Contributor

tvernum commented Jul 27, 2021

I will open a PR today.

@tvernum tvernum self-assigned this Jul 27, 2021
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jul 27, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359
tvernum added a commit that referenced this issue Jul 27, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: #75571, #75417, #75379, #72639, #72359
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jul 27, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359
Backport of: elastic#75718
tvernum added a commit that referenced this issue Jul 27, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: #75571, #75417, #75379, #72639, #72359
Backport of: #75718
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jul 28, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359
Backport of: elastic#75718
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jul 28, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359
Backport of: elastic#75718
elasticsearchmachine pushed a commit that referenced this issue Jul 28, 2021
* Mute some security tests on problematic JDK8 build

This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: #75571, #75417, #75379, #72639, #72359
Backport of: #75718

* Fix import
elasticsearchmachine pushed a commit that referenced this issue Jul 28, 2021
This commit adds some `assumeFalse` (or modifies exising ones) to mute
tests on JDK 1.8.0_292 due to JDK-8266279

On this JDK build, a race condition sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as though it is unavailable.

Relates: #75571, #75417, #75379, #72639, #72359
Backport of: #75718
tvernum added a commit to tvernum/elasticsearch that referenced this issue Aug 3, 2021
JDK 1.8.0_292 has a race condition that sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as unavailable.

This change mutes additional tests on this JDK build

Relates: elastic#75952, elastic#75571, elastic#75718
@tvernum tvernum changed the title SamlRealmTests.testCreateEncryptionCredentialFromKeyStore fails in jdk8u292 Security Certificate Tests fail in JDK 1.8.0_292 due to JDK bug Aug 3, 2021
@tvernum
Copy link
Contributor

tvernum commented Aug 3, 2021

This was the original issue description


Looks like the problem will be fixed in latest jdk update
https://bugs.openjdk.java.net/browse/JDK-8266279
fails on jdk8.u292 in CI

Build scan:
https://gradle-enterprise.elastic.co/s/5s657scdqzsz2
Repro line:
./gradlew ':x-pack:plugin:security:unitTest' -Dtests.seed=9915999ED6C30B91 -Dtests.class=org.elasticsearch.xpack.security.authc.saml.SamlRealmTests -Dtests.method="testCreateSigningCredentialFromKeyStoreFailureScenarios" -Dtests.security.manager=true -Dtests.locale=ar-DZ -Dtests.timezone=Asia/Anadyr -Dcompiler.java=11 -Druntime.java=8
Reproduces locally?:
no
passes locally on adoptopenjdk 1.8.0_275
and passes locally on AdoptOpenJDK 1.8.0_292 [OpenJDK 64-Bit Server VM 25.292-b10]

Applicable branches:
6.8
Failure history:
https://build-stats.elastic.co/app/kibana#/discover?_g=(refreshInterval:(pause:!t,value:0),time:(from:now-30d,mode:quick,to:now))&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:b646ed00-7efc-11e8-bf69-63c8ef516157,key:process.status,negate:!f,params:(query:FAILURE,type:phrase),type:phrase,value:FAILURE),query:(match:(process.status:(query:FAILURE,type:phrase))))),index:b646ed00-7efc-11e8-bf69-63c8ef516157,interval:auto,query:(language:lucene,query:testCreateSigningCredentialFromKeyStoreFailureScenarios),sort:!(process.time-start,desc))

Failure excerpt:
| SamlRealmTests.testCreateEncryptionCredentialFromKeyStore <<< FAILURES!
10:56:41 > Throwable #1: java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
10:56:41 > at __randomizedtesting.SeedInfo.seed([9915999ED6C30B91:CD603BE1C03300AB]:0)
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:694)
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:594)
10:56:41 > at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
10:56:41 > at org.elasticsearch.xpack.security.authc.saml.SamlRealmTests.testCreateEncryptionCredentialFromKeyStore(SamlRealmTests.java:415)
10:56:41 > at java.lang.Thread.run(Thread.java:748)
10:56:41 > Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:938)
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:631)
10:56:41 > ... 40 more
10:56:41 > Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
10:56:41 > at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.mapPBEAlgorithmToOID(PKCS12KeyStore.java:955)
10:56:41 > at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:912)

tvernum added a commit that referenced this issue Aug 3, 2021
JDK 1.8.0_292 has a race condition that sometimes causes the
PBEWithSHA1AndDESede algorithm to appear as unavailable.

This change mutes additional tests on this JDK build

Relates: #75952, #75571, #75718
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Feb 15, 2022
We had muted specifc tests that were hit by JDK-8266279, by not
allowing the tests to run on Java 1.8.0_292. We have since upgraded
our Java 8 version in CI to Java 1.8.0_301 so the muting is
irrelevant and can be removed

Resolves elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359, elastic#75952, elastic#75718
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Feb 15, 2022
We had muted specific tests that were hit by JDK-8266279, by not
allowing the tests to run on Java 1.8.0_292. We have since upgraded
our Java 8 version in CI to Java 1.8.0_301 so the muting is
irrelevant and can be removed

Resolves elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359, elastic#75952, elastic#75718
@jkakavas
Copy link
Member

Fixed in later jdk8 version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Delivery/Build Build or test infrastructure :Security/Security Security issues without another label Team:Delivery Meta label for Delivery team Team:Security Meta label for security team >test-failure Triaged test failures from CI
Projects
None yet
Development

No branches or pull requests

5 participants