Description of the feature request:
Enable using the Windows host keystore for certificates instead of the keystore of the bundled JDK.
To achieve this, the module jdk.crypto.mscapi needs to be added to the Windows minimal embedded JDK.
This module (Windows-specific) is required to access the Windows truststore, which in turn allows using the host's keystore by adding the startup option startup --host_jvm_args=-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT.
Without this module the startup option results in an exception when creating the SSLContext on Bazel startup (see attached log output).
Adding the module increases the embedded JDK's size by ~38kb.
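The following is an added example, not code from the issue or from Bazel itself: a stand-alone Java check that exercises the same path the attached log shows failing. It asks the running JDK for the WINDOWS-ROOT keystore (the type that jdk.crypto.mscapi provides), reports whether that module is in the boot layer, lists the trust anchors the OS store exposes, and then initialises a TrustManagerFactory and SSLContext from it, which is what the JSSE default does once -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT is set. The class name, the optional subject-name filter argument and the console output format are assumptions of this example.

```java
// Added example (not part of the Bazel issue or the Bazel code base).
// Run it with the JDK under test on a Windows host, e.g.
//   java WindowsRootTrustCheck "Example Enterprise Root CA"
// An optional argument filters the listed anchors by a substring of the subject DN.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class WindowsRootTrustCheck {

    static final String STORE_TYPE = "WINDOWS-ROOT";     // keystore type from the issue
    static final String PROVIDER_MODULE = "jdk.crypto.mscapi"; // module the issue asks to add

    public static void main(String[] args) throws Exception {
        // 1. Is the provider module present in this runtime image at all?
        boolean modulePresent = ModuleLayer.boot().findModule(PROVIDER_MODULE).isPresent();
        System.out.println(PROVIDER_MODULE + " in boot layer: " + modulePresent);

        // 2. Ask for the keystore type. Without jdk.crypto.mscapi this throws
        //    KeyStoreException("WINDOWS-ROOT not found") caused by
        //    NoSuchAlgorithmException, the same chain as in the attached log.
        KeyStore trustStore;
        try {
            trustStore = KeyStore.getInstance(STORE_TYPE);
        } catch (KeyStoreException e) {
            System.err.println("Cannot use " + STORE_TYPE + ": " + e.getMessage()
                + (modulePresent ? "" : " (module " + PROVIDER_MODULE + " is missing from this JDK)"));
            System.exit(1);
            return;
        }
        // MSCAPI keystores are backed by the OS store; no stream or password is needed.
        trustStore.load(null, null);

        // 3. Show which anchors the JVM would trust, so an enterprise root can be confirmed.
        String filter = args.length > 0 ? args[0] : null;
        int count = 0;
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = trustStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            count++;
            String subject = x509.getSubjectX500Principal().getName();
            if (filter != null && subject.contains(filter)) {
                System.out.println("match: " + alias + " -> " + subject
                    + " (valid until " + x509.getNotAfter() + ")");
            }
        }
        System.out.println("trust anchors in " + STORE_TYPE + ": " + count);

        // 4. Build the TrustManager and SSLContext the way a TLS client would.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised with "
            + tmf.getTrustManagers().length + " trust manager(s)");
    }
}
```

Running this against the embedded JDK reproduces the failure in step 2 when the module is absent; `java --list-modules` on that JDK gives the same answer without code. Once jdk.crypto.mscapi is part of the image, step 4 succeeds and the startup option from the description makes Bazel's HTTP cache client (via Netty's SslContextBuilder, visible in the log) pick up the same anchors, so the set of roots the build trusts becomes whatever the Windows machine store contains.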
What underlying problem are you trying to solve with this feature?
Allow usage of self-signed or enterprise root certificates (SSL) for e.g. remote-cache servers, where the signing certificate is not part of the embedded JDK's truststore but is part of the Windows host's truststore.
Which operating system are you running Bazel on?
Windows 10
What is the output of bazel info release?
release 5.1.1
Have you found anything relevant by searching the web?
https://groups.google.com/g/bazel-discuss/c/qeZwI_BUa8w
https://stackoverflow.com/questions/69971542/ssl-access-failure
#5741
Any other information, logs, or outputs that you want to share?
220421 09:40:44.057:I 22 [com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec] Exit status was DetailedExitCode{exitCode=BLAZE_INTERNAL_ERROR, failureDetail=message: "Crashed: (java.lang.RuntimeException) javax.net.ssl.SSLException: unable to setup trustmanager, (javax.net.ssl.SSLException) unable to setup trustmanager, (java.security.KeyStoreException) problem accessing trust store, (java.security.KeyStoreException) WINDOWS-ROOT not found, (java.security.NoSuchAlgorithmException) WINDOWS-ROOT KeyStore not available"
crash {
causes {
throwable_class: "java.lang.RuntimeException"
message: "javax.net.ssl.SSLException: unable to setup trustmanager"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:117)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
stack_trace: "io.grpc.Context$1.run(Context.java:579)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
}
causes {
throwable_class: "javax.net.ssl.SSLException"
message: "unable to setup trustmanager"
stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:166)"
stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
stack_trace: "io.grpc.Context$1.run(Context.java:579)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
}
causes {
throwable_class: "java.security.KeyStoreException"
message: "problem accessing trust store"
stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
stack_trace: "io.grpc.Context$1.run(Context.java:579)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
}
causes {
throwable_class: "java.security.KeyStoreException"
message: "WINDOWS-ROOT not found"
stack_trace: "java.base/java.security.KeyStore.getInstance(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
stack_trace: "io.grpc.Context$1.run(Context.java:579)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
}
causes {
throwable_class: "java.security.NoSuchAlgorithmException"
message: "WINDOWS-ROOT KeyStore not available"
stack_trace: "java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)"
stack_trace: "java.base/java.security.Security.getImpl(Unknown Source)"
stack_trace: "java.base/java.security.KeyStore.getInstance(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)"
stack_trace: "java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)"
stack_trace: "java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)"
stack_trace: "io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:151)"
stack_trace: "io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:196)"
stack_trace: "io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:831)"
stack_trace: "io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:611)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.<init>(HttpCacheClient.java:244)"
stack_trace: "com.google.devtools.build.lib.remote.http.HttpCacheClient.create(HttpCacheClient.java:156)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.createHttp(RemoteCacheClientFactory.java:107)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteCacheClientFactory.create(RemoteCacheClientFactory.java:67)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.initHttpAndDiskCache(RemoteModule.java:231)"
stack_trace: "com.google.devtools.build.lib.remote.RemoteModule.beforeCommand(RemoteModule.java:331)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.execExclusively(BlazeCommandDispatcher.java:386)"
stack_trace: "com.google.devtools.build.lib.runtime.BlazeCommandDispatcher.exec(BlazeCommandDispatcher.java:231)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.executeCommand(GrpcServerImpl.java:550)"
stack_trace: "com.google.devtools.build.lib.server.GrpcServerImpl.lambda$run$1(GrpcServerImpl.java:614)"
stack_trace: "io.grpc.Context$1.run(Context.java:579)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
stack_trace: "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
stack_trace: "java.base/java.lang.Thread.run(Unknown Source)"
}
}