build failure with openjdk-17 #1298

Closed
jvermillard opened this issue Aug 25, 2022 · 12 comments · Fixed by #1299

@jvermillard
Contributor

Using latest Debian 11 java17 :

java --version                                                                                                                                                 leshan/git/master 
openjdk 17.0.4 2022-07-19
OpenJDK Runtime Environment (build 17.0.4+8-Debian-1deb11u1)
OpenJDK 64-Bit Server VM (build 17.0.4+8-Debian-1deb11u1, mixed mode, sharing)

I have some tests failing, example:

[ERROR] Failures: 
[ERROR]   LeshanServerBuilderTest.create_server_without_psk_cipher:134
[ERROR]   LeshanBootstrapServerBuilderTest.create_server_without_psk_cipher:207

Logs for LeshanBootstrapServerBuilderTest.create_server_without_psk_cipher

11:17:45.739 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/0-1_1.xml
11:17:45.855 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/0.xml
11:17:46.033 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/1-1_0.xml
11:17:46.118 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/1-1_1.xml
11:17:46.274 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/2-1_0.xml
11:17:46.338 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/2.xml
11:17:46.403 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/3-1_0.xml
11:17:46.552 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/3-1_1.xml
11:17:46.694 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/3.xml
11:17:46.831 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/4-1_0.xml
11:17:46.921 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/4-1_1.xml
11:17:47.022 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/4-1_2.xml
11:17:47.121 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/4.xml
11:17:47.226 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/5-1_0.xml
11:17:47.317 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/5.xml
11:17:47.430 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/6.xml
11:17:47.507 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/7.xml
11:17:47.591 [main] DEBUG org.eclipse.leshan.core.model.DDFFileParser - Parsing DDF file /models/21.xml
11:17:51.088 [main] WARN org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilder - Unable to create DTLS config and so secured endpoint.
java.lang.IllegalStateException: EC key pair is not valid!
	at org.eclipse.californium.scandium.dtls.x509.SingleCertificateProvider.setupConfigurationHelper(SingleCertificateProvider.java:198)
	at org.eclipse.californium.scandium.config.DtlsConnectorConfig$Builder.build(DtlsConnectorConfig.java:2324)
	at org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilder.build(LeshanBootstrapServerBuilder.java:557)
	at org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilderTest.create_server_without_psk_cipher(LeshanBootstrapServerBuilderTest.java:206)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:89)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:40)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:529)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:756)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:452)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:210)
11:17:51.346 [main] INFO org.eclipse.californium.core.network.RandomTokenGenerator - using tokens of 8 bytes in length
11:17:51.772 [main] DEBUG org.eclipse.californium.core.network.InMemoryMessageExchangeStore - [LWM2M BS Server-coap://] using TokenProvider org.eclipse.californium.core.network.RandomTokenGenerator
11:17:52.149 [main] INFO org.eclipse.californium.ban - Started.
11:17:52.204 [main] INFO org.eclipse.californium.core.network.CoapEndpoint - [LWM2M BS Server-coap://] CoapEndpoint uses udp context
11:17:52.749 [main] INFO org.eclipse.californium.core.network.stack.BlockwiseLayer - [LWM2M BS Server-coap://] BlockwiseLayer uses MAX_MESSAGE_SIZE=1024, PREFERRED_BLOCK_SIZE=512, BLOCKWISE_STATUS_LIFETIME=300000, MAX_RESOURCE_BODY_SIZE=8192, BLOCKWISE_STRICT_BLOCK2_OPTION=false
@jvermillard jvermillard added the bug Dysfunctionnal behavior label Aug 25, 2022
@sbernard31
Contributor

This makes me think of eclipse-californium/californium#2040 (comment)

But I don't know how this could be linked to java 17 🤔

@jvermillard
Contributor Author

I tested building Cf and I have somewhat the same prob

@jvermillard
Contributor Author

not the second time I build it 🤯

@jvermillard
Contributor Author

ok looks like it is related, I'll take a look

@sbernard31
Contributor

Tested on my machine, I get the same error with openjdk 17.

Tried to debug it, but the error is raised by the JDK.
Of course, the only difference I see is that in one case SunEC version 17 is used and in the other one SunEC version 1.8.

So:

  • either californium doesn't use the java API correctly but I didn't find where for now.
  • or my way to create private / public key is not good.
  • or a bug in jdk 17 ?

@jvermillard
Contributor Author

diff --git a/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/LeshanServerBuilderTest.java b/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/LeshanServerBuilderTest.java
index 9496b709..c6690c4c 100644
--- a/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/LeshanServerBuilderTest.java
+++ b/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/LeshanServerBuilderTest.java
@@ -18,25 +18,17 @@ package org.eclipse.leshan.server.californium;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 
-import java.math.BigInteger;
-import java.security.AlgorithmParameters;
-import java.security.KeyFactory;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.spec.ECGenParameterSpec;
-import java.security.spec.ECParameterSpec;
-import java.security.spec.ECPoint;
-import java.security.spec.ECPrivateKeySpec;
-import java.security.spec.ECPublicKeySpec;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.InvalidParameterSpecException;
-import java.security.spec.KeySpec;
 
 import org.eclipse.californium.elements.config.Configuration;
 import org.eclipse.californium.scandium.config.DtlsConfig;
 import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
-import org.eclipse.leshan.core.util.Hex;
 import org.eclipse.leshan.server.security.InMemorySecurityStore;
 import org.junit.Before;
 import org.junit.Test;
@@ -50,28 +42,12 @@ public class LeshanServerBuilderTest {
 
     public LeshanServerBuilderTest() {
         try {
-            // Get point values
-            byte[] publicX = Hex
-                    .decodeHex("89c048261979208666f2bfb188be1968fc9021c416ce12828c06f4e314c167b5".toCharArray());
-            byte[] publicY = Hex
-                    .decodeHex("cbf1eb7587f08e01688d9ada4be859137ca49f79394bad9179326b3090967b68".toCharArray());
-            byte[] privateS = Hex
-                    .decodeHex("e67b68d2aaeb6550f19d98cade3ad62b39532e02e6b422e1f7ea189dabaea5d2".toCharArray());
-
-            // Get Elliptic Curve Parameter spec for secp256r1
-            AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC");
-            algoParameters.init(new ECGenParameterSpec("secp256r1"));
-            ECParameterSpec parameterSpec = algoParameters.getParameterSpec(ECParameterSpec.class);
-
-            // Create key specs
-            KeySpec publicKeySpec = new ECPublicKeySpec(new ECPoint(new BigInteger(publicX), new BigInteger(publicY)),
-                    parameterSpec);
-            KeySpec privateKeySpec = new ECPrivateKeySpec(new BigInteger(privateS), parameterSpec);
-
-            // Get keys
-            publicKey = KeyFactory.getInstance("EC").generatePublic(publicKeySpec);
-            privateKey = KeyFactory.getInstance("EC").generatePrivate(privateKeySpec);
-        } catch (InvalidKeySpecException | NoSuchAlgorithmException | InvalidParameterSpecException e) {
+            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
+            g.initialize(new ECGenParameterSpec("secp256r1"));
+            KeyPair keyPair = g.generateKeyPair();
+            publicKey = keyPair.getPublic();
+            privateKey = keyPair.getPrivate();
+        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
             throw new IllegalStateException("Unable to create private/public keys for tests");
         }
     }
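Review bot: in the LeshanServerBuilderTest constructor, replacing the fixed secp256r1 values with KeyPairGenerator output gives a different key pair on every run and no longer goes through the ECPublicKeySpec / ECPrivateKeySpec construction that was being rejected, so the tests pass without establishing why the hard-coded key was invalid. If a reproducible fixed key is still wanted, keep it and correct how the values are turned into BigInteger instead. Separately, the unchanged line "throw new IllegalStateException("Unable to create private/public keys for tests");" drops the caught exception; pass e as the cause so the underlying failure shows up in the test output.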
diff --git a/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilderTest.java b/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilderTest.java
index 25acc4d6..527bd1b6 100644
--- a/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilderTest.java
+++ b/leshan-server-cf/src/test/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilderTest.java
@@ -18,20 +18,13 @@ package org.eclipse.leshan.server.californium.bootstrap;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 
-import java.math.BigInteger;
-import java.security.AlgorithmParameters;
-import java.security.KeyFactory;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.spec.ECGenParameterSpec;
-import java.security.spec.ECParameterSpec;
-import java.security.spec.ECPoint;
-import java.security.spec.ECPrivateKeySpec;
-import java.security.spec.ECPublicKeySpec;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.InvalidParameterSpecException;
-import java.security.spec.KeySpec;
 import java.util.Iterator;
 
 import org.eclipse.californium.elements.config.Configuration;
@@ -39,7 +32,6 @@ import org.eclipse.californium.scandium.config.DtlsConfig;
 import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
 import org.eclipse.leshan.core.oscore.OscoreIdentity;
 import org.eclipse.leshan.core.request.Identity;
-import org.eclipse.leshan.core.util.Hex;
 import org.eclipse.leshan.server.bootstrap.BootstrapConfig;
 import org.eclipse.leshan.server.bootstrap.BootstrapConfigStore;
 import org.eclipse.leshan.server.bootstrap.BootstrapSession;
@@ -59,28 +51,12 @@ public class LeshanBootstrapServerBuilderTest {
 
     public LeshanBootstrapServerBuilderTest() {
         try {
-            // Get point values
-            byte[] publicX = Hex
-                    .decodeHex("89c048261979208666f2bfb188be1968fc9021c416ce12828c06f4e314c167b5".toCharArray());
-            byte[] publicY = Hex
-                    .decodeHex("cbf1eb7587f08e01688d9ada4be859137ca49f79394bad9179326b3090967b68".toCharArray());
-            byte[] privateS = Hex
-                    .decodeHex("e67b68d2aaeb6550f19d98cade3ad62b39532e02e6b422e1f7ea189dabaea5d2".toCharArray());
-
-            // Get Elliptic Curve Parameter spec for secp256r1
-            AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC");
-            algoParameters.init(new ECGenParameterSpec("secp256r1"));
-            ECParameterSpec parameterSpec = algoParameters.getParameterSpec(ECParameterSpec.class);
-
-            // Create key specs
-            KeySpec publicKeySpec = new ECPublicKeySpec(new ECPoint(new BigInteger(publicX), new BigInteger(publicY)),
-                    parameterSpec);
-            KeySpec privateKeySpec = new ECPrivateKeySpec(new BigInteger(privateS), parameterSpec);
-
-            // Get keys
-            publicKey = KeyFactory.getInstance("EC").generatePublic(publicKeySpec);
-            privateKey = KeyFactory.getInstance("EC").generatePrivate(privateKeySpec);
-        } catch (InvalidKeySpecException | NoSuchAlgorithmException | InvalidParameterSpecException e) {
+            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
+            g.initialize(new ECGenParameterSpec("secp256r1"));
+            KeyPair keyPair = g.generateKeyPair();
+            publicKey = keyPair.getPublic();
+            privateKey = keyPair.getPrivate();
+        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
             throw new IllegalStateException("Unable to create private/public keys for tests");
         }
     }
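Review bot: the constructor body here is a verbatim copy of the key-generation block in LeshanServerBuilderTest, so the two copies can drift apart; move it into a shared test helper that returns the KeyPair and call it from both classes. The catch block at "throw new IllegalStateException(...)" also discards e here and should pass it as the cause.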

@jvermillard
Contributor Author

this fixes the issue for those 2 tests, but we also have the problem in the integration tests, which use the same hardcoded key

maybe a PR if the eclipse staff manage to change my email address ❓ 😂 😹

@sbernard31
Contributor

sbernard31 commented Aug 25, 2022

Yep but I would like to better understand why the previous way doesn't work anymore 🤔

@jvermillard
Contributor Author

I guess it's the result of this fix: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)

@sbernard31
Contributor

sbernard31 commented Aug 25, 2022

So finally, we (mainly @boaks) guess the issue is that some of our EC points created with:

 // Get point values
byte[] publicX = Hex
        .decodeHex("fcc28728c123b155be410fc1c0651da374fc6ebe7f96606e90d927d188894a73".toCharArray());
byte[] publicY = Hex
        .decodeHex("d2ffaa73957d76984633fc1cc54d0b763ca0559a9dff9706e9f4557dacc3f52a".toCharArray());
byte[] privateS = Hex
        .decodeHex("1dae121ba406802ef07c193c1ee4df91115aabd79c1ed7f4c0ef7ef6a5449400".toCharArray());

// Get Elliptic Curve Parameter spec for secp256r1
AlgorithmParameters algoParameters = AlgorithmParameters.getInstance("EC");
algoParameters.init(new ECGenParameterSpec("secp256r1"));
ECParameterSpec parameterSpec = algoParameters.getParameterSpec(ECParameterSpec.class);

// Create key specs
KeySpec publicKeySpec = new ECPublicKeySpec(new ECPoint(new BigInteger(publicX), new BigInteger(publicY)),
        parameterSpec);
KeySpec privateKeySpec = new ECPrivateKeySpec(new BigInteger(privateS), parameterSpec);

have negative coordinates.

But EC uses positive numbers.

So the right way to create the BigInteger should be:

-new BigInteger(publicX)
+new BigInteger(1, publicX)

A question remains: why does this fail only with openjdk 15 or later?
Probably because of: https://bugs.openjdk.org/browse/JDK-8183666

More details at : eclipse-californium/californium#2040 (comment)

Thx @boaks for your help.
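
The sign issue described in the comment above, as an added example that is not code from this issue or from Leshan: it builds the quoted X and Y coordinates with both BigInteger constructors and checks each result against the secp256r1 curve equation. The class name EcCoordinateSign and the helpers hex and isOnCurve are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.EllipticCurve;

public class EcCoordinateSign {

    // Minimal hex decoder so the example runs on both Java 8 and Java 17.
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // True when 0 <= x, y < p and y^2 == x^3 + a*x + b (mod p).
    static boolean isOnCurve(BigInteger x, BigInteger y, EllipticCurve curve) {
        BigInteger p = ((ECFieldFp) curve.getField()).getP();
        if (x.signum() < 0 || y.signum() < 0 || x.compareTo(p) >= 0 || y.compareTo(p) >= 0) {
            return false; // coordinates must be field elements
        }
        BigInteger lhs = y.multiply(y).mod(p);
        BigInteger rhs = x.multiply(x).add(curve.getA()).multiply(x).add(curve.getB()).mod(p);
        return lhs.equals(rhs);
    }

    public static void main(String[] args) throws Exception {
        // Coordinates quoted in the comment above.
        byte[] publicX = hex("fcc28728c123b155be410fc1c0651da374fc6ebe7f96606e90d927d188894a73");
        byte[] publicY = hex("d2ffaa73957d76984633fc1cc54d0b763ca0559a9dff9706e9f4557dacc3f52a");

        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec("secp256r1"));
        EllipticCurve curve = params.getParameterSpec(ECParameterSpec.class).getCurve();

        // new BigInteger(byte[]) reads two's complement: a first byte >= 0x80 gives a negative value.
        BigInteger xSigned = new BigInteger(publicX);
        BigInteger ySigned = new BigInteger(publicY);
        // new BigInteger(1, byte[]) reads the bytes as an unsigned magnitude.
        BigInteger xUnsigned = new BigInteger(1, publicX);
        BigInteger yUnsigned = new BigInteger(1, publicY);

        System.out.println("signed   signum x=" + xSigned.signum() + " y=" + ySigned.signum());
        System.out.println("unsigned signum x=" + xUnsigned.signum() + " y=" + yUnsigned.signum());
        System.out.println("x values differ by 2^256: "
                + xUnsigned.subtract(xSigned).equals(BigInteger.ONE.shiftLeft(256)));
        System.out.println("signed pair on curve:   " + isOnCurve(xSigned, ySigned, curve));
        System.out.println("unsigned pair on curve: " + isOnCurve(xUnsigned, yUnsigned, curve));
    }
}
```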

@sbernard31
Contributor

It should be fixed by #1299

@jvermillard
Contributor Author

it is fixed, thanks
