RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Wed Sep 12 00:20:59 UTC 2018
Hi, Martin,
I am ok with your option#1.
Note that your test fails at different places of the code, so you will
need to check and skip test execution before those exceptions are thrown.
Valerie
On 9/11/2018 7:54 AM, Martin Balao wrote:
> Hi Valerie,
>
> On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.peng at oracle.com> wrote:
>
> Hi Martin,
>
> In TestTLS12.java, you call the initSecmod() inside initialize()
> and when initSecmod() returns false, you return from initialize()
> and continue down the main(). Is this intentional? Other tests
> seem to be skipping execution when initSecmod() returns false.
>
>
> This test skips execution too. That's because shouldRun method returns
> false if sunPKCS11NSSProvider variable is null (which it is if
> initSecmod returns false).
>
>
> Changes in webrev.08 resolves 2 out of the 4 failure cases for
> TestTLS12.java. However, when I submit the changes for testing, it
> failed on some OS (see below):
>
> macosx-x64:
>
> jib > STDOUT:
> jib > nssLibDir:
> /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
> jib > STDERR:
> jib > java.security.ProviderException: Could not initialize NSS
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
> jib > at
> java.base/java.security.AccessController.doPrivileged(Native
> Method)
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
> jib > at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
> jib > at TestTLS12.initialize(TestTLS12.java:416)
> jib > at TestTLS12.main(TestTLS12.java:84)
> jib > at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> jib > at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> jib > at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> jib > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> jib > at
> com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> jib > at java.base/java.lang.Thread.run(Thread.java:834)
> jib > Caused by: java.io.IOException: NSS initialization failed
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
> jib > at
> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
> jib > ... 13 more
> jib >
> jib > JavaTest Message: Test threw exception:
> java.security.ProviderException: Could not initialize NSS
>
>
> windows-x64:
>
> jib > STDOUT:
> jib > nssLibDir:
> C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
> jib > STDERR:
> jib > java.security.ProviderException: SunJSSE already
> initialized in non-FIPS mode
> jib > at
> java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
> jib > at
> java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
> jib > at
> java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
> jib > at
> java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
> jib > at TestTLS12.initialize(TestTLS12.java:424)
> jib > at TestTLS12.main(TestTLS12.java:84)
> jib > at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> jib > at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> jib > at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> jib > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> jib > at
> com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> jib > at java.base/java.lang.Thread.run(Thread.java:834)
> jib >
> jib > JavaTest Message: Test threw exception:
> java.security.ProviderException: SunJSSE already initialized
> in non-FIPS mode
>
>
>
> The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and
> ClientJSSEServerJSSE) only run on Solaris. My guess is that these
> failures are not particular to TestTLS12 but to NSS + FIPS support on
> these setups. I won't be able to reproduce the macOS failure and I'm
> not sure if I'll be able to reproduce in my Windows x86_64 environment.
>
> I propose the following options:
>
> 1) Make the test skip macOS & Windows x86_64 (and any other platform
> that fails to initialize the SunPKCS11 provider)
>
> 2) If you can provide access to a testing environment where I can
> reproduce these failures, I can see what's happening
>
> I intentionally want to use FIPS in NSS configuration because it
> represents a real use case, and is what motivated us to support TLS
> 1.2 in SunPKCS11. So, even though removing FIPS would be an option, I
> prefer not to take it.
>
> Kind regards,
> Martin.-
>
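
Added example (not part of the thread and not the code in TestTLS12.java): one way to skip a test before the `ProviderException` seen in the macOS trace is thrown, by attempting the NSS FIPS configuration up front and treating a failure as "platform not supported". The class name, method name and the two directory arguments are hypothetical; the configuration attributes are standard SunPKCS11 NSS options.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidParameterException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Optional;

public class Pkcs11FipsSkipGuard {

    // Returns the configured provider, or empty when NSS cannot be
    // initialized in FIPS mode on this platform (caller should skip).
    static Optional<Provider> tryNssFipsProvider(Path nssLibDir, Path nssDbDir)
            throws IOException {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            return Optional.empty(); // SunPKCS11 is not available in this runtime
        }
        // Constructed configuration; both directories are caller-supplied assumptions.
        String cfg = String.join("\n",
                "name = NSSKeyStore",
                "nssLibraryDirectory = " + nssLibDir,
                "nssSecmodDirectory = " + nssDbDir,
                "nssModule = fips",
                "");
        Path cfgFile = Files.createTempFile("nss-fips", ".cfg");
        try {
            Files.writeString(cfgFile, cfg);
            // configure() is where "Could not initialize NSS" surfaces.
            return Optional.of(base.configure(cfgFile.toString()));
        } catch (ProviderException | InvalidParameterException e) {
            System.out.println("NSS FIPS init failed, skipping: " + e);
            return Optional.empty();
        } finally {
            Files.deleteIfExists(cfgFile);
        }
    }

    public static void main(String[] args) throws Exception {
        Optional<Provider> p = tryNssFipsProvider(Path.of(args[0]), Path.of(args[1]));
        if (p.isEmpty()) {
            return; // skip: return normally instead of failing the test
        }
        System.out.println("SunPKCS11 provider: " + p.get().getName());
        // ... the TLS 1.2 test body would run here ...
    }
}
```

This guard covers only the provider-initialization failure; the SunJSSE FIPS-mode failure in the Windows trace occurs at a later point and is not handled by it.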