RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider

Martin Balao mbalao at redhat.com
Tue Sep 11 14:54:01 UTC 2018


Hi Valerie,

On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.peng at oracle.com>
wrote:

> Hi Martin,
>
> In TestTLS12.java, you call the initSecmod() inside initialize() and when
> initSecmod() returns false, you return from initialize() and continue down
> the main(). Is this intentional? Other tests seem to be skipping execution
> when initSecmod() returns false.
>

This test skips execution too. That's because the shouldRun method returns
false if the sunPKCS11NSSProvider variable is null (which it is if initSecmod
returns false).


>
> Changes in webrev.08 resolves 2 out of the 4 failure cases for
> TestTLS12.java. However, when I submit the changes for testing, it failed
> on some OS (see below):
>
> macosx-x64:
>
> jib > STDOUT:
>> jib > nssLibDir: /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
>> jib > STDERR:
>> jib > java.security.ProviderException: Could not initialize NSS
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
>> jib >   at java.base/java.security.AccessController.doPrivileged(Native Method)
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
>> jib >   at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
>> jib >   at TestTLS12.initialize(TestTLS12.java:416)
>> jib >   at TestTLS12.main(TestTLS12.java:84)
>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib >   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib >   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib >   at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib >   at java.base/java.lang.Thread.run(Thread.java:834)
>> jib > Caused by: java.io.IOException: NSS initialization failed
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
>> jib >   ... 13 more
>> jib >
>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: Could not initialize NSS
>>
>


> windows-x64:
>
> jib > STDOUT:
>> jib > nssLibDir: C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
>> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
>> jib > STDERR:
>> jib > java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
>> jib >   at java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
>> jib >   at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
>> jib >   at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
>> jib >   at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
>> jib >   at TestTLS12.initialize(TestTLS12.java:424)
>> jib >   at TestTLS12.main(TestTLS12.java:84)
>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib >   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib >   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib >   at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib >   at java.base/java.lang.Thread.run(Thread.java:834)
>> jib >
>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
>>
>
>
The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and
ClientJSSEServerJSSE) only run on Solaris. My guess is that these failures
are not particular to TestTLS12 but to NSS + FIPS support on these setups.
I won't be able to reproduce the macOS failure and I'm not sure if I'll be
able to reproduce in my Windows x86_64 environment.

I propose the following options:

 1) Make the test skip macOS & Windows x86_64 (and any other platform that
fails to initialize the SunPKCS11 provider)

 2) If you can provide access to a testing environment where I can
reproduce these failures, I can see what's happening

I intentionally want to use FIPS in NSS configuration because it represents
a real use case, and is what motivated us to support TLS 1.2 in SunPKCS11.
So, even though removing FIPS would be an option, I prefer not to take it.

Kind regards,
Martin.-