[PATCH FOR REVIEW]: Improve error output for NSS provider

Andrew John Hughes ahughes at redhat.com
Fri Apr 16 02:24:56 PDT 2010


On 16 April 2010 00:06, Bradford Wetmore <bradford.wetmore at oracle.com> wrote:
> Hi Andrew,
>
> I couldn't tell for sure if this was for OpenJDK 7 or OpenJDK 6.  I'm
> assuming the former?
>

You're correct.  I should have made it clearer in the initial e-mail,
though I did ask if it was ok to push it to tl which is 7 only.  The
patch does apply to both, so I'll ask Joe Darcy about backporting it
once it's in 7.

> Looks good.  I checked for any remaining missing CKR_* values in the
> PKCS11 spec version 2.20, this covers all the missing values.
>

Thanks.  These are all the values used by the current version of NSS
(3.12.3 IIRC).

> I've filed:
>
> 6944361: Missing CKR_ values in PKCS11Exception
>
> Our reviewer names would be wetmore, valeriep.
>

Thanks.  Pushed: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c444651077d2

>> http://cr.openjdk.java.net/~andrew/nss/webrev.01/jdk.patch
>
> Specifying just the top level of the webrev is preferred.
>

Whoops!  Sorry, I usually do post the right URL.  Must have copied the
wrong one.

> Thanks!
>
> Brad
>
>
> On 4/12/2010 8:49 AM, Andrew John Hughes wrote:
>> Hi,
>>
>> I'm trying to debug an issue with the NSS provider crashing on a
>> number of JTreg tests.  See
>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=469
>>
>> I found a couple of issues in doing so:
>>
>> * The stack trace is incomplete as a couple of exceptions are thrown
>> using only the message without including the cause
>> * The NSS wrapper can't handle a couple of newer NSS error codes
>>
>> This patch:
>>
>> http://cr.openjdk.java.net/~andrew/nss/webrev.01/jdk.patch
>>
>> fixes both issues and extends:
>>
>> java.security.cert.CertificateParsingException: java.io.IOException: subject
>> key, Could not create EC public key
>>         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
>>         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
>>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
>>         at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
>>         at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
>>         at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
>>         at ReadCertificates.readCertificates(ReadCertificates.java:51)
>>         at ReadCertificates.main(ReadCertificates.java:86)
>>         at PKCS11Test.premain(PKCS11Test.java:79)
>>         at PKCS11Test.testDefault(PKCS11Test.java:113)
>>         at PKCS11Test.main(PKCS11Test.java:86)
>>         at ReadCertificates.main(ReadCertificates.java:57)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:616)
>>         at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
>>         at java.lang.Thread.run(Thread.java:636)
>> Caused by: java.io.IOException: subject key, Could not create EC public key
>>         at sun.security.x509.X509Key.parse(X509Key.java:174)
>>         at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
>>         at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
>>         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>>         ... 17 more
>>
>> with:
>>
>> Caused by: java.security.InvalidKeyException: Could not create EC public key
>>         at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
>>         at sun.security.x509.X509Key.parse(X509Key.java:170)
>>         ... 20 more
>> Caused by: java.security.spec.InvalidKeySpecException: Could not create EC
>> public key
>>         at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
>>         at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
>>         at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
>>         ... 21 more
>> Caused by: java.security.InvalidKeyException: Could not create EC public key
>>         at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
>>         at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
>>         ... 23 more
>> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
>> CKR_DOMAIN_PARAMS_INVALID
>>         at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
>>         at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:229)
>>         at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:103)
>>         ... 24 more
>>
>> allowing the native NSS error to be seen.
>>
>> Ok to push to tl? If so, can I have a bug ID for this change?
>>
>> Thanks,
>



-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
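
The two problems described in the quoted message (exceptions rethrown with only their message, and a wrapper exception that cannot name newer error codes), as an added example that is not the patch or OpenJDK code. `TokenException`, its two-entry name table with a hex fallback, and the `generate*` methods are hypothetical stand-ins for the classes in the traces above.

```java
import java.security.spec.InvalidKeySpecException;
import java.util.Map;

public class CauseChainDemo {
    // Hypothetical stand-in for the native wrapper's exception type.
    static class TokenException extends Exception {
        // Two CKR_* values from PKCS#11 v2.20; a real table is far longer.
        static final Map<Long, String> NAMES = Map.of(
            0x00000005L, "CKR_GENERAL_ERROR",
            0x00000130L, "CKR_DOMAIN_PARAMS_INVALID");

        TokenException(long code) {
            // Assumption for this example: unknown codes are reported in hex
            // instead of breaking the lookup.
            super(NAMES.getOrDefault(code, "0x" + Long.toHexString(code)));
        }
    }

    // Constructed failure: the token rejects the EC domain parameters.
    static void createObject() throws TokenException {
        throw new TokenException(0x130L);
    }

    // Before: only the message is carried up, so the native error is lost.
    static void generateLossy() throws InvalidKeySpecException {
        try {
            createObject();
        } catch (TokenException e) {
            throw new InvalidKeySpecException("Could not create EC public key");
        }
    }

    // After: same message, with the caught exception attached as the cause.
    static void generateChained() throws InvalidKeySpecException {
        try {
            createObject();
        } catch (TokenException e) {
            throw new InvalidKeySpecException("Could not create EC public key", e);
        }
    }

    // Walk getCause() to the innermost exception, as a "Caused by:" chain does.
    static Throwable root(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t;
    }

    public static void main(String[] args) {
        try { generateLossy(); } catch (Exception e) { System.out.println("lossy:   " + root(e)); }
        try { generateChained(); } catch (Exception e) { System.out.println("chained: " + root(e)); }
    }
}
```

Requires Java 9 or later for `Map.of`.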


