Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Quarkus 1.11.0.Final, bouncycastle-fips-jsse module #197

Closed
Karm opened this issue Jan 21, 2021 · 3 comments
Closed

Quarkus 1.11.0.Final, bouncycastle-fips-jsse module #197

Karm opened this issue Jan 21, 2021 · 3 comments
Labels

Comments

@Karm
Copy link
Collaborator

Karm commented Jan 21, 2021

Hello, looking at the ts results, it seems we are having an issue with sun.security.provider.NativePRNG$Blocking init. The area of seed init etc. is notorious, so I believe this might be more on the Graal/Mandrel side of things. Let's close this and reopen on Quarkus side if you feel differently.

[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] Running Quarkus native-image plugin on GraalVM Version 21.0.0.0.Final (Mandrel Distribution) (Java Version 11.0.10+9)
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] /home/jenkins/jenkins/workspace/mandrel-linux-quarkus-tests/99e406d2/archive/mandrel-java11-21.0.0.0.Final/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dsun.nio.ch.maxUpdateArraySize=100 -J-Dio.netty.leakDetection.level=DISABLED -J-Dio.netty.allocator.maxOrder=1 -J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory -J-Dvertx.disableDnsResolver=true -J-Duser.language=en -J-Dfile.encoding=UTF-8 -H:IncludeResources=.*.jks --initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy\$BySpaceAndTime -H:+JNI -H:+AllowFoldMethods -jar quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner.jar -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:-AddAllCharsets -H:EnableURLProtocols=http,https --enable-all-security-services -H:NativeLinkerOption=-no-pie -H:-UseServiceLoaderFeature -H:+StackTrace quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]    classlist:   2,323.48 ms,  0.96 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]        (cap):     617.39 ms,  1.19 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]        setup:   2,141.59 ms,  1.19 GB
14:30:41,955 INFO  [org.bou.jss.pro.PropertyUtils] Found boolean security property [keystore.type.compat]: true
14:30:43,153 INFO  [org.bou.jss.pro.ProvKeyManagerFactorySpi] Initializing empty key store
14:30:43,155 INFO  [org.bou.jss.pro.ProvTrustManagerFactorySpi] Initializing with trust store at path: /home/jenkins/jenkins/workspace/mandrel-linux-quarkus-tests/99e406d2/archive/mandrel-java11-21.0.0.0.Final/lib/security/cacerts
14:30:43,160 INFO  [org.bou.jss.pro.PropertyUtils] Found string security property [jdk.tls.disabledAlgorithms]: SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
14:30:43,161 WARNING [org.bou.jss.pro.DisabledAlgorithmConstraints] Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': include jdk.disabled.namedCurves
14:30:43,161 INFO  [org.bou.jss.pro.PropertyUtils] Found string security property [jdk.certpath.disabledAlgorithms]: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves
14:30:43,161 WARNING [org.bou.jss.pro.DisabledAlgorithmConstraints] Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 jdkCA & usage TLSServer
14:30:43,161 WARNING [org.bou.jss.pro.DisabledAlgorithmConstraints] Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': include jdk.disabled.namedCurves
14:30:55,111 INFO  [org.jbo.threads] JBoss Threads version 3.2.0.Final
14:30:58,729 INFO  [org.bou.jss.pro.ProvTrustManagerFactorySpi] Initializing with trust store at path: /home/jenkins/jenkins/workspace/mandrel-linux-quarkus-tests/99e406d2/archive/mandrel-java11-21.0.0.0.Final/lib/security/cacerts
14:30:59,314 INFO  [org.bou.jss.pro.ProvTrustManagerFactorySpi] Initializing with trust store at path: /home/jenkins/jenkins/workspace/mandrel-linux-quarkus-tests/99e406d2/archive/mandrel-java11-21.0.0.0.Final/lib/security/cacerts
14:30:59,948 INFO  [org.bou.jss.pro.ProvTrustManagerFactorySpi] Initializing with trust store at path: /home/jenkins/jenkins/workspace/mandrel-linux-quarkus-tests/99e406d2/archive/mandrel-java11-21.0.0.0.Final/lib/security/cacerts
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]     (clinit):     927.70 ms,  5.03 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]   (typeflow):  17,583.47 ms,  5.03 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]    (objects):  31,775.90 ms,  5.03 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]   (features):   1,301.85 ms,  5.03 GB
[quarkus-integration-test-bouncycastle-fips-jsse-1.11.0.Final-runner:339455]     analysis:  52,823.90 ms,  5.03 GB
Error: No instances of sun.security.provider.NativePRNG$Blocking are allowed in the image heap as this class should be initialized at image runtime. To see how this object got instantiated use --trace-object-instantiation=sun.security.provider.NativePRNG$Blocking.
Detailed message:
Trace: Object was reached by 
	reading field java.security.SecureRandom.secureRandomSpi of
		constant java.security.SecureRandom@5e195751 reached by 
	reading field org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.entropySource of
		constant org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider@161149b2 reached by 
	reading field sun.security.jca.ProviderConfig.provider of
		constant sun.security.jca.ProviderConfig@29e76ef5 reached by 
	indexing into array
		constant sun.security.jca.ProviderConfig[]@6632c104 reached by 
	reading field sun.security.jca.ProviderList.configs of
		constant sun.security.jca.ProviderList@3644b6eb reached by 
	reading field sun.security.jca.Providers.providerList

com.oracle.svm.core.util.UserError$UserException: No instances of sun.security.provider.NativePRNG$Blocking are allowed in the image heap as this class should be initialized at image runtime. To see how this object got instantiated use --trace-object-instantiation=sun.security.provider.NativePRNG$Blocking.
Detailed message:
Trace: Object was reached by 
	reading field java.security.SecureRandom.secureRandomSpi of
		constant java.security.SecureRandom@5e195751 reached by 
	reading field org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.entropySource of
		constant org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider@161149b2 reached by 
	reading field sun.security.jca.ProviderConfig.provider of
		constant sun.security.jca.ProviderConfig@29e76ef5 reached by 
	indexing into array
		constant sun.security.jca.ProviderConfig[]@6632c104 reached by 
	reading field sun.security.jca.ProviderList.configs of
		constant sun.security.jca.ProviderList@3644b6eb reached by 
	reading field sun.security.jca.Providers.providerList

	at com.oracle.svm.core.util.UserError.abort(UserError.java:82)
	at com.oracle.svm.hosted.FallbackFeature.reportAsFallback(FallbackFeature.java:233)
	at com.oracle.svm.hosted.NativeImageGenerator.runPointsToAnalysis(NativeImageGenerator.java:773)
	at com.oracle.svm.hosted.NativeImageGenerator.doRun(NativeImageGenerator.java:563)
	at com.oracle.svm.hosted.NativeImageGenerator.lambda$run$0(NativeImageGenerator.java:476)
	at java.base/java.util.concurrent.ForkJoinTask$AdaptedRunnableAction.exec(ForkJoinTask.java:1407)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
Caused by: com.oracle.graal.pointsto.constraints.UnsupportedFeatureException: No instances of sun.security.provider.NativePRNG$Blocking are allowed in the image heap as this class should be initialized at image runtime. To see how this object got instantiated use --trace-object-instantiation=sun.security.provider.NativePRNG$Blocking.
Detailed message:
Trace: Object was reached by 
	reading field java.security.SecureRandom.secureRandomSpi of
		constant java.security.SecureRandom@5e195751 reached by 
	reading field org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.entropySource of
		constant org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider@161149b2 reached by 
	reading field sun.security.jca.ProviderConfig.provider of
		constant sun.security.jca.ProviderConfig@29e76ef5 reached by 
	indexing into array
		constant sun.security.jca.ProviderConfig[]@6632c104 reached by 
	reading field sun.security.jca.ProviderList.configs of
		constant sun.security.jca.ProviderList@3644b6eb reached by 
	reading field sun.security.jca.Providers.providerList

	at com.oracle.graal.pointsto.constraints.UnsupportedFeatures.report(UnsupportedFeatures.java:126)
	at com.oracle.svm.hosted.NativeImageGenerator.runPointsToAnalysis(NativeImageGenerator.java:770)
	... 8 more
Error: Image build request failed with exit status 1
@Karm Karm added bug Something isn't working affects/21.0 labels Jan 21, 2021
@Karm Karm added this to the 21.0.0.0.Final milestone Jan 21, 2021
@zakkak
Copy link
Collaborator

zakkak commented Jan 21, 2021

It's failing on 20.3 as well.

@zakkak zakkak removed this from the 21.0.0.0.Final milestone Jan 21, 2021
@zakkak
Copy link
Collaborator

zakkak commented Jan 21, 2021

Note however that the test is not enabled in the Quarkus TS on GH and it looks like it doesn't work in native mode.

Testing locally with GraalVM CE 20.3.0 I get the same result, so this doesn't look like a Mandrel issue.

To reproduce run:

wget https://github.com/quarkusio/quarkus/archive/1.11.0.Final.tar.gz
tar xf 1.11.0.Final.tar.gz
cd quarkus-1.11.0.Final
./mvnw package -Dnative -Dnative.surefire.skip \
  -Dquarkus.native.container-runtime=podman \
  -Dquarkus.native.container-build=true \
  -pl integration-tests/bouncycastle-fips-jsse

@Karm Karm changed the title Quarkus 1.11.0.Final, bouncycastle-fips-jsse module, Mandrel 21.0 Quarkus 1.11.0.Final, bouncycastle-fips-jsse module Jan 22, 2021
@github-actions
Copy link

This issue appears to be stale because it has been open 30 days with no activity. This issue will be closed in 7 days unless Stale label is removed, a new comment is made, or not-Stale label is added.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants