[PATCH FOR REVIEW] Allow multiple initialisation of NSS with different library directories to be a non-critical error

Vincent Ryan vincent.x.ryan at oracle.com
Tue Nov 27 20:38:14 UTC 2012


Adapting an existing test sounds good. There are several PKCS11 tests
that exercise NSS. They look in the usual places for the NSS libraries
and fail gracefully when NSS is not present.


On 27/11/2012 20:09, Andrew Hughes wrote:
> ----- Original Message -----
>> Hello Andrew,
>>
>> The code changes look fine. I will open a bug for this issue.
>> Is there a testcase available for this new option?
>>
>
> Hi Vincent,
>
> Sorry for the delayed reply.  There isn't a testcase as such and
> I've been meaning to find time to write one, but still haven't got
> round to it.  The problem where PKCS11 is initialised twice is
> actually shown by the current jtreg tests if PKCS11 is configured in
> java.security, so it may be possible to just adapt that test to explicitly
> try loading a second library.  But I guess it would have to assume
> the presence of a system NSS install.  It's one of those bugs that's
> easy to reproduce when you know the system and JDK configuration, but
> not just from a test :-)
>
>> Thanks.
>>
>>
>> On 7 Nov 2012, at 18:45, Andrew Hughes wrote:
>>
>>> The PKCS11 provider has an option in its configuration file,
>>> "handleStartupErrors" that can be used to make different types of
>>> failure non-critical (throwing a UnsupportedOperationException rather
>>> than a ProviderException).  By default, all failures are critical.
>>>
>>> This option is not available for the failure resulting from an
>>> attempt to try to load a provider with a different library directory
>>> to one that has already been loaded; such a failure is always critical.
>>>
>>> This webrev:
>>>
>>> http://cr.openjdk.java.net/~andrew/pkcs11-multiinit/webrev.01/
>>>
>>> simply extends the existing option so that this failure can be made
>>> non-critical. Both the existing IGNORE_ALL setting and the new
>>> IGNORE_MULTI_INIT setting will turn the failure into one which throws
>>> UnsupportedOperationException, resulting in the provider not being
>>> loaded rather than a JVM crash.
>>>
>>> This allows a default PKCS11 setup to be specified, which is then
>>> silently dropped if the user tries to load a conflicting setup
>>> (e.g. their own local NSS library).
>>>
>>> The patch is against tl at present.  I'll need a bug ID to push
>>> this if it looks ok.
>>>
>>> Thanks,
>>> --
>>> Andrew :)
>>>
>>> Free Java Software Engineer
>>> Red Hat, Inc. (http://www.redhat.com)
>>>
>>> PGP Key: 248BDC07 (https://keys.indymedia.org/)
>>> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
>>>
>>
>>
>



