[jdk11u-dev] RFR: 8296631: NSS tests failing on OL9 linux-aarch64 hosts [v2]
Taizo Kurashige
duke at openjdk.org
Thu Nov 7 13:13:11 UTC 2024
On Wed, 6 Nov 2024 08:49:42 GMT, Andrew Haley <aph at openjdk.org> wrote:
>> Taizo Kurashige has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>>
>> - Merge branch 'openjdk:master' into backport-8296631
>> - Backport 6e1aacdfba5a32f7b071eea8039888d275827e83
>> - Backport 6e1aacdfba5a32f7b071eea8039888d275827e83
>
> Why are the two sets of files key4.db and cert9.db different?
>
> ```
> zarquon:Downloads $ shasum cert9*.db
> 41eed34f2505f3a549cb85542ae58b2f239c593e cert9(1).db
> b0e2a3aa1c884de00a342e01d5c2aa4c4ca1d801 cert9.db
> zarquon:Downloads $ shasum key4*.db
> c06ef63d0a2e960bbe91744c2fe1b8e7cd2bd841 key4(1).db
> 0a48f27990384fbae2d70dc9a496d08b6b5ea0f3 key4.db
> ```
>
> dbtool can't read the files in fips/. Are they a different kind of database?
@theRealAph
> Why are the two sets of files key4.db and cert9.db different?
The reason key4.db and cert9.db are different is that they are newly created by me using the "modutil" command.
I created them with reference to [jdk/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE](https://github.com/openjdk/jdk/blob/ac82a8f89c7066fb1d379b12bcfd68053cb39ba4/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE) and manually copied pkcs11.txt from [jdk/test/jdk/sun/security/pkcs11/Secmod/pkcs11.txt](https://github.com/openjdk/jdk/blob/f0b251d76078e8d5b47e967b0449c4cbdcb5a005/test/jdk/sun/security/pkcs11/Secmod/pkcs11.txt). However, after receiving your comment, I realized that the README-SQLITE procedure does not correspond to the contents of pkcs11.txt. So I recreated key4.db, cert9.db and pkcs11.txt using the following steps:
```
$ mkdir ./tmpdb
$ modutil -create -force -dbdir sql:./tmpdb
$ modutil -enable "NSS Internal PKCS #11 Module" -dbdir sql:./tmpdb
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Slot "NSS Internal Cryptographic Services" enabled.
Slot "NSS User Private Key and Certificate Services" enabled.
$ modutil -undefault "NSS Internal PKCS #11 Module" -mechanisms SHA256:SHA512:Camellia:SEED:ECC -force -dbdir sql:./tmpdb -secmod secmod.db
Successfully changed defaults.
$ modutil -add "Builtin Roots Module" -libfile libnssckbi.so -dbdir sql:./tmpdb
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.
Type 'q <enter>' to abort, or <enter> to continue:
Module "Builtin Roots Module" added to database.
$ echo "" > ./tmpdb/1
$ echo "test12" > ./tmpdb/2
$ modutil -changepw "NSS Certificate DB" -force -dbdir sql:./tmpdb/ -pwfile ./tmpdb/1 -newpwfile ./tmpdb/2
Token "NSS Certificate DB" password changed successfully.
$ ls tmpdb/
1 2 cert9.db key4.db pkcs11.txt
$ cat tmpdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical
library=libnssckbi.so
name=Builtin Roots Module
NSS=trustOrder=100
```
I then verified again that the tests in pkcs11/fips/ pass.
> dbtool can't read the files in fips/. Are they a different kind of database?
Please check again whether dbtool can't read the db files in fips/, because I recreated them as above.
I didn't intend to use a different kind of database.
If dbtool can't read them, it would be helpful if you could provide an error message. In some cases, I will replace the db files in pkcs11/fips with the db files in pkcs11/KeyStore/ClientAuthData.
-------------
PR Comment: https://git.openjdk.org/jdk11u-dev/pull/2955#issuecomment-2462197616
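
A check for the kind of mismatch described in the message above (a pkcs11.txt that does not correspond to the modutil steps), as an added example that is not part of the original message or of the JDK test suite. The function names are hypothetical, and it assumes that the `slotFlags` list in pkcs11.txt reflects the defaults changed by `modutil -undefault`.

```python
import re

# Constructed sample: the pkcs11.txt content shown in the message above.
SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical
library=libnssckbi.so
name=Builtin Roots Module
NSS=trustOrder=100
"""

def parse_modules(text):
    """Split pkcs11.txt into one dict per module; a 'library=' line starts a stanza."""
    modules = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank lines or anything that is not key=value
        if key == "library":
            modules.append({})
        if modules:
            modules[-1][key] = value
    return modules

def slot_flags(module):
    """Return {slot id: set of upper-cased slotFlags} from the module's NSS= line."""
    # Assumption: slotFlags lists the mechanisms the slot is a default provider for.
    pairs = re.findall(r"(0x[0-9a-fA-F]+)=\[slotFlags=([^\s\]]*)", module.get("NSS", ""))
    return {slot: {f.upper() for f in flags.split(",") if f} for slot, flags in pairs}

def check(text, expected_names, undefaulted):
    """List mismatches between pkcs11.txt and the modutil steps that produced it."""
    modules = parse_modules(text)
    names = [m.get("name") for m in modules]
    problems = [f"missing module: {n}" for n in expected_names if n not in names]
    wanted_off = {m.upper() for m in undefaulted}
    for m in modules:
        for slot, flags in slot_flags(m).items():
            for mech in sorted(flags & wanted_off):
                problems.append(f"{m.get('name')} slot {slot}: {mech} still default")
    return problems

EXPECTED = ["NSS Internal PKCS #11 Module", "Builtin Roots Module"]  # from -enable / -add
UNDEFAULTED = "SHA256:SHA512:Camellia:SEED:ECC".split(":")  # from -undefault -mechanisms

if __name__ == "__main__":
    print(check(SAMPLE, EXPECTED, UNDEFAULTED) or "pkcs11.txt matches the steps")
```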
More information about the jdk-updates-dev
mailing list