You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Rainer Jung <ra...@kippdata.de> on 2022/05/12 19:13:13 UTC
New test in TestPEMFile fails ...
... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and
10.0.21, platform various Linuxes and also Solaris Sparc. It does not
fail for Java 11 and also not for Oracle Java 1.8.0 331.
Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile
Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec
Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec
Testcase: testKeyEncryptedPkcs8 took 0.196 sec
Caused an ERROR
Cannot retrieve the PKCS8EncodedKeySpec
java.security.spec.InvalidKeySpecException: Cannot retrieve the
PKCS8EncodedKeySpec
at
javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258)
at
org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:143)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
at
org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74)
at
org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69)
at
org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64)
Caused by: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during
decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
at
com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
at
com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323)
at javax.crypto.Cipher.doFinal(Cipher.java:2168)
at
javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253)
Testcase: testKeyPkcs1 took 0.004 sec
Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec
Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec
Best regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Rainer Jung <ra...@kippdata.de>.
Am 13.05.2022 um 15:20 schrieb Mark Thomas:
> On 13/05/2022 12:16, Mark Thomas wrote:
>> This looks like a bug to me.
>
> Confirmed. It is this one:
> https://bugs.openjdk.java.net/browse/JDK-8245169
>
> This has been fixed in jdk8u-dev as part of this issue:
> https://bugs.openjdk.java.net/browse/JDK-8076190
>
> The merged PR is this one:
> https://git.openjdk.java.net/jdk8u-dev/pull/12
>
> on 17 March 2022.
>
> jdk8u342b00 was tagged on 28/02/2022 so it didn't include that fix.
>
> The issue has the jdk8u-fix-yes tag so it should be pulled in for 342b01.
>
> I don't see anything more we can do at this point apart from wait for
> the next release.
+1, great investigation!
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Mark Thomas <ma...@apache.org>.
On 13/05/2022 12:16, Mark Thomas wrote:
> This looks like a bug to me.
Confirmed. It is this one:
https://bugs.openjdk.java.net/browse/JDK-8245169
This has been fixed in jdk8u-dev as part of this issue:
https://bugs.openjdk.java.net/browse/JDK-8076190
The merged PR is this one:
https://git.openjdk.java.net/jdk8u-dev/pull/12
on 17 March 2022.
jdk8u342b00 was tagged on 28/02/2022 so it didn't include that fix.
The issue has the jdk8u-fix-yes tag so it should be pulled in for 342b01.
I don't see anything more we can do at this point apart from wait for
the next release.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Mark Thomas <ma...@apache.org>.
On 13/05/2022 10:15, Mark Thomas wrote:
> To add my results:
>
> Linux
> - Oracle 1.8.0
> - 321 passes
> - 331 passes
> - 333 passes
> - Temurin 1.8.0
> - 312 fails
> - 332 fails
> - Temurin 11
> - 11.0.15 passes
>
> Adding these to Rainer's results, it looks like this feature depends on
> something in Java 8 that is Oracle specific and not part of the open
> source distributions until Java 11 (or maybe 9).
>
> I'll see if I can figure out exactly what is going wrong and if there is
> a way to get this working with the open source Java 8 releases.
This looks like a bug to me.
With Temurin JDK 8 302_b08 the test fails at line 204 with:
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag
= 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:320)
at
com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:151)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:133)
t sun.security.x509.AlgorithmId.parse(AlgorithmId.java:413)
at
javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
at
org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:204)
With Temurin JDK 8 302_b08 the test fails at line 212 with:
java.security.spec.InvalidKeySpecException: Cannot retrieve the
PKCS8EncodedKeySpec
at
javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258)
at
org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212)
The issue is that the wrong algorithm is identified. It should be
PBEWithHmacSHA256AndAES_256 but the Temurin JDK selects
PBEWithHmacSHA1AndAES_256.
I think things are going wrong back at line 204. I'm still digging for
the root cause.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Mark Thomas <ma...@apache.org>.
To add my results:
Linux
- Oracle 1.8.0
- 321 passes
- 331 passes
- 333 passes
- Temurin 1.8.0
- 312 fails
- 332 fails
- Temurin 11
- 11.0.15 passes
Adding these to Rainer's results, it looks like this feature depends on
something in Java 8 that is Oracle specific and not part of the open
source distributions until Java 11 (or maybe 9).
I'll see if I can figure out exactly what is going wrong and if there is
a way to get this working with the open source Java 8 releases.
Mark
On 13/05/2022 09:32, Mark Thomas wrote:
> On 12/05/2022 23:25, Rainer Jung wrote:
>> Am 12.05.2022 um 22:57 schrieb Rémy Maucherat:
>>> On Thu, May 12, 2022 at 9:14 PM Rainer Jung <ra...@kippdata.de>
>>> wrote:
>>>>
>>>> ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63
>>>> and
>>>> 10.0.21, platform various Linuxes and also Solaris Sparc. It does not
>>>> fail for Java 11 and also not for Oracle Java 1.8.0 331.
>>>
>>> The funny thing is it is the support that was already there in PEMFile
>>> that is failing, and that code is apparently completely unchanged.
>>>
>>> So I don't quite understand or maybe it simply never worked (I don't
>>> know the reason why obviously) as the test was not there before.
>>
>> That's likely. I didn't yet have the opportunity to run the test with
>> older versions, but like you I don't see an obvious reason, why the
>> problem should be new.
>
> I was going to see if I can figure out what is going on with this today.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Mark Thomas <ma...@apache.org>.
On 12/05/2022 23:25, Rainer Jung wrote:
> Am 12.05.2022 um 22:57 schrieb Rémy Maucherat:
>> On Thu, May 12, 2022 at 9:14 PM Rainer Jung <ra...@kippdata.de>
>> wrote:
>>>
>>> ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and
>>> 10.0.21, platform various Linuxes and also Solaris Sparc. It does not
>>> fail for Java 11 and also not for Oracle Java 1.8.0 331.
>>
>> The funny thing is it is the support that was already there in PEMFile
>> that is failing, and that code is apparently completely unchanged.
>>
>> So I don't quite understand or maybe it simply never worked (I don't
>> know the reason why obviously) as the test was not there before.
>
> That's likely. I didn't yet have the opportunity to run the test with
> older versions, but like you I don't see an obvious reason, why the
> problem should be new.
I was going to see if I can figure out what is going on with this today.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Rainer Jung <ra...@kippdata.de>.
Am 12.05.2022 um 22:57 schrieb Rémy Maucherat:
> On Thu, May 12, 2022 at 9:14 PM Rainer Jung <ra...@kippdata.de> wrote:
>>
>> ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and
>> 10.0.21, platform various Linuxes and also Solaris Sparc. It does not
>> fail for Java 11 and also not for Oracle Java 1.8.0 331.
>
> The funny thing is it is the support that was already there in PEMFile
> that is failing, and that code is apparently completely unchanged.
>
> So I don't quite understand or maybe it simply never worked (I don't
> know the reason why obviously) as the test was not there before.
That's likely. I didn't yet have the opportunity to run the test with
older versions, but like you I don't see an obvious reason, why the
problem should be new.
Best regards,
Rainer
> Rémy
>
>> Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile
>> Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec
>>
>> Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec
>> Testcase: testKeyEncryptedPkcs8 took 0.196 sec
>> Caused an ERROR
>> Cannot retrieve the PKCS8EncodedKeySpec
>> java.security.spec.InvalidKeySpecException: Cannot retrieve the
>> PKCS8EncodedKeySpec
>> at
>> javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258)
>> at
>> org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212)
>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:143)
>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
>> at
>> org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74)
>> at
>> org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69)
>> at
>> org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64)
>> Caused by: javax.crypto.BadPaddingException: Given final block not
>> properly padded. Such issues can arise if a bad key is used during
>> decryption.
>> at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
>> at
>> com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
>> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
>> at
>> com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323)
>> at javax.crypto.Cipher.doFinal(Cipher.java:2168)
>> at
>> javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253)
>>
>> Testcase: testKeyPkcs1 took 0.004 sec
>> Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec
>> Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec
>>
>> Best regards,
>>
>> Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: New test in TestPEMFile fails ...
Posted by Rémy Maucherat <re...@apache.org>.
On Thu, May 12, 2022 at 9:14 PM Rainer Jung <ra...@kippdata.de> wrote:
>
> ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and
> 10.0.21, platform various Linuxes and also Solaris Sparc. It does not
> fail for Java 11 and also not for Oracle Java 1.8.0 331.
The funny thing is it is the support that was already there in PEMFile
that is failing, and that code is apparently completely unchanged.
So I don't quite understand or maybe it simply never worked (I don't
know the reason why obviously) as the test was not there before.
Rémy
> Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile
> Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec
>
> Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec
> Testcase: testKeyEncryptedPkcs8 took 0.196 sec
> Caused an ERROR
> Cannot retrieve the PKCS8EncodedKeySpec
> java.security.spec.InvalidKeySpecException: Cannot retrieve the
> PKCS8EncodedKeySpec
> at
> javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258)
> at
> org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:143)
> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
> at
> org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74)
> at
> org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69)
> at
> org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64)
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded. Such issues can arise if a bad key is used during
> decryption.
> at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
> at
> com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
> at
> com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323)
> at javax.crypto.Cipher.doFinal(Cipher.java:2168)
> at
> javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253)
>
> Testcase: testKeyPkcs1 took 0.004 sec
> Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec
> Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec
>
> Best regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org