JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception

[MBaesken]

Currently we see on various Windows machines the following exception :
https://bugs.openjdk.org/browse/JDK-8293097

java.security.KeyStoreException: Access is denied.

This should probably be enhanced a bit so that the exception tell us more about what went wrong exactly.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception

Reviewers

• Weijun Wang (@wangweij - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10280/head:pull/10280
$ git checkout pull/10280

Update a local copy of the PR:
$ git checkout pull/10280
$ git pull https://git.openjdk.org/jdk pull/10280/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 10280

View PR using the GUI difftool:
$ git pr show -t 10280

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10280.diff

[bridgekeeper]

👋 Welcome back mbaesken! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@MBaesken The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 02: Full - Incremental (b909aa64)
• 01: Full - Incremental (edeaaefa)
• 00: Full (0dd4bcdc)

[wangweij]

This is not a fix for the bug itself, therefore I suggest either create a new issue or create a subtask for this code change.

Also, how about we enhance the existing ThrowException function to include the error code in the output as well.

Finally, with this change, do you have more clues on the "Access is denied" problem?

[MBaesken]

This is not a fix for the bug itself, therefore I suggest either create a new issue or create a subtask for this code change.

Hi, this one is just for the better/more detailed exception . For the real issue we still have JDK-8293097 .

Also, how about we enhance the existing ThrowException function to include the error code in the output as well.

Sounds like a good idea.

Finally, with this change, do you have more clues on the "Access is denied" problem?

Still not 100% sure whats happening there, it might be related to some special properties or missing privileges of the user executing those tests.

[MBaesken]

Still not 100% sure whats happening there, it might be related to some special properties or missing privileges of the user >executing those tests.

After looking into a number of logs it looks more and more like some crappy (or awfully configured?) "security product" causes these "Access is denied" problems on a number of our Windows test machines.

Having a detailed error message is of course good in this case , but it won't (and probably can't) tell you the reason / root cause of the issue.

[wangweij]

This is not a fix for the bug itself, therefore I suggest either create a new issue or create a subtask for this code change.

Hi, this one is just for the better/more detailed exception . For the real issue we still have JDK-8293097 .

I see. Sorry.

[wangweij]

After looking into a number of logs it looks more and more like some crappy (or awfully configured?) "security product" causes these "Access is denied" problems on a number of our Windows test machines.

Is it possible to find a Windows command that tries to do something similar and shows the same error? If yes, then it's safe to say it's not an issue in JDK and we may even be able to add more info in the exception message.

[openjdk]

@MBaesken This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 27 new commits pushed to the master branch:

• f42caef: 8293550: Optionally add get-task-allow entitlement to macos binaries
• 5feca68: 8293840: RISC-V: Remove cbuf parameter from far_call/far_jump/trampoline_call
• 39cd163: 8293578: Duplicate ldc generated by javac
• 7765942: 8290367: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
• 11e7d53: 8293819: sun/util/logging/PlatformLoggerTest.java failed with "RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG"
• 141d5f5: 8293767: AWT test TestSinhalaChar.java has old SCCS markings
• 3beca2d: 8291600: [vectorapi] vector cast op check is not always needed for vector mask cast
• 9a40b76: 8293842: IPv6-only systems throws UnsupportedOperationException for several socket/TCP options
• bb9aa4e: 8293813: ProblemList com/sun/jdi/JdbLastErrorTest.java on windows-x64 in Xcomp mode
• 4cec141: 8291509: Minor cleanup could be done in sun.security
• ... and 17 more: https://git.openjdk.org/jdk/compare/211fab8d361822bbd1a34a88626853bf4a029af5...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[MBaesken]

Thanks for the review !

...we may even be able to add more info in the exception message.

Unfortunately the "Access denied" can show up also in other situations like missing permissions etc. of the user running the JDK so it is not completely clear what it means. Regarding "finding a Windows tool" showing the same issues, so far I am not aware of one unfortunately.

[wangweij]

Oops, find an issue. msg on line 165 is not defined.

[wangweij]

msg is from nowhere.

[MBaesken]

Sorry, had to remove msg you are correct of course ...

[wangweij]

Looks good to me. Thanks.

[MBaesken]

/integrate

[openjdk]

Going to push as commit 36c9034.
Since your change was applied there have been 43 commits pushed to the master branch:

• cbd0688: 8293851: hs_err should print more stack in hex dump
• 04d7b7d: 8293503: gc/metaspace/TestMetaspacePerfCounters.java#Epsilon-64 failed assertGreaterThanOrEqual: expected MMM >= NNN
• d77c464: 8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
• d7c1a76: 8293861: G1: Disable preventive GCs by default
• 43f7f47: 8293499: Provide jmod --compress option
• 26e08cf: 8293844: C2: Verify Location::{oop,normal} types in PhaseOutput::FillLocArray
• 357a2cc: 8293937: x86: Drop LP64 conditions from clearly x86_32 code
• b1ed40a: 8293466: libjsig should ignore non-modifying sigaction calls
• b6ff8fa: 8292073: NMT: remove unused constructor parameter from MallocHeader
• cfd44bb: 8293218: serviceability/tmtools/jstat/GcNewTest.java fails with "Error in the percent calculation"
• ... and 33 more: https://git.openjdk.org/jdk/compare/211fab8d361822bbd1a34a88626853bf4a029af5...master

Your commit was automatically rebased without conflicts.

[openjdk]

@MBaesken Pushed as commit 36c9034.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.