RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Fri Aug 31 19:16:40 UTC 2018
Hi Martin,

In TestTLS12.java, you call the initSecmod() inside initialize() and
when initSecmod() returns false, you return from initialize() and
continue down the main(). Is this intentional? Other tests seem to be
skipping execution when initSecmod() returns false.

Changes in webrev.08 resolve 2 out of the 4 failure cases for
TestTLS12.java. However, when I submit the changes for testing, it
failed on some OS (see below):

macosx-x64:
> jib > STDOUT:
> jib > nssLibDir: /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
> jib > STDERR:
> jib > java.security.ProviderException: Could not initialize NSS
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
> jib > at java.base/java.security.AccessController.doPrivileged(Native Method)
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
> jib > at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
> jib > at TestTLS12.initialize(TestTLS12.java:416)
> jib > at TestTLS12.main(TestTLS12.java:84)
> jib > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> jib > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> jib > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> jib > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> jib > at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> jib > at java.base/java.lang.Thread.run(Thread.java:834)
> jib > Caused by: java.io.IOException: NSS initialization failed
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
> jib > at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
> jib > ... 13 more
> jib >
> jib > JavaTest Message: Test threw exception: java.security.ProviderException: Could not initialize NSS
windows-x64:
> jib > STDOUT:
> jib > nssLibDir: C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
> jib > STDERR:
> jib > java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
> jib > at java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
> jib > at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
> jib > at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
> jib > at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
> jib > at TestTLS12.initialize(TestTLS12.java:424)
> jib > at TestTLS12.main(TestTLS12.java:84)
> jib > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> jib > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> jib > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> jib > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> jib > at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> jib > at java.base/java.lang.Thread.run(Thread.java:834)
> jib >
> jib > JavaTest Message: Test threw exception: java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
Thanks,
Valerie
On 8/24/2018 5:00 AM, Martin Balao wrote:
> Hi Valerie,
>
> Thanks for your feedback.
>
> Webrev.08:
>
> * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.08
> * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.08.zip
>
> New in Webrev.08:
>
> * Rebased to latest JDK (rev fa378e035b81)
>
> * Test max lines length is now 80
>
> * Test now checks if SunPKCS11 provider initialization fails or if TLS
> 1.2 algorithms are not supported and exits without failing in that case
>
> Kind regards,
> Martin.-
>