
TS failure: io.quarkus.grpc.examples.hello.HelloWorld*Tls* fail: Algorithm constraints check failed SHA1withRSA #23149

Closed
Karm opened this issue Jan 24, 2022 · 6 comments · Fixed by #23190
Assignees
Labels
area/grpc gRPC area/kubernetes area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar kind/bug Something isn't working
Milestone

Comments

@Karm
Member

Karm commented Jan 24, 2022

Describe the bug

These tests io.quarkus.grpc.examples.hello.HelloWorld*Tls* pass on RHEL 8 while they fail on RHEL 9, with the same Quarkus and Mandrel (Java) version used. NSS version / crypto policy thing likely? We might need to ditch SHA1withRSA as dated... @sberyozkin WDYT?

While using Mandrel, this is not native specific.

Expected behavior

These tests pass the same way as they pass on RHEL 8:

io.quarkus.grpc.examples.hello.HelloWorldMutualTlsEndpointTest.testHelloWorldServiceUsingBlockingStub
io.quarkus.grpc.examples.hello.HelloWorldMutualTlsEndpointTest.testHelloWorldServiceUsingMutinyStub
io.quarkus.grpc.examples.hello.HelloWorldMutualTlsServiceTest.testHelloWorldServiceUsingBlockingStub
io.quarkus.grpc.examples.hello.HelloWorldMutualTlsServiceTest.testHelloWorldServiceUsingMutinyStub
io.quarkus.grpc.examples.hello.HelloWorldTlsEndpointTest.testHelloWorldServiceUsingBlockingStub
io.quarkus.grpc.examples.hello.HelloWorldTlsEndpointTest.testHelloWorldServiceUsingMutinyStub
io.quarkus.grpc.examples.hello.HelloWorldTlsServiceTest.testHelloWorldServiceUsingBlockingStub
io.quarkus.grpc.examples.hello.HelloWorldTlsServiceTest.testHelloWorldServiceUsingMutinyStub

Actual behavior

All aforementioned tests fail with the undesirable algorithm as the cause, e.g.

2022-01-21 12:49:09,456 INFO  [io.quarkus] (main) Quarkus 2.7.0.CR1 on JVM started in 2.350s. Listening on: http://localhost:8081
2022-01-21 12:49:09,457 INFO  [io.quarkus] (main) Profile test activated. 
2022-01-21 12:49:09,457 INFO  [io.quarkus] (main) Installed features: [cdi, grpc-client, grpc-server, resteasy, resteasy-mutiny, smallrye-context-propagation, vertx]
2022-01-21 12:49:11,150 ERROR [io.qua.grp.run.sto.GrpcLoadBalancerProvider] (grpc-nio-worker-ELG-2-3) gRPC Sub Channel failed: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
	at io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1785)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
	... 12 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
	... 18 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	... 23 more

How to Reproduce?

./mvnw install -Dquickly
./mvnw verify -f integration-tests/pom.xml --fail-at-end --batch-mode -Dno-format -DfailIfNoTests=false -Dnative -pl '!bouncycastle-fips-jsse,!container-image/quarkus-standard-way,!devtools,!google-cloud-functions,!google-cloud-functions-http,!gradle,!kubernetes-client,!kubernetes/maven-invoker-way,!maven,!mongodb-rest-data-panache,!smallrye-opentracing'

Output of uname -a or ver

RHEL 9

Output of java -version

Java Version 11.0.14+9-LTS

GraalVM version (if different from Java)

native-image 21.3.1.0 Mandrel Distribution

Quarkus version or git rev

2.7.0.CR1

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@Karm Karm added the kind/bug Something isn't working label Jan 24, 2022
@quarkus-bot

quarkus-bot bot commented Jan 24, 2022

@Karm Karm removed the area/mandrel label Jan 24, 2022
@sberyozkin
Member

Perhaps the keys used by these tests should be regenerated using SHA256withRSA ?

@stuartwdouglas
Member

That does not sound like the algorithm is missing though, CertPathValidatorException sounds like the self signed cert cannot be validated.

@sberyozkin
Member

sberyozkin commented Jan 25, 2022

Yeah, it is not missing but it may be now disabled at the policy level as Karm suggested, a similar error is discussed at https://stackoverflow.com/questions/21218217/ssl-handshake-exception-algorithm-constraints-check-failed-md5withrsa

@Karm Karm self-assigned this Jan 25, 2022
@Karm
Member Author

Karm commented Jan 25, 2022

I will generate new ones and see how the rest of the toolchain down the rabbit hole likes it.

@cescoffier
Member

@Karm there are READMEs with the instructions to regenerate the files. From what I can see, it just uses the default algorithm (nothing odd), but maybe the default when I generated them was not right.
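The failure above is a certificate-path check, not a missing cipher: the JDK (or the platform crypto policy that edits its java.security) refuses to validate a chain whose certificates are signed with a disabled digest. A cheap way to catch that before regenerating test keys and re-running a whole integration suite is to read the outer signatureAlgorithm of each certificate and compare its digest against the disabled list. The following is an added example, not code from the Quarkus project or from anyone on this thread. It parses only the DER framing (skipping the TBSCertificate body), accepts PEM or DER, and uses a constructed cert builder to produce sample inputs; the OID table and the DISABLED_DIGESTS set are assumptions, the real list lives in the jdk.certpath.disabledAlgorithms property of your java.security file.

```python
import base64
import re

# Assumed mapping from signatureAlgorithm OIDs to the names the JDK prints
# (the error on this issue reads "SHA1withRSA"). Only common ones are listed.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
    "1.2.840.10045.4.3.3": "SHA384withECDSA",
}

# Constructed stand-in for the digests a crypto policy disables for cert paths;
# read the real list from jdk.certpath.disabledAlgorithms in java.security.
DISABLED_DIGESTS = {"MD2", "MD5", "SHA1"}


def _read_tlv(buf, pos, expected_tag):
    """Parse one DER TLV at pos, check its tag, return (value_start, value_end)."""
    if buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (DER: definite, minimal)
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def _to_der(cert):
    """Accept PEM (str or bytes) or raw DER and return DER bytes."""
    if isinstance(cert, str):
        cert = cert.encode()
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----(BEGIN|END)[^-]*-----", b"", cert)
        return base64.b64decode(b"".join(body.split()))
    return cert


def signature_algorithm(cert):
    """Return the dotted OID of the outer signatureAlgorithm of an X.509 certificate."""
    der = _to_der(cert)
    pos, _ = _read_tlv(der, 0, 0x30)                       # Certificate ::= SEQUENCE
    _, tbs_end = _read_tlv(der, pos, 0x30)                 # tbsCertificate, skipped whole
    alg_start, _ = _read_tlv(der, tbs_end, 0x30)           # signatureAlgorithm (AlgorithmIdentifier)
    oid_start, oid_end = _read_tlv(der, alg_start, 0x06)   # algorithm OBJECT IDENTIFIER
    return _decode_oid(der[oid_start:oid_end])


def check_certificate(cert, disabled=DISABLED_DIGESTS):
    """Return (jdk_style_name, allowed); unknown OIDs are reported by OID and left allowed."""
    oid = signature_algorithm(cert)
    name = SIG_ALG_OIDS.get(oid, oid)
    digest = name.split("with", 1)[0].upper() if "with" in name else ""
    return name, digest not in disabled


def _der(tag, content):
    """Minimal DER TLV encoder, used only to construct the sample certificate below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid, pem=False):
    """Constructed sample: Certificate-shaped DER with a dummy TBS and signature but a real AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                                  # placeholder, not a real TBS
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))   # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(32))                                  # dummy BIT STRING
    der = _der(0x30, tbs + alg + sig)
    if not pem:
        return der
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, ok = check_certificate(make_sample_cert(oid, pem=True))
        print(f"{name}: {'allowed' if ok else 'DISABLED by policy'}")
```

Pointing check_certificate at the PEM files under a test resources directory (read the bytes and pass them in) tells you which ones a SHA1-rejecting policy will refuse before any handshake runs; a chain is only as acceptable as its weakest signature, so check the CA certificate too, not just the leaf. To compare against the policy actually in force, print Security.getProperty("jdk.certpath.disabledAlgorithms") from the same JDK the tests run on, since distributions such as RHEL 9 rewrite that property through their system crypto policy.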

@quarkus-bot quarkus-bot bot added this to the 2.8 - main milestone Jan 25, 2022
@gsmet gsmet modified the milestones: 2.8 - main, 2.7.0.Final Jan 25, 2022
@Karm Karm added the area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar label Feb 24, 2022
5 participants