Docker build fails on Raspberry Pi. javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed #78

Open
frakman1 opened this issue Mar 15, 2021 · 2 comments
Labels
bug Something isn't working


frakman1 commented Mar 15, 2021

When attempting to do a docker build on Raspberry Pi running latest components, I get this error

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ docker build -t tsunami .
Sending build context to Docker daemon  823.3kB
Step 1/16 : FROM adoptopenjdk/openjdk13:debianslim
 ---> 7c717fa469de
Step 2/16 : RUN apt-get update  && apt-get install -y --no-install-recommends git ca-certificates
 ---> Using cache
 ---> 9b79bccc75c0
Step 3/16 : WORKDIR /usr/tsunami/repos
 ---> Using cache
 ---> aa7ac15ef819
Step 4/16 : RUN git clone --depth 1 "https://github.com/google/tsunami-security-scanner-plugins"
 ---> Using cache
 ---> f67e7c9387d3
Step 5/16 : WORKDIR /usr/tsunami/repos/tsunami-security-scanner-plugins/google
 ---> Using cache
 ---> 2d1764626137
Step 6/16 : RUN chmod +x build_all.sh     && ./build_all.sh
 ---> Running in 385af0fc8450

Building detectors/credentials/cve20177615 ...
Downloading https://services.gradle.org/distributions/gradle-6.5-bin.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
        at java.base/sun.security.ssl.CertificateStatus$CertificateStatusConsumer.consume(CertificateStatus.java:295)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1460)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1368)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
        at org.gradle.wrapper.Download.downloadInternal(Download.java:83)
        at org.gradle.wrapper.Download.download(Download.java:66)
        at org.gradle.wrapper.Install$1.call(Install.java:68)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:368)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:274)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
        ... 22 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:363)
        ... 27 more
Caused by: java.security.SignatureException: Signature does not match.
        at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:450)
        at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
        at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 32 more
The command '/bin/sh -c chmod +x build_all.sh     && ./build_all.sh' returned a non-zero code: 1

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ java --version
openjdk 11.0.9.1 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-post-Raspbian-1deb10u2)
OpenJDK Server VM (build 11.0.9.1+1-post-Raspbian-1deb10u2, mixed mode)

pi@raspberrypi:~/tsunami/tsunami-security-scanner$ gradle --version
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/usr/share/java/groovy-all.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

------------------------------------------------------------
Gradle 4.4.1
------------------------------------------------------------

Build time:   2012-12-21 00:00:00 UTC
Revision:     none

Groovy:       2.4.16
Ant:          Apache Ant(TM) version 1.10.5 compiled on August 27 2018
JVM:          11.0.9.1 (Raspbian 11.0.9.1+1-post-Raspbian-1deb10u2)
OS:           Linux 5.10.17-v7l+ arm

$ cat /etc/os-release 
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

$ docker --version
Docker version 20.10.5, build 55c4c88
Collaborator

magl0 commented Mar 16, 2021

Looks like there is a certificate verification issue during the gradle build. Can you please check this thread to see if it helps?

Author

frakman1 commented Mar 17, 2021

Thank you for the link but unfortunately, it does not apply.

I ended up making a fork of the tsunami-security-scanner-plugins repo and making changes there to effect the build script change that uses that repo.

The thread in your link mentions proxies etc so I tried this again on a Pi from home and not behind a company firewall and it also failed, so I don't think this applies.

I also tried with gradle 6.8.3 on the home Pi with the same result. I don't know enough about gradle to troubleshoot further but I did try to add the certificate from the services.gradle.org website to the keystore with no luck.

Update. Apparently openjdk13:debianslim is no longer supported by the team that releases them and moving to openjdk15 variants is advised.

tooryx added the bug label Jan 9, 2024