8311644: Server should not send bad_certificate alert when the client does not send any certificates

[amosshi]

Backport of JDK-8311644

Testing

• Local: Test passed on MacOS 14.6.1 on Apple M1 Max
  • CertMsgCheck.java: Test results: passed: 1
  • CheckSessionContext.java: Test results: passed: 1
  • LegacyDHEKeyExchange.java: Test results: passed: 1
  • SigAlgosExtTestWithTLS12.java: Test results: passed: 1
  • SigAlgosExtTestWithTLS13.java: Test results: passed: 1
• Pipeline: All checks have passed
• Testing Machine:

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8311644 needs maintainer approval

Issue

• JDK-8311644: Server should not send bad_certificate alert when the client does not send any certificates (Bug - P3)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk21u-dev.git pull/932/head:pull/932
$ git checkout pull/932

Update a local copy of the PR:
$ git checkout pull/932
$ git pull https://git.openjdk.org/jdk21u-dev.git pull/932/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 932

View PR using the GUI difftool:
$ git pr show -t 932

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk21u-dev/pull/932.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back ashi! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[openjdk]

⚠️ @amosshi This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[mlbridge]

Webrevs

• 00: Full (cfa18d51)

[amosshi]

Testing Machine note on 2024-08-18

• javax/net/ssl/SSLSession/CertMsgCheck.jtr
  • on linuxaarch64
  • on linuxx86_64
  • on linuxppc64le

----------System.err:(73/5183)----------
Server ready on port 34603
Client connected using port 32780
(write)client(SSLSocket[hostname=localhost, port=34603, Session(1724013817426|SSL_NULL_WITH_NULL_NULL)]): Hello
javax.net.ssl.SSLHandshakeException: (certificate_required) Received fatal alert: certificate_required
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1509)
	at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1480)
	at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1066)
	at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:350)
	at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:393)
	at java.base/sun.nio.cs.StreamDecoder.lockedRead(StreamDecoder.java:217)
	at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:171)
	at java.base/java.io.InputStreamReader.read(InputStreamReader.java:188)
	at java.base/java.io.BufferedReader.fill(BufferedReader.java:160)
	at java.base/java.io.BufferedReader.implReadLine(BufferedReader.java:370)
	at java.base/java.io.BufferedReader.readLine(BufferedReader.java:347)
	at java.base/java.io.BufferedReader.readLine(BufferedReader.java:436)
	at TLSBase.read(TLSBase.java:82)
	at TLSBase$Client.read(TLSBase.java:351)
	at TLSBase$Client.connect(TLSBase.java:342)
	at TLSBase$Client.<init>(TLSBase.java:328)
	at CertMsgCheck.main(CertMsgCheck.java:42)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
	at java.base/java.lang.Thread.run(Thread.java:1583)
javax.net.ssl.SSLHandshakeException: (certificate_required) Empty client certificate chain
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1157)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:922)
	at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1013)
	at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:350)
	at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:393)
	at java.base/sun.nio.cs.StreamDecoder.lockedRead(StreamDecoder.java:217)
	at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:171)
	at java.base/java.io.InputStreamReader.read(InputStreamReader.java:188)
	at java.base/java.io.BufferedReader.fill(BufferedReader.java:160)
	at java.base/java.io.BufferedReader.implReadLine(BufferedReader.java:370)
	at java.base/java.io.BufferedReader.readLine(BufferedReader.java:347)
	at java.base/java.io.BufferedReader.readLine(BufferedReader.java:436)
	at TLSBase.read(TLSBase.java:82)
	at TLSBase$Server.lambda$new$0(TLSBase.java:178)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Server ready on port 34603
java.lang.Exception: Failed to find expected alert: certificate_required
	at CertMsgCheck.main(CertMsgCheck.java:56)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
	at java.base/java.lang.Thread.run(Thread.java:1583)

JavaTest Message: Test threw exception: java.lang.Exception: Failed to find expected alert: certificate_required
JavaTest Message: shutting down test

[Harry-Junhua-Huang]

Test on local linux machine

System info

• tail /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS"

• lscpu

Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         48 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  16
  On-line CPU(s) list:   0-15
Vendor ID:               AuthenticAMD
  Model name:            AMD Ryzen 7 5800H with Radeon Graphics
    CPU family:          25
    Model:               80
    Thread(s) per core:  2
    Core(s) per socket:  8
    Socket(s):           1
    Stepping:            0
    BogoMIPS:            6387.77

Test result: All passed

• Passed: javax/net/ssl/SSLSession/CertMsgCheck.java
• Passed: javax/net/ssl/SSLSession/CheckSessionContext.java
• Passed: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java
• Passed: sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS12.java
• Passed: sun/security/ssl/SignatureScheme/SigAlgosExtTestWithTLS13.java

[bridgekeeper]

@amosshi This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!