RFR[11] JDK-8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found

sha.jiang at oracle.com
Tue Jul 24 06:10:26 UTC 2018


Hi Valerie,
Thanks for your review!
Please take a look at this new webrev: 
http://cr.openjdk.java.net/~jjiang/8206258/webrev.02

On 2018/7/24 06:18, Valerie Peng wrote:
> Hi John,
>
> Changes look fine.
>
> I just have one nit, perhaps add more information reporting when 
> skipping tests, e.g.
>
> PKCS11Test: line 163
Different tests may have different reasons for skipping testing.
So, it would be better to output the info in PKCS11Test's child classes.
In fact, the tests overriding the method PKCS11Test::skipTest already 
report the reasons respectively.

> TestNssDbSqlite.java: line 68.
Add the below line
            System.out.println("Cannot init security module database, skipping");

Best regards,
John Jiang
>
> Thanks,
> Valerie
>
> On 7/9/2018 12:38 AM, sha.jiang at oracle.com wrote:
>> Hi Thomas,
>> Thanks for your testing.
>>
>> I'm not sure that's a reasonable case.
>> From my view, PKCS11Test.java simply checks if the NSS library 
>> directory exists.
>> But it looks unnecessary to check every library file.
>> In fact, if removing libnss3 or libsoftokn3's dependencies, like 
>> libnssutil3, the test also fails.
>>
>> However, I still re-checked my previous solution, and made a new 
>> webrev [1].
>> The constant badNSSVersion in PKCS11Test.java may not be fine.
>> The static field nss_library in PKCS11Test.java can be softokn3 or 
>> nss3 for different tests.
>> badNSSVersion should be checked after the target nss library is 
>> determined.
>> And this checking should happen before the real testing, especially 
>> before security manager is enabled.
>> So, a new extension method, exactly PKCS11Test::skipTest, was 
>> introduced, and the affected tests were modified accordingly.
>>
>> [1] http://cr.openjdk.java.net/~jjiang/8206258/webrev.01/
>>
>> Best regards,
>> John Jiang
>>
>> On 2018/7/4 14:15, Thomas Stüfe wrote:
>>> Hi,
>>>
>>> Unfortunately this is not enough.
>>>
>>> Running tests with your patch and NSS libs disabled (I renamed
>>> libsoftokn3.so) yields the following errors:
>>>
>>> sun/security/pkcs11/Secmod/AddPrivateKey.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/AddTrustedCert.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/Crypto.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/GetPrivateKey.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/JksSetPrivateKey.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/LoadKeystore.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/TestNssDbSqlite.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>> sun/security/pkcs11/Secmod/TrustAnchors.java
>>>     Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not initialize NSS
>>>
>>>
>>> Excerpt from TestNssDbSqlite.jtr:
>>>
>>> ----------messages:(3/98)----------
>>> command: build TestNssDbSqlite
>>> reason: Named class compiled on demand
>>> elapsed time (seconds): 0.0
>>> result: Passed. All files up to date
>>>
>>> #section:main
>>> ----------messages:(5/721)----------
>>> command: main TestNssDbSqlite
>>> reason: User specified action: run main/othervm/timeout=120 TestNssDbSqlite
>>> Mode: othervm [/othervm specified]
>>> Additional options from @modules: --add-modules
>>> java.base,jdk.crypto.cryptoki --add-exports
>>> java.base/sun.security.rsa=ALL-UNNAMED --add-exports
>>> java.base/sun.security.provider=ALL-UNNAMED --add-exports
>>> java.base/sun.security.jca=ALL-UNNAMED --add-exports
>>> java.base/sun.security.tools.keytool=ALL-UNNAMED --add-exports
>>> java.base/sun.security.x509=ALL-UNNAMED --add-exports
>>> java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports
>>> jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED --add-opens
>>> jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED
>>> elapsed time (seconds): 0.445
>>> ----------configuration:(11/604)----------
>>> Boot Layer
>>>    add modules: java.base jdk.crypto.cryptoki
>>>    add exports: java.base/com.sun.crypto.provider ALL-UNNAMED
>>>                 java.base/sun.security.jca ALL-UNNAMED
>>>                 java.base/sun.security.provider ALL-UNNAMED
>>>                 java.base/sun.security.rsa ALL-UNNAMED
>>>                 java.base/sun.security.tools.keytool ALL-UNNAMED
>>>                 java.base/sun.security.x509 ALL-UNNAMED
>>>                 jdk.crypto.cryptoki/sun.security.pkcs11 ALL-UNNAMED
>>>    add opens:   jdk.crypto.cryptoki/sun.security.pkcs11 ALL-UNNAMED
>>>
>>> ----------System.out:(1/64)----------
>>> Warning: can't find NSS librarys on this machine, skipping test
>>> ----------System.err:(25/1633)----------
>>> java.security.ProviderException: Could not initialize NSS
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
>>> at PKCS11Test.getSunPKCS11(PKCS11Test.java:152)
>>> at TestNssDbSqlite.initializeProvider(TestNssDbSqlite.java:121)
>>> at TestNssDbSqlite.initialize(TestNssDbSqlite.java:112)
>>> at TestNssDbSqlite.main(TestNssDbSqlite.java:67)
>>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>> at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
>>> at java.base/java.lang.Thread.run(Thread.java:834)
>>> Caused by: java.io.IOException: NSS initialization failed
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
>>> at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
>>> ... 14 more
>>>
>>> Kind Regards, Thomas
>>>
>>>
>>> On Wed, Jul 4, 2018 at 7:36 AM,  <sha.jiang at oracle.com> wrote:
>>>> Hi,
>>>> If NSS libs are unavailable, PKCS11 tests fail when checking NSS 
>>>> version.
>>>> This patch tries to fix this issue.
>>>>
>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8206258
>>>> Webrev: http://cr.openjdk.java.net/~jjiang/8206258/webrev.00/
>>>>
>>>> Best regards,
>>>> John Jiang
>>>>
>>
>
>
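
The ordering discussed in this thread (resolve the target NSS library, decide whether to skip, and only then start the real test) as an added Java sketch; it is not code from the webrev or from PKCS11Test.java. The class NssPrecheck, its method names and the temporary directory are assumptions for illustration; it checks the library file itself rather than only its directory, the case reproduced above by renaming libsoftokn3.so.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical helper, not part of the JDK test library.
public class NssPrecheck {

    // Returns a skip reason, or empty if libFile is present and readable in
    // libDir. An existing directory alone is not treated as sufficient.
    // Missing dependencies of the library (e.g. libnssutil3, as noted in the
    // thread) are NOT detected by this file-level check.
    static Optional<String> skipReason(Path libDir, String libFile) {
        if (libDir == null || !Files.isDirectory(libDir)) {
            return Optional.of("NSS library directory not found: " + libDir);
        }
        Path lib = libDir.resolve(libFile);
        if (!Files.isRegularFile(lib) || !Files.isReadable(lib)) {
            return Optional.of("NSS library not found: " + lib);
        }
        return Optional.empty();
    }

    // Runs the precheck first; the test body (which may configure a provider
    // or enable a security manager) only runs when nothing is missing.
    static boolean runOrSkip(Path libDir, String libFile, Runnable test) {
        Optional<String> reason = skipReason(libDir, libFile);
        if (reason.isPresent()) {
            System.out.println(reason.get() + ", skipping");
            return false;
        }
        test.run();
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory standing in for the NSS lib dir.
        Path dir = Files.createTempDirectory("nss-demo");
        Path lib = Files.createFile(dir.resolve("libsoftokn3.so"));

        runOrSkip(dir, "libsoftokn3.so", () -> System.out.println("test ran"));

        // Renamed-library case: the directory exists, the file does not.
        Files.move(lib, dir.resolve("libsoftokn3.so.disabled"));
        runOrSkip(dir, "libsoftokn3.so", () -> System.out.println("test ran"));
    }
}
```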


