8308592: Framework for CA interoperability testing

[gnu-andrew]

Hi all,

This pull request contains a backport of commit da57d2a1 from the openjdk/jdk repository.

The commit being backported was authored by Rajan Halade on 19 Sep 2023 and was reviewed by Sean Mullan. It was backported to 17u on 2023-09-28 and 11u on 2023-10-11

It reworks the certificate tests to use test portals rather than having to maintain copies of the certificates in the OpenJDK repository and so should reduce the maintenance cost of these tests going forward. The fix has already been backported to 21u and Oracle-17u.

There were conflicts in the removals of ActalisCA.java, BuypassCA.java, LetsEncryptCA.java and QuoVadisCA.java, due to changes not in 8u. For the first of these, we backported JDK-8297955 (see #388) as it also contains a code change. As the other three are only test changes, we assumed these bugs to be resolved by the replacement of the individual tests with CAInterop.java.

The ValidatePathWithURL.java class had to be modified slightly to work with the 8u cacerts. These changes were based on the existing ValidatePathWithParams.java.

All tests pass with the exception of the OCSP case of certignarootca. This fails with Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder. While not ideal, I don't think this is an issue with the testing backport so I'd suggest we look into this and fix it later, while getting this in so that pending certificate updates can go in. It seems to be 8u specific (the case passed on 11u). The CRL case does pass as does CertignaCA.java (not sure why there are two tests for this one).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• JDK-8272708 needs maintainer approval
• Change must not contain extraneous whitespace
• JDK-8288132 needs maintainer approval
• Commit message must refer to an issue
• JDK-8268678 needs maintainer approval
• JDK-8270280 needs maintainer approval
• JDK-8308592 needs maintainer approval

Issues

• JDK-8308592: Framework for CA interoperability testing (Enhancement - P3 - Approved)
• JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled (Bug - P4 - Approved)
• JDK-8288132: Update test artifacts in QuoVadis CA interop tests (Bug - P3 - Approved)
• JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired (Bug - P3 - Approved)
• JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error (Bug - P4 - Approved)

Reviewers

• Severin Gehwolf (@jerboaa - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/390/head:pull/390
$ git checkout pull/390

Update a local copy of the PR:
$ git checkout pull/390
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/390/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 390

View PR using the GUI difftool:
$ git pr show -t 390

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/390.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back andrew! A progress list of the required criteria for merging this PR into pr/389 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[gnu-andrew]

/issue add 8272708,8288132,8268678,8270280

[openjdk]

@gnu-andrew
Adding additional issue to issue list: 8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled.

Adding additional issue to issue list: 8288132: Update test artifacts in QuoVadis CA interop tests.

Adding additional issue to issue list: 8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired.

Adding additional issue to issue list: 8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error.

[gnu-andrew]

Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
Test results: passed: 36; failed: 1

[mlbridge]

Webrevs

• 03: Full - Incremental (1c96da7e)
• 02: Full (04ae02cb)
• 01: Full - Incremental (0dc8bad2)
• 00: Full (0dc8bad2)

[jerboaa]

This looks good. The reason why certignarootca test fails is the different defaults for jdk.tls.client.enableStatusRequestExtension between JDK 11 and JDK 8 in SSLContextImpl.java. The former has it set to true the latter to false as per the TLS 1.3 backport to 8. Without it the ClientHello won't have the status_request extension, which is required for the test to pass.

I suggest to set this to true in the affected test only (or set it to true globally in CAInterop.java). Either way I'd include this in this backport.

[openjdk]

@gnu-andrew this pull request can not be integrated into pr/389 due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout JDK-8308592
git fetch https://git.openjdk.org/jdk8u-dev.git pr/389
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge pr/389"
git push

[openjdk-notifier]

The parent pull request that this pull request depends on has now been integrated and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork:

git checkout JDK-8308592
git fetch https://git.openjdk.org/jdk8u-dev.git master
git merge FETCH_HEAD
# if there are conflicts, follow the instructions given by git merge
git commit -m "Merge master"
git push

[openjdk]

@gnu-andrew Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

[gnu-andrew]

This looks good. The reason why certignarootca test fails is the different defaults for jdk.tls.client.enableStatusRequestExtension between JDK 11 and JDK 8 in SSLContextImpl.java. The former has it set to true the latter to false as per the TLS 1.3 backport to 8. Without it the ClientHello won't have the status_request extension, which is required for the test to pass.

I suggest to set this to true in the affected test only (or set it to true globally in CAInterop.java). Either way I'd include this in this backport.

Good catch. Looks like all tests pass with this enabled in ValidatePathWithURL.java

Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
Test results: passed: 37

[gnu-andrew]

@gnu-andrew Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

Yeah, I'm not going to merge over half a dozen commits manually, bot, when Git is smart enough to match them against the ones you pushed to 8u-dev and just drop them.

[jerboaa]

LGTM.

[openjdk]

⚠️ @gnu-andrew This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[gnu-andrew]

/approval request This change reworks the certificate tests to use test portals rather than having to maintain copies of the certificates in the OpenJDK repository and so should reduce the maintenance cost of these tests going forward. The fix has already been backported to the other LTS JDKs (11u, 17u, 21u). The backport required manually removing some tests which were not in their latest versions, a couple of dependent backports to provide us with SkippedException and a passing Actalis test, and 8u-specific modifications (change of cacerts location and type, enable jdk.tls.client.enableStatusRequestExtension). All tests passed successfully.

[openjdk]

@gnu-andrew
8308592: The approval request has been created successfully.
8272708: The approval request has been created successfully.
8288132: The approval request has been created successfully.
8268678: The approval request has been created successfully.
8270280: The approval request has been created successfully.

[jerboaa]

/approve yes

[openjdk]

@jerboaa
8308592: The approval request has been approved.
8272708: The approval request has been approved.
8288132: The approval request has been approved.
8268678: The approval request has been approved.
8270280: The approval request has been approved.

[openjdk]

@gnu-andrew This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8308592: Framework for CA interoperability testing
8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
8288132: Update test artifacts in QuoVadis CA interop tests
8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error

Reviewed-by: sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[jerboaa]

@gnu-andrew Could you please integrate this? Thanks!

[gnu-andrew]

Thought I had, sorry.
/integrate

[openjdk]

Going to push as commit b610be3.
Since your change was applied there have been 2 commits pushed to the master branch:

• b05e679: 8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
• 8cf7c96: 8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios

Your commit was automatically rebased without conflicts.

[openjdk]

@gnu-andrew Pushed as commit b610be3.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.