[PATCH FOR REVIEW]: Improve error output for NSS provider
Hi,

I'm trying to debug an issue with the NSS provider crashing on a number of JTreg tests. See http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=469

I found a couple of issues in doing so:

* The stack trace is incomplete as a couple of exceptions are thrown using only the message without including the cause
* The NSS wrapper can't handle a couple of newer NSS error codes

This patch:

http://cr.openjdk.java.net/~andrew/nss/webrev.01/jdk.patch

fixes both issues and extends:

    java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
        at ReadCertificates.readCertificates(ReadCertificates.java:51)
        at ReadCertificates.main(ReadCertificates.java:86)
        at PKCS11Test.premain(PKCS11Test.java:79)
        at PKCS11Test.testDefault(PKCS11Test.java:113)
        at PKCS11Test.main(PKCS11Test.java:86)
        at ReadCertificates.main(ReadCertificates.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
        at java.lang.Thread.run(Thread.java:636)
    Caused by: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509Key.parse(X509Key.java:174)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        ... 17 more

with:

    Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        ... 20 more
    Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        ... 21 more
    Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
        ... 23 more
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:229)
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:103)
        ... 24 more

allowing the native NSS error to be seen.

Ok to push to tl? If so, can I have a bug ID for this change?

Thanks,
--
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
hg: jdk7/tl/jdk: 6942707: nwe Big5.map for HKSCS2008 missed 5 codepoints
Changeset: 507cd94489e7
Author:    sherman
Date:      2010-04-12 10:57 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/507cd94489e7

6942707: nwe Big5.map for HKSCS2008 missed 5 codepoints
Summary: updated the Big5.map table to add 5 entries
Reviewed-by: okutsu

- make/tools/CharsetMapping/Big5.c2b
! make/tools/CharsetMapping/Big5.map
hg: jdk7/tl/jdk: 2 new changesets
Changeset: 6b641c576e77
Author:    valeriep
Date:      2010-04-07 17:20 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6b641c576e77

6918573: sun.security.pkcs11.P11RSACipher.finalize() is a scalability blocker
Summary: Removed the finalize() methods and use PhantomReference in Session to do auto clean up.
Reviewed-by: wetmore

! src/share/classes/sun/security/pkcs11/P11Cipher.java
! src/share/classes/sun/security/pkcs11/P11Digest.java
! src/share/classes/sun/security/pkcs11/P11Key.java
! src/share/classes/sun/security/pkcs11/P11Mac.java
! src/share/classes/sun/security/pkcs11/P11RSACipher.java
! src/share/classes/sun/security/pkcs11/P11Signature.java
! src/share/classes/sun/security/pkcs11/Session.java
! src/share/classes/sun/security/pkcs11/SessionManager.java

Changeset: a45217204978
Author:    valeriep
Date:      2010-04-12 15:53 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/a45217204978

Merge

- make/tools/CharsetMapping/Big5.c2b
Re: CR 6939248/7 Created, P4 java/classes_secu Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly
Hi Xuelei and Sean

Please take a review on the fix for OpenJDK:

http://cr.openjdk.java.net/~weijun/6939248/webrev.00

Note that I've added some checks:

1. response cert null check
2. extension isCritical check

About the test:

1. Since keytool can now generate extensions, binary keystore is changed to scripts and now moved from closed test to open
2. -J-Djava.security.egd=file:/dev/./urandom is added to jarsigner so that it does not hang on Linux

Thanks
Max

> *Synopsis*: Jarsigner can't extract Extended Key Usage from Timestamp Reply
> currectly
>
> *Change Request ID*: 6939248/7
>
> === *Description*
> PKCS #7 block includes a set of certificates and several signerinfos. To
> locate the certificate for a given signer, one should first look for a
> reference in the signerinfo, and then try to locate one in the certificates
> set.
>
> Currently, jarsigner, when validating certificate for a timestamping service,
> simply looks for a non-CA cert inside the certificate set. This is not
> correct.
>
> *** (#1 of 1): 2010-04-12 07:04:14 GMT+00:00 weijun.w...@sun.com
Re: CR 6939248/7 Created, P4 java/classes_secu Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly
Looks fine to me.

Xuelei

On 4/13/2010 10:47 AM, Weijun Wang wrote:
> Hi Xuelei and Sean
>
> Please take a review on the fix for OpenJDK:
>
> http://cr.openjdk.java.net/~weijun/6939248/webrev.00
>
> Note that I've added some checks:
>
> 1. response cert null check
> 2. extension isCritical check
>
> About the test:
>
> 1. Since keytool can now generate extensions, binary keystore is changed to
> scripts and now moved from closed test to open
> 2. -J-Djava.security.egd=file:/dev/./urandom is added to jarsigner so that it
> does not hang on Linux
>
> Thanks
> Max
>
>> *Synopsis*: Jarsigner can't extract Extended Key Usage from Timestamp Reply
>> currectly
>>
>> *Change Request ID*: 6939248/7
>>
>> === *Description*
>>
>> PKCS #7 block includes a set of certificates and several signerinfos. To
>> locate the certificate for a given signer, one should first look for a
>> reference in the signerinfo, and then try to locate one in the certificates
>> set.
>>
>> Currently, jarsigner, when validating certificate for a timestamping
>> service, simply looks for a non-CA cert inside the certificate set. This is
>> not correct.
>>
>> *** (#1 of 1): 2010-04-12 07:04:14 GMT+00:00 weijun.w...@sun.com
>
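
The signer-certificate lookup described in the CR quoted above, as an added example that is not part of the thread or of the JDK fix: a simplified Java model contrasting the "first non-CA cert" heuristic with matching on the reference carried in the signerinfo. The `Cert` and `SignerRef` records, all names and all values are constructed for illustration, and records assume Java 16 or later.

```java
import java.math.BigInteger;
import java.util.List;
import java.util.Optional;

// Simplified model, constructed for illustration: not the JDK's PKCS #7 classes.
public class SignerCertLookup {
    // The certificate fields that matter for this lookup.
    record Cert(String issuer, BigInteger serial, String subject, boolean isCa) {}
    // The issuer-and-serial reference carried in a PKCS #7 signerinfo.
    record SignerRef(String issuer, BigInteger serial) {}

    // Heuristic the CR describes as incorrect: take the first non-CA certificate.
    static Optional<Cert> firstNonCa(List<Cert> certs) {
        return certs.stream().filter(c -> !c.isCa()).findFirst();
    }

    // Lookup the CR calls for: follow the signerinfo reference into the set.
    // Real code compares issuers as X.500 names, not as raw strings.
    static Optional<Cert> bySignerRef(List<Cert> certs, SignerRef ref) {
        return certs.stream()
                .filter(c -> c.issuer().equals(ref.issuer())
                        && c.serial().equals(ref.serial()))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed certificate set: two end-entity certs plus the issuing CA.
        List<Cert> certs = List.of(
                new Cert("CN=Example CA", BigInteger.valueOf(7), "CN=Other Service", false),
                new Cert("CN=Example CA", BigInteger.valueOf(9), "CN=Example TSA", false),
                new Cert("CN=Example CA", BigInteger.valueOf(1), "CN=Example CA", true));
        // The timestamp token's signerinfo points at serial 9.
        SignerRef tsaSigner = new SignerRef("CN=Example CA", BigInteger.valueOf(9));

        // The heuristic returns whichever non-CA cert happens to come first.
        System.out.println("heuristic:    "
                + firstNonCa(certs).map(Cert::subject).orElse("none"));

        // A missing signer cert is an error, not a reason to fall back to a guess.
        Cert signer = bySignerRef(certs, tsaSigner).orElseThrow(
                () -> new IllegalStateException("signer certificate not in set"));
        System.out.println("by reference: " + signer.subject());
    }
}
```

With more than one non-CA certificate in the set, the heuristic's answer depends on ordering, so any Extended Key Usage check that follows may be applied to a certificate that did not sign the timestamp.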