CryptoTests SunMSCAPI failing on Windows due to Access is denied

[pshipton]

https://openj9-jenkins.osuosl.org/job/Test_openjdk8_j9_extended.functional_x86-32_windows_Nightly_testList_1/465 - win2012-x86-8
CryptoTests_0
cryptotest/tests/CipherTests.java

95)	SunMSCAPI: 	RSA~RSA	 (Cipher)
cryptotest.utils.AlgorithmRunException: java.security.ProviderException: java.security.KeyException: Access is denied.

failed to use: RSA from SunMSCAPI version 1.8
Failed
96)	SunMSCAPI: 	RSA/ECB/PKCS1Padding~RSA/ECB/PKCS1Padding	 (Cipher)
cryptotest.utils.AlgorithmRunException: java.security.ProviderException: java.security.KeyException: Access is denied.

failed to use: RSA/ECB/PKCS1Padding from SunMSCAPI version 1.8
Failed
Total checks: 97, failed: 2
2 Cipher failed
** failed runs: 2 **
java.lang.Exception: 95)	SunMSCAPI: 	RSA~RSA	 (Cipher)
	at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:83)
	at cryptotest.tests.CipherTests.main(CipherTests.java:72)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.lang.Thread.run(Thread.java:826)
Caused by: cryptotest.utils.AlgorithmRunException: java.security.ProviderException: java.security.KeyException: Access is denied.

	at cryptotest.tests.CipherTests.checkAlgorithm(CipherTests.java:141)
	at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:79)
	... 7 more
Caused by: java.security.ProviderException: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:126)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
	at java.security.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:470)
	at cryptotest.utils.KeysNaiveGenerator.getRsaKeyPair(KeysNaiveGenerator.java:165)
	at cryptotest.utils.KeysNaiveGenerator.getRsaPrivateKey(KeysNaiveGenerator.java:169)
	at cryptotest.tests.CipherTests.checkAlgorithm(CipherTests.java:89)
	... 8 more
Caused by: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateCKeyPair(Native Method)
	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:121)
	... 13 more
java.lang.Exception: 96)	SunMSCAPI: 	RSA/ECB/PKCS1Padding~RSA/ECB/PKCS1Padding	 (Cipher)
	at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:83)
	at cryptotest.tests.CipherTests.main(CipherTests.java:72)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.lang.Thread.run(Thread.java:826)
Caused by: cryptotest.utils.AlgorithmRunException: java.security.ProviderException: java.security.KeyException: Access is denied.

	at cryptotest.tests.CipherTests.checkAlgorithm(CipherTests.java:141)
	at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:79)
	... 7 more
Caused by: java.security.ProviderException: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:126)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
	at java.security.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:470)
	at cryptotest.utils.KeysNaiveGenerator.getRsaKeyPair(KeysNaiveGenerator.java:165)
	at cryptotest.utils.KeysNaiveGenerator.getRsaPrivateKey(KeysNaiveGenerator.java:169)
	at cryptotest.tests.CipherTests.checkAlgorithm(CipherTests.java:89)
	... 8 more
Caused by: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateCKeyPair(Native Method)
	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:121)
	... 13 more
** failed inits: 0 **
** error runs: 0 **

FAILED: cryptotest.tests.CipherTests

[pshipton]

@AdamBrousseau @vsebe it seems something changed on the Windows machine(s) to cause the "Access is denied". CryptoTests is a new test just added. If I find failures on other machines I'll add the details.

[pshipton]

https://openj9-jenkins.osuosl.org/job/Test_openjdk8_j9_extended.functional_x86-64_windows_Nightly_testList_0/455/ - win2012-x86-1
https://openj9-jenkins.osuosl.org/job/Test_openjdk11_j9_extended.functional_x86-64_windows_Nightly_testList_1/468/ - win2012-x86-8
https://openj9-jenkins.osuosl.org/job/Test_openjdk17_j9_extended.functional_x86-64_windows_Nightly_testList_0/418/ - win2019x64-openj9-5

[pshipton]

It seems CryptoTests is a new test just added.

[pshipton]

@llxia there are also problems running these tests at Adoptium.
i.e.
https://ci.adoptopenjdk.net/job/Test_openjdk17_hs_extended.functional_x86-64_windows/254/tapResults/

[llxia]

@sophia-guo could you please take a look? Thanks

[vsebe]

Recently added test, see adoptium/aqa-tests#4319
@llxia are there any settings required for this test?

[llxia]

Afaik, the CryptoTests is from https://github.com/rh-openjdk/CryptoTest. I am not aware of any specific settings. @sophia-guo Do you have any insights?

[pshipton]

I expect there are Windows machine requirements / permissions required to use SunMSCAPI. I believe there are other issues created about this for other related failures we have seen in the past. For example #12083

[pshipton]

There are other tests excluded that would fail with the same "Access is denied" problem.
https://openj9-jenkins.osuosl.org/job/Grinder_iteration_1/212/consoleFull

java/security/KeyPairGenerator/FinalizeHalf.java #12807 windows-all
java/security/Signature/ResetAfterException.java #12807 windows-all
java/security/Signature/SignatureLength.java #12807 windows-all

[llxia]

Adoptium issue adoptium/aqa-tests#4336

[JasonFengJ9]

The Access is denied is seen at JDK17 x86-64_windows

[2023-02-15T04:34:13.528Z] variation: NoOptions
[2023-02-15T04:34:13.983Z] JVM_OPTIONS:  

[2023-02-15T04:39:08.690Z] TEST: cryptotest/tests/CipherTests.java

[2023-02-15T04:39:08.693Z] Caused by: java.security.KeyException: error 5, Access is denied.
[2023-02-15T04:39:08.693Z] 
[2023-02-15T04:39:08.693Z] 	at jdk.crypto.mscapi/sun.security.mscapi.CKeyPairGenerator$RSA.generateCKeyPair(Native Method)
[2023-02-15T04:39:08.693Z] 	at jdk.crypto.mscapi/sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:121)
[2023-02-15T04:39:08.693Z] 	... 13 more
[2023-02-15T04:39:08.693Z] ** failed inits: 0 **
[2023-02-15T04:39:08.693Z] ** error runs: 0 **
[2023-02-15T04:39:08.693Z] 
[2023-02-15T04:39:08.693Z] FAILED: cryptotest.tests.CipherTests

[2023-02-15T04:56:22.663Z] TEST RESULT: Failed. Execution failed: `main' threw exception: java.lang.RuntimeException: Some tests failed: 4
[2023-02-15T04:56:22.663Z] --------------------------------------------------
[2023-02-15T04:56:22.663Z] Test results: passed: 26; failed: 5
[2023-02-15T04:56:22.663Z] Report written to C:\Users\jenkins\workspace\Test_openjdk17_j9_extended.functional_x86-64_windows_testList_2\aqa-tests\TKG\output_16764298524493\CryptoTests_0\report\html\report.html
[2023-02-15T04:56:22.663Z] Results written to C:\Users\jenkins\workspace\Test_openjdk17_j9_extended.functional_x86-64_windows_testList_2\aqa-tests\TKG\output_16764298524493\CryptoTests_0\work
[2023-02-15T04:56:22.663Z] Error: Some tests failed or other problems occurred.
[2023-02-15T04:56:22.663Z] -----------------------------------
[2023-02-15T04:56:22.663Z] CryptoTests_0_FAILED

[JasonFengJ9]

https://openj9-jenkins.osuosl.org/job/Test_openjdk8_j9_extended.functional_x86-64_windows_Nightly/471/tapResults/

at cryptotest.tests.SignatureTests.checkAlgorithm(SignatureTests.java:166)
	at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:79)
	... 8 more
Caused by: java.security.ProviderException: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:126)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
	at java.security.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:470)
	at cryptotest.utils.KeysNaiveGenerator.getRsaKeyPair(KeysNaiveGenerator.java:165)
	at cryptotest.utils.KeysNaiveGenerator.getRsaPrivateKey(KeysNaiveGenerator.java:169)
	at cryptotest.tests.SignatureTests.checkAlgorithm(SignatureTests.java:87)
	... 9 more
Caused by: java.security.KeyException: Access is denied.

	at sun.security.mscapi.CKeyPairGenerator$RSA.generateCKeyPair(Native Method)
	at sun.security.mscapi.CKeyPairGenerator$RSA.generateKeyPair(CKeyPairGenerator.java:121)
	... 14 more
** failed inits: 0 **

[AdamBrousseau]

The Adopt issue was resolved by fixes to the tests. Seems odd we are still seeing problems.

[pshipton]

The Adopt issue was resolved by fixes to the tests. Seems odd we are still seeing problems.

Where were the fixes made, at OpenJDK or in an Adopt mirror?

[pshipton]

For the record, the tests fail every night in OpenJ9 builds. I try to keep an eye out to see if they ever pass.

[pshipton]

I see fixes rh-openjdk/CryptoTest#36 and rh-openjdk/CryptoTest#37

It's still possible OpenJ9 machines don't have the required permissions and need to be updated to take advantage of the test fixes, considering the errors are "Access is denied".

[AdamBrousseau]

Does anyone from the test team know what permissions are needed?

[vsebe]

CryptoTests_0 grinder on /win2019x64-openj9-5 (added jenkins user to Admins):
https://openj9-jenkins.osuosl.org/job/Grinder/2109/testReport/

[zzambers]

I have only now discovered this.

There was one earlier SunMSCAPI keystores issue with permissions (may be related):
rh-openjdk/CryptoTest#36

In that case, after investigating upstream jtreg tests in jdk, I have found that testing some keystore "algortihms" was conditional based on permissions. (So I have done the same for keystore tests in Cryptotest). I'll take a look, if I can find something similar for SunMSCAPI KeyPairGenerators in jtreg tests in jdk.

I checked our tests in GH on windows with Temurin builds (8,11,17,20). Same tests passed there:

...
running: cryptotest.tests.CipherTests
...
126)	SunMSCAPI: 	RSA/ECB/PKCS1Padding~RSA/ECB/PKCS1Padding	 (Cipher)
Passed
127)	SunMSCAPI: 	RSA~RSA	 (Cipher)
Passed
...
running: cryptotest.tests.KeyPairGeneratorTests
...
34)	SunMSCAPI: 	RSA~RSA	 (KeyPairGenerator)
Passed
...

It is also interesting that this problem did not show up in aqa-tests issue which found the other issue.

[zzambers]

I have found RSAEncryptDecrypt test from jdk generates RSA KeyPair using SunMSCAPI provider (this is what throws exception in CryptoTest). But I don't see any special checks there. See:
JDK8:
https://github.com/openjdk/jdk8u-dev/blob/5dc33f2c9c4de56b76ee56a3526c2fa21394aea2/jdk/test/sun/security/mscapi/RSAEncryptDecrypt.java#L43
JDK:
https://github.com/openjdk/jdk/blob/695683b5b15c69a56fe7ee1a93482fe7c3530ca8/test/jdk/sun/security/mscapi/RSAEncryptDecrypt.java#L48

Can you please check if that test passes for you on that system?
Also is this issue JDK8 specific?

[pshipton]

The RSAEncryptDecrypt test is excluded for OpenJ9, against an issue that just basically says it didn't pass.
i.e. https://github.com/adoptium/aqa-tests/blob/master/openjdk/excludes/ProblemList_openjdk11-openj9.txt#L278

Failing jdk11 grinder running sun/security/mscapi/RSAEncryptDecrypt.java
https://openj9-jenkins.osuosl.org/view/Test/job/Grinder/2119/

The failures are not jdk8 specific, the CryptoTest on Windows fails on all versions.

https://openj9-jenkins.osuosl.org/job/Test_openjdk8_j9_extended.functional_x86-32_windows_Nightly_testList_1/496
https://openj9-jenkins.osuosl.org/job/Test_openjdk8_j9_extended.functional_x86-64_windows_Nightly_testList_0/485
https://openj9-jenkins.osuosl.org/job/Test_openjdk11_j9_extended.functional_x86-64_windows_Nightly_testList_1/498
https://openj9-jenkins.osuosl.org/job/Test_openjdk17_j9_extended.functional_x86-64_windows_Nightly_testList_0/448/

[zzambers]

RSAEncryptDecrypt failure on openjdk11-openj9 looks like the same issue as this one. Hmm, then It is probably issue specific to openj9 (or openj9 test infra), it does not seem Cryptotest would be doing something wrong. Thanks

Btw I was looking at problem list for openjdk8-openj9, and test is not there:
https://github.com/adoptium/aqa-tests/blob/master/openjdk/excludes/ProblemList_openjdk8-openj9.txt
Does it mean it passes on 8 or is it just not excluded there?

[pshipton]

I agree, it seems like a machine configuration issue.

The entire security3 suite is disabled on jdk8, which contains RSAEncryptDecrypt.

[zzambers]

I got one more idea. I have realized, that I can try to switch tests in github to use jdk with OpenJ9. From what setup-java action provides, adopt-openj9 and semeru seem to be openj9 based.

So I tried those:
adopt-openj9:
https://github.com/zzambers/CryptoTest/actions/runs/4547267758
semeru:
https://github.com/zzambers/CryptoTest/actions/runs/4547323054

Cryptotest passes everywhere on both distributions, including Windows.
(Ignore JDK Latest fails, because JDK20 is not available for these distributions.)

So it seems like infrastructure problem.

[vsebe]

CryptoTests_0 grinder (run as admin) on win2019x64-openj9-5 -

Caused by: cryptotest.utils.AlgorithmRunException: java.security.ProviderException: java.security.KeyException: Access is denied.

https://openj9-jenkins.osuosl.org/job/Grinder/2210/testReport/

[llxia]

PR for exclude the test on Windows: adoptium/aqa-tests#4528