[jdk8u-dev] RFR: 8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 [v2]
Andrew John Hughes
andrew at openjdk.org
Thu Sep 1 01:15:27 UTC 2022
On Fri, 26 Aug 2022 21:47:10 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Hi,
>>
>> I'd like to propose the backport of the JDK-8195607 fix to 8u because this release is affected by this issue. Given that the legacy NSS DB has been deprecated for a long time and it's increasingly replaced by SQLite DBs, the chances that JDK-8 builds hit this problem are now higher.
>>
>> The 11u backport applies cleanly, once paths are fixed.
>>
>> To minimize risks, I manually debugged the OpenJDK code that connected to an NSS DB using the sql: prefix and everything was as expected.
>>
>> I also run all the tests under the jdk/sun/security/pkcs11 category and noticed no-regressions strictly related to this fix. The test 'jdk/sun/security/pkcs11/Secmod/TrustAnchors.java' requires a special note, though. This test passes if run standalone but fails when run as part of a group. The reason is because when run as part of a group, other tests copy the file 'pkcs11.txt' to the temporary nssdb directory which is shared between all of them. This DB does not register the trust anchors module called 'Builtin Roots Module', which was available in the old secmod.db and is required by the test (which expects to see a Secmod$Module of TRUSTANCHOR type). While the test leaves the sun.security.pkcs11.SecmodTest::useSqlite field set to false and tries to access the legacy DB (also contained in the shared temporary nssdb directory), NSS realizes that there is a new SQLite DB in the same directory and reads the configuration from pkcs11.txt. Otherwise, if pkcs11.txt does not exist (as
when the test is run standalone), it creates one with the information in secmod.db and it registers the 'Builtin Roots Module' module. All these findings have been verified with the 'modutil -list' command. While the issue is unrelated to what JDK-8195607 fixes, it has been uncovered by the existence of the pkcs11.txt file introduced with this change.
>>
>> Why newer releases are not affected? Because jtreg runs tests (including TrustAnchors.java) in separated directories, so they don't share the nssdb temporary directory. In newer releases, TEST.ROOT has a requiredVersion attribute [1] indicating to jtreg that this can be done [2].
>>
>> I've analyzed several ways to fix this issue but the one that I'd like to propose is to clean up the temporary nssdb directory for every test and avoid conflicts, giving every test the isolation that jtreg does when it sets test.classes uniquely per test in newer JDK releases.
>>
>> Thanks,
>> Martin.-
>>
>> --
>> [1] - https://github.com/openjdk/jdk11u/blob/master/test/jdk/TEST.ROOT#L61
>> [2] - https://github.com/openjdk/jtreg/blob/jtreg-6.2%2B1/src/share/classes/com/sun/javatest/regtest/config/Locations.java#L174
>
> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>
> Revert "Clean the temporary nssdb directory so every test gets complete isolation (no interference from old files causing unreliability)." as required in the PR review.
>
> This reverts commit 22c1df05d2ab51a400ebdc69566e84fdaf32efec.
8u-dev is open again. Feel free to integrate.
-------------
PR: https://git.openjdk.org/jdk8u-dev/pull/106
More information about the jdk8u-dev
mailing list