JDK-8224954 : Test failures with NoSuchAlgorithmException: Unsupported mode GCM after JDK-8223482
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 13
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows
  • Submitted: 2019-05-29
  • Updated: 2019-08-14
  • Resolved: 2019-08-14
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 14
14Resolved
Related Reports
Relates :  
JDK-8224981 - Problemlist test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java
Relates :  
JDK-8223482 - Unsupported ciphersuites may be offered by a TLS client
Description
open/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java

Windows

----------System.err:(38/2918)----------
javax.net.ssl.SSLException: Algorithm missing:  
	at java.base/sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecProducer.produce(ChangeCipherSpec.java:105)
	at java.base/sun.security.ssl.Finished$T12FinishedProducer.onProduceFinished(Finished.java:395)
	at java.base/sun.security.ssl.Finished$T12FinishedProducer.produce(Finished.java:379)
	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
	at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:173)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1231)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1218)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:690)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1163)
	at FipsModeTLS12$testTLS12SunPKCS11Communication.runDelegatedTasks(FipsModeTLS12.java:370)
	at FipsModeTLS12$testTLS12SunPKCS11Communication.run(FipsModeTLS12.java:317)
	at FipsModeTLS12.main(FipsModeTLS12.java:99)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/GCM/NoPadding
	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:574)
	at java.base/sun.security.ssl.SSLCipher$T12GcmWriteCipherGenerator$GcmWriteCipher.<init>(SSLCipher.java:1725)
	at java.base/sun.security.ssl.SSLCipher$T12GcmWriteCipherGenerator.createCipher(SSLCipher.java:1707)
	at java.base/sun.security.ssl.SSLCipher.createWriteCipher(SSLCipher.java:565)
	at java.base/sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecProducer.produce(ChangeCipherSpec.java:99)
	... 19 more
Caused by: java.security.NoSuchAlgorithmException: Unsupported mode GCM
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher.engineSetMode(P11Cipher.java:214)
	at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:567)
	... 23 more
Comments
No an issue any more. The test case was removed from the problem list, and GCM is a part of the SunPKCS11 provider (See JDK-8080462).
14-08-2019
@John: no, this issue was not solved by JDK-8223482 (in fact, JDK-8223482 is previous to this one). This issue may have been solved (or, is going to be solved) by the support of GCM in SunPKCS11.
18-07-2019
sun/security/pkcs11/tls/tls12/FipsModeTLS12.java passes with jdk13+23 on windows. Was this issue resolved by JDK-8223482?
11-07-2019
Here is a attempt to fix the issue, but not actually work because the initSecmod() dependence. http://cr.openjdk.java.net/~xuelei/8224954/webrev.00/
13-06-2019
The initSecmod() in the test need to load SunJSSE provider to get the NSS lib. As requires a JCE provider. If SunJSSE provider is used, the SunJSSE is loaded with SunJSSE. Then the SunPKCS11 provider will not be used to initialize the SSLContext. It is not the expected behavior of the test. Before the SunPKCS11 provider get configured, it cannot be used for the initSecmod() method. Having this test on platforms other than Windows is sufficient now. As soon as GCM is supported in SunPKCS11, we should try again. Retargeted to JDK 14. Will keep it in the ProblemList so as to remind us to modify the test when SunPKCS11 GCM mode is ready.
13-06-2019
Thanks Xuelei for providing this information. It means that the hypothesis on my first comment was on the right path. Looks to me that ArtifactResolver::resolve takes a different path in your testing environment because JIB_HOME env variable is set. I'm not exactly sure of what this is but looks like a resource is obtained through an HTTPS connection and that initializes the JSSE engine ahead of time. I could not find ConfigFactory.java and JibServiceFactory.java files in OpenJDK. Is this something internal to Oracle?
12-06-2019
The security configuration for the SunJSSE provider should carry on before the first load of it. The FipsModeTLS12.initialize()#getSunPKCS11() could load the SunJSSE provider. Therefore, the following provider configuration in the test case cannot work. javax.net.ssl|DEBUG|0E|MainThread|2019-06-12 15:44:12.226 GMT|SSLCipher.java:512|Transformation AES/GCM/NoPadding provider is SunJCE version 13 ( "throwable" : { java.lang.Exception: isTransformationAvailable() at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:512) at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:499) at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:268) at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:69) at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:340) at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:555) at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:333) at java.base/java.security.Provider$Service.getImplClass(Provider.java:1842) at java.base/java.security.Provider$Service.newInstance(Provider.java:1818) at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:184) at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110) at java.base/javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:83) at java.base/javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:334) at java.base/javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:291) at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:76) at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:62) at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:57) at java.base/java.net.URL.openConnection(URL.java:1074) at com.oracle.jib.cli.ConfigFactory.lambda$getActiveArtifactoryConfig$0(ConfigFactory.java:277) at com.oracle.java.infra.utils.RetryUtility.doRetry(RetryUtility.java:149) at com.oracle.java.infra.utils.RetryUtility.retry(RetryUtility.java:134) at com.oracle.jib.cli.ConfigFactory.getActiveArtifactoryConfig(ConfigFactory.java:280) at com.oracle.jib.cli.ConfigFactory.getActiveArtifactoryConfig(ConfigFactory.java:194) at com.oracle.jib.cli.ConfigFactory.getConfig(ConfigFactory.java:168) at com.oracle.jib.api.JibServiceFactory.createJibArtifactInstaller(JibServiceFactory.java:52) at com.oracle.jib.api.JibServiceFactory.createJibArtifactInstaller(JibServiceFactory.java:74) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:567) at jdk.test.lib.artifacts.JibArtifactManager.newInstance(JibArtifactManager.java:80) at jdk.test.lib.artifacts.ArtifactResolver.resolve(ArtifactResolver.java:38) at PKCS11Test.fetchNssLib(PKCS11Test.java:890) at PKCS11Test.fetchNssLib(PKCS11Test.java:877) at PKCS11Test.getPreferableNssLibPaths(PKCS11Test.java:729) at PKCS11Test.getNssLibPaths(PKCS11Test.java:714) at PKCS11Test.getNSSLibPath(PKCS11Test.java:327) at PKCS11Test.getNSSLibDir(PKCS11Test.java:310) at PKCS11Test.getNSSLibDir(PKCS11Test.java:306) at SecmodTest.initSecmod(SecmodTest.java:45) at FipsModeTLS12.initialize(FipsModeTLS12.java:453) at FipsModeTLS12.main(FipsModeTLS12.java:85) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:567) at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127) at java.base/java.lang.Thread.run(Thread.java:830)}
12-06-2019
GCM mode is not supported per the test code configuration. However, it is selected for the negotiation. It implies that GCM mode might be available (SSLCipher.isAvailable()).
03-06-2019
I could not reproduce in my local Windows environment and I'm not sure of what's going on. One hypothesis is that SSLCipher is initialized before security providers are set in "initialize" function (FipsModeTLS12.java). But I would need to reproduce to confirm or discard.
31-05-2019