
8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically#120

Closed
gnu-andrew wants to merge 6 commits into openjdk:master from gnu-andrew:JDK-8325766-rampdown

@gnu-andrew

@gnu-andrew gnu-andrew commented Jun 15, 2026

Member

This is the same as openjdk/jdk11u-dev#3222 except I combined the test updates in the last two commits.

This change backports enhancements to the CertificateBuilder test library to allow automated generation of certificates. It also replaces the static certificate in IPIdentities.java and is a pre-requisite for backporting JDK-8384815.

The change actually backports fairly cleanly. There are just a few context differences because of the absence of JDK-8350807, which makes IPIdentities.java explicitly use TLSv1.2, and JDK-8349501 which moves CertificateBuilder into the regular jdk.test.lib namespace.

A number of follow-ups, included as follow-on commits, are then needed to make IPIdentities.java pass, and then to make other CertificateBuilder-using classes pass again.

  1. IPIdentities.java needs to have @library and @build lines added to use CertificateBuilder. This is based on its usage in existing test classes in 11u that already use it.
  2. 11u does not have SecureRandom.nextLong(long) so I ported this from java.util.random.RandomGenerator and jdk.internal.util.random.RandomSupport in 17u to jdk.test.lib.Utils. It is currently used by IPIdentities.java and CertificateBuilder.java and placing it in the library leaves the option open for other tests to use it.
  3. JDK-8179502 is an enhancement change we don't want to backport, but it does update CertificateBuilder to actually consistently work to the Builder pattern, returning itself from its methods. This is necessary both for the usage introduced in this patch in IPIdentities.java and for the changes in 8384815, so builder invocations can be changed. I only included the return type changes from 8179502 and not the change to one of the methods.
  4. Because CertificateBuilder now needs Utils from jdk.test.lib.Utils, a few tests that already used CertificateBuilder need to reference /test/lib.

I did start looking at backporting 8349501 but it is quite involved and has its own pre-requisites to explore. I wanted to make sure this and the follow-on could make the upcoming release and fix the currently broken test, so I worked around its absence for now. I do intend to backport it for the October release and this should clean up the dual library usage this change introduces by putting everything in jdk.test.lib.

Results for the tests which use CertificateBuilder look good with all passing after this patch.

$ make -C $HOME/builder/11u run-test TEST="jtreg:sun/net/www/protocol/https jtreg:javax/net/ssl/Stapling jtreg:java/security/cert/CertPathValidator jtreg:test/jdk/sun/security/ssl/Stapling"
==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk/sun/net/www/protocol/https            27    27     0     0   
   jtreg:test/jdk/javax/net/ssl/Stapling                 4     4     0     0   
   jtreg:test/jdk/java/security/cert/CertPathValidator
                                                        14    14     0     0   
   jtreg:test/jdk/sun/security/ssl/Stapling              1     1     0     0   
==============================
TEST SUCCESS


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8325766 needs maintainer approval

Issue

  • JDK-8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically (Enhancement - P4 - Approved)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u.git pull/120/head:pull/120
$ git checkout pull/120

Update a local copy of the PR:
$ git checkout pull/120
$ git pull https://git.openjdk.org/jdk11u.git pull/120/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 120

View PR using the GUI difftool:
$ git pr show -t 120

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u/pull/120.diff


@gnu-andrew gnu-andrew changed the title from "Jdk 8325766 rampdown" to "Backport 9dbee307410971bbc46c52d18e9ef0134c736c5f" Jun 15, 2026
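
Item 2 of the pull request description above refers to a bounded nextLong(long) helper for SecureRandom, which 11u lacks. The following is an added illustration of that technique for Java 11, not the code from this pull request; the class name, the static method shape and the sample bounds are assumptions, and the loop is the common mask-or-reject approach for bounded values.

```java
import java.security.SecureRandom;

public class BoundedSecureRandomDemo {

    // Uniform value in [0, bound) from a SecureRandom on Java 11, where
    // SecureRandom has no nextLong(long). Power-of-two bounds are masked;
    // all other bounds use rejection sampling to avoid modulo bias.
    static long nextLong(SecureRandom rng, long bound) {
        if (bound <= 0) {
            throw new IllegalArgumentException("bound must be positive");
        }
        final long m = bound - 1;
        long r = rng.nextLong();
        if ((bound & m) == 0L) {
            return r & m; // power of two: the low bits are already uniform
        }
        // u is a uniform non-negative 63-bit value. A plain u % bound is biased
        // because 2^63 is not a multiple of bound; candidates that fall in the
        // incomplete final block make u + m - r overflow to a negative number
        // and are redrawn.
        for (long u = r >>> 1; u + m - (r = u % bound) < 0L; u = rng.nextLong() >>> 1) {
            // retry with fresh bits
        }
        return r;
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        // Constructed sample bounds, including the edge cases 1 and Long.MAX_VALUE.
        long[] bounds = {1L, 2L, 10L, 1L << 40, 1_000_000_007L, Long.MAX_VALUE};
        for (long bound : bounds) {
            for (int i = 0; i < 10_000; i++) {
                long v = nextLong(rng, bound);
                if (v < 0 || v >= bound) {
                    throw new AssertionError(v + " outside [0, " + bound + ")");
                }
            }
        }
        // Rough uniformity check: each of 10 buckets should receive close to
        // 10% of 1,000,000 draws.
        int[] buckets = new int[10];
        for (int i = 0; i < 1_000_000; i++) {
            buckets[(int) nextLong(rng, 10L)]++;
        }
        for (int b = 0; b < buckets.length; b++) {
            System.out.printf("%d: %d%n", b, buckets[b]);
        }
    }
}
```
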
@bridgekeeper

bridgekeeper Bot commented Jun 15, 2026


👋 Welcome back andrew! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk

openjdk Bot commented Jun 15, 2026


@gnu-andrew This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically

Reviewed-by: sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk Bot changed the title from "Backport 9dbee307410971bbc46c52d18e9ef0134c736c5f" to "8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically" Jun 15, 2026
@openjdk

openjdk Bot commented Jun 15, 2026


This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk Bot added the backport (Port of a pull request already in a different code base) and rfr (Pull request is ready for review) labels Jun 15, 2026
@mlbridge

mlbridge Bot commented Jun 15, 2026


Webrevs

@jerboaa

jerboaa commented Jun 15, 2026

Contributor

@gnu-andrew Please merge master and this should make the windows build failures go away. Thanks!

@gnu-andrew

Member Author

> @gnu-andrew Please merge master and this should make the windows build failures go away. Thanks!

Yeah, will do. I should have waited a few hours for that to be merged to begin with.

@jerboaa

jerboaa commented Jun 16, 2026

Contributor

GHA failures in the serviceability area on macosx-x64 are intermittent:

TEST: serviceability/sa/ClhsdbFindPC.java#id1
TEST: serviceability/sa/ClhsdbFindPC.java#id3

@jerboaa jerboaa left a comment

Contributor

Confirmed it being the same as openjdk/jdk11u-dev#3222 plus the extra test change.

@openjdk

openjdk Bot commented Jun 16, 2026


⚠️ @gnu-andrew This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

@gnu-andrew

Member Author

/approval request Test only backport to bring in the infrastructure to generate security certificates automatically rather than having static ones which eventually expire. Requesting this during rampdown so that it and 8384815 can be integrated to fix the failing PreferredKey tests in the upcoming release. The patch was pretty clean codewise but required some alterations to fit within the current test infrastructure of 8u. The patch was reviewed by Severin Gehwolf.

@openjdk

openjdk Bot commented Jun 19, 2026


@gnu-andrew
8325766: The approval request has been created successfully.

@openjdk openjdk Bot added the approval (Requires approval; will be removed when approval is received) label Jun 19, 2026
@jerboaa

jerboaa commented Jun 19, 2026

Contributor

/approve yes

@openjdk

openjdk Bot commented Jun 19, 2026


@jerboaa
8325766: The approval request has been approved.

@openjdk openjdk Bot added the ready (Pull request is ready to be integrated) label and removed the approval (Requires approval; will be removed when approval is received) label Jun 19, 2026
@gnu-andrew

Member Author

/integrate

@openjdk

openjdk Bot commented Jun 19, 2026


Going to push as commit e85e42b.

@openjdk openjdk Bot added the integrated (Pull request has been integrated) label Jun 19, 2026
@openjdk openjdk Bot closed this Jun 19, 2026
@openjdk openjdk Bot removed the ready (Pull request is ready to be integrated) and rfr (Pull request is ready for review) labels Jun 19, 2026
@openjdk

openjdk Bot commented Jun 19, 2026


@gnu-andrew Pushed as commit e85e42b.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.


Labels

  • backport (Port of a pull request already in a different code base)
  • integrated (Pull request has been integrated)
