
Windows Embedded JDK is not able to use Windows certificate keystore (Windows-Root) #15305

Closed
foxandi opened this issue Apr 21, 2022 · 2 comments
Labels: area-Windows (Windows-specific issues and feature requests), P2 (We'll consider working on this in future. Assignee optional), team-OSS (Issues for the Bazel OSS team: installation, release process, Bazel packaging, website), type: feature request

Comments

foxandi (Contributor) commented Apr 21, 2022

Description of the feature request:

Enable using the Windows host keystore for certificates instead of the keystore of the bundled JDK.

To achieve this, the module jdk.crypto.mscapi needs to be added to the Windows minimal embedded JDK.
This module (Windows-specific) is required to access the truststore of Windows, which in turn allows using the host's keystore by adding startup --host_jvm_args=-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT.
Without this module the startup option results in an exception when creating the SSLContext on Bazel startup (see attached log output).

Adding the module increases the embedded JDK's size by ~38kb.

What underlying problem are you trying to solve with this feature?

Allow usage of (self-)signed or enterprise root certificates (SSL) for e.g. remote-cache servers, where the signing certificate is not part of the embedded JDK's truststore but part of the Windows host's truststore.

Which operating system are you running Bazel on?

Windows 10

What is the output of bazel info release?

release 5.1.1

Have you found anything relevant by searching the web?

https://groups.google.com/g/bazel-discuss/c/qeZwI_BUa8w
https://stackoverflow.com/questions/69971542/ssl-access-failure
#5741

Any other information, logs, or outputs that you want to share?

220421 09:40:44.057:I 22 [com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec] Exit status was DetailedExitCode{exitCode=BLAZE_INTERNAL_ERROR, failureDetail=message: "Crashed: (java.lang.RuntimeException) javax.net.ssl.SSLException: unable to setup trustmanager, (javax.net.ssl.SSLException) unable to setup trustmanager, (java.security.KeyStoreException) problem accessing trust store, (java.security.KeyStoreException) WINDOWS-ROOT not found, (java.security.NoSuchAlgorithmException) WINDOWS-ROOT KeyStore not available"
crash {
  causes {
    throwable_class: "java.lang.RuntimeException"
    message: "javax.net.ssl.SSLException: unable to setup trustmanager"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:117)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
    stack_trace: "io.grpc.Context$1.run(Context.java:579)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
    stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
  }
  causes {
    throwable_class: "javax.net.ssl.SSLException"
    message: "unable to setup trustmanager"
    stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:166)"
    stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
    stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
    stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
    stack_trace: "io.grpc.Context$1.run(Context.java:579)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
    stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
  }
  causes {
    throwable_class: "java.security.KeyStoreException"
    message: "problem accessing trust store"
    stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
    stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
    stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
    stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
    stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
    stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
    stack_trace: "io.grpc.Context$1.run(Context.java:579)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
    stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
  }
  causes {
    throwable_class: "java.security.KeyStoreException"
    message: "WINDOWS-ROOT not found"
    stack_trace: "java.base/java.security.KeyStore.getInstance(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
    stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
    stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
    stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
    stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
    stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
    stack_trace: "io.grpc.Context$1.run(Context.java:579)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
    stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
  }
  causes {
    throwable_class: "java.security.NoSuchAlgorithmException"
    message: "WINDOWS-ROOT KeyStore not available"
    stack_trace: "java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)"
    stack_trace: "java.base/java.security.Security.getImpl(Unknown Source)"
    stack_trace: "java.base/java.security.KeyStore.getInstance(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)"
    stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
    stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
    stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
    stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
    stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
    stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
    stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
    stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
    stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
    stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
    stack_trace: "io.grpc.Context$1.run(Context.java:579)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
    stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
    stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
  }
}
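The failure chain in the log above (KeyStoreException "WINDOWS-ROOT not found" wrapping NoSuchAlgorithmException "WINDOWS-ROOT KeyStore not available") is what KeyStore.getInstance produces when no registered provider offers the requested store type; on Windows the WINDOWS-ROOT and WINDOWS-MY types come from the SunMSCAPI provider, which lives in the jdk.crypto.mscapi module and is absent from a jlink image that did not include it. The probe below is an added example, not Bazel code or code from this issue: run it on the JVM in question with the same -Djavax.net.ssl.trustStoreType value you pass via --host_jvm_args, and it reports whether the module is in the boot layer, whether the provider is registered, and whether the store actually opens. The class name TrustStoreProbe is made up for this example; the module and provider names are the JDK's real ones. One caveat worth keeping in mind when adopting this setting: trustStoreType=WINDOWS-ROOT replaces the JDK's cacerts as the trust anchor set rather than merging with it, so whatever the Windows certificate store trusts (including roots pushed by an administrator or Group Policy) is exactly what Bazel's TLS connections will trust.

```java
// Added example (not part of Bazel): probe whether this JVM can open the trust
// store type selected by -Djavax.net.ssl.trustStoreType, and explain why not.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.Optional;

public class TrustStoreProbe {

    /** Module that ships the SunMSCAPI provider (WINDOWS-MY / WINDOWS-ROOT key stores). */
    static final String MSCAPI_MODULE = "jdk.crypto.mscapi";

    public static void main(String[] args) {
        // Same system property Bazel forwards via --host_jvm_args; falls back to the JDK default type.
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());

        // 1. Is the module linked into this runtime image at all?
        Optional<Module> mscapi = ModuleLayer.boot().findModule(MSCAPI_MODULE);
        System.out.println(MSCAPI_MODULE + " in boot layer: " + mscapi.isPresent());

        // 2. Is the provider registered? (null when the module is missing or the provider was removed)
        Provider sunMscapi = Security.getProvider("SunMSCAPI");
        System.out.println("SunMSCAPI provider registered: " + (sunMscapi != null));

        // 3. Does the requested store type actually open and contain trust anchors?
        try {
            KeyStore ks = KeyStore.getInstance(type);
            // The Windows-backed stores ignore stream and password; load(null, null) reads the OS store.
            ks.load(null, null);
            int anchors = 0;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                if (ks.isCertificateEntry(e.nextElement())) {
                    anchors++;
                }
            }
            System.out.printf("%s opened: %d entries, %d trusted-certificate entries%n",
                type, ks.size(), anchors);
        } catch (KeyStoreException e) {
            // This is the exception from the Bazel log: KeyStore.getInstance throws
            // KeyStoreException("<type> not found") with a NoSuchAlgorithmException cause
            // when no provider implements that key store type.
            System.err.println(type + " not usable: " + e.getMessage()
                + (e.getCause() != null ? " (cause: " + e.getCause() + ")" : ""));
            if (type.startsWith("WINDOWS-") && !mscapi.isPresent()) {
                System.err.println("-> this runtime image was linked without " + MSCAPI_MODULE
                    + "; use a full JDK (e.g. startup --server_javabase=...) or re-link it"
                    + " with jlink --add-modules " + MSCAPI_MODULE);
            }
            System.exit(1);
        } catch (Exception e) {
            // IOException / CertificateException / NoSuchAlgorithmException from load()
            System.err.println("failed to load " + type + ": " + e);
            System.exit(2);
        }
    }
}
```

Run it in single-file source mode (JDK 11 or newer) against the JVM Bazel's server uses, e.g. "$(bazel info java-home)/bin/java" -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT TrustStoreProbe.java; on an image without the module the first line prints false and the probe exits 1 with the same "WINDOWS-ROOT not found" message seen in the crash log. A quicker module-only check, without any code, is "$(bazel info java-home)/bin/java" --list-modules and looking for jdk.crypto.mscapi in the output.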
foxandi added a commit to foxandi/bazel that referenced this issue Apr 21, 2022
sgowroji added the labels type: feature request, area-Windows, untriaged and team-OSS on Apr 22, 2022
meteorcloudy added the P2 label and removed untriaged on Apr 22, 2022
foxandi added a commit to foxandi/bazel that referenced this issue Apr 26, 2022
ckolli5 pushed a commit that referenced this issue Apr 28, 2022
hacki11 commented Apr 4, 2023

I'm experiencing this issue with 6.1.0 again.
Using WINDOWS-ROOT as a trustStoreType results in

java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

which is in detail the same as initially mentioned:

trustStore type is: WINDOWS-ROOT
trustStore provider is:
the last modified time is: Fri Apr 01 15:32:27 CEST 2033
javax.net.ssl|DEBUG|01 2B|skyframe-evaluator-2|2023-04-04 16:33:48.723 CEST|null:-1|Reload the trust store
javax.net.ssl|DEBUG|01 2B|skyframe-evaluator-2|2023-04-04 16:33:48.725 CEST|null:-1|SunX509: skip default keystore (
"throwable" : {
  java.security.KeyStoreException: WINDOWS-ROOT not found
        at java.base/java.security.KeyStore.getInstance(Unknown Source)
        at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)
        at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)
        at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)
        at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)
        at java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)
        at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(Unknown Source)
        at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
        at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(Unknown Source)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
        at java.base/java.security.Provider.newInstanceUtil(Unknown Source)
        at java.base/java.security.Provider$Service.newInstance(Unknown Source)
        at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.base/javax.net.ssl.SSLContext.getInstance(Unknown Source)
        at java.base/javax.net.ssl.SSLContext.getDefault(Unknown Source)
        at java.base/javax.net.ssl.SSLSocketFactory.getDefault(Unknown Source)
        at java.base/javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(Unknown Source)
        at java.base/javax.net.ssl.HttpsURLConnection.<init>(Unknown Source)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(Unknown Source)
        at java.base/sun.net.www.protocol.https.Handler.openConnection(Unknown Source)
        at java.base/java.net.URL.openConnection(Unknown Source)
        at com.google.devtools.build.lib.bazel.repository.downloader.HttpConnector.connect(HttpConnector.java:113)
        at com.google.devtools.build.lib.bazel.repository.downloader.HttpConnectorMultiplexer.connect(HttpConnectorMultiplexer.java:107)
        at com.google.devtools.build.lib.bazel.repository.downloader.HttpDownloader.download(HttpDownloader.java:85)
        at com.google.devtools.build.lib.bazel.repository.downloader.DelegatingDownloader.download(DelegatingDownloader.java:62)
        at com.google.devtools.build.lib.bazel.repository.downloader.DownloadManager.download(DownloadManager.java:258)
        at com.google.devtools.build.lib.bazel.repository.starlark.StarlarkBaseExternalContext.downloadAndExtract(StarlarkBaseExternalContext.java:687)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at net.starlark.java.eval.MethodDescriptor.call(MethodDescriptor.java:162)
        at net.starlark.java.eval.BuiltinFunction.fastcall(BuiltinFunction.java:77)
        at net.starlark.java.eval.Starlark.fastcall(Starlark.java:638)
        at net.starlark.java.eval.Eval.evalCall(Eval.java:682)
        at net.starlark.java.eval.Eval.eval(Eval.java:497)
        at net.starlark.java.eval.Eval.execAssignment(Eval.java:109)
        at net.starlark.java.eval.Eval.exec(Eval.java:268)
        at net.starlark.java.eval.Eval.execStatements(Eval.java:82)
        at net.starlark.java.eval.Eval.execFunctionBody(Eval.java:66)
        at net.starlark.java.eval.StarlarkFunction.fastcall(StarlarkFunction.java:173)
        at net.starlark.java.eval.Starlark.fastcall(Starlark.java:638)
        at net.starlark.java.eval.Starlark.call(Starlark.java:604)
        at com.google.devtools.build.lib.bazel.repository.starlark.StarlarkRepositoryFunction.fetch(StarlarkRepositoryFunction.java:220)
        at com.google.devtools.build.lib.rules.repository.RepositoryDelegatorFunction.fetchRepository(RepositoryDelegatorFunction.java:413)
        at com.google.devtools.build.lib.rules.repository.RepositoryDelegatorFunction.compute(RepositoryDelegatorFunction.java:344)
        at com.google.devtools.build.skyframe.AbstractParallelEvaluator$Evaluate.run(AbstractParallelEvaluator.java:571)
        at com.google.devtools.build.lib.concurrent.AbstractQueueVisitor$WrappedRunnable.run(AbstractQueueVisitor.java:382)
        at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)
  Caused by: java.security.NoSuchAlgorithmException: WINDOWS-ROOT KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.base/java.security.Security.getImpl(Unknown Source)
        ... 58 more}

)

If I switch to my own JDK like

startup --server_javabase='C:/Program Files/Amazon Corretto/jdk17.0.2_8'

it is working well.

meteorcloudy (Member) commented:

/cc @comius @cushon
