RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider

Martin Balao mbalao at redhat.com
Wed Sep 12 11:22:58 UTC 2018


Hi Valerie,

Thanks for your answer.

Webrev.09:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09/
 * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09.zip

In TestTLS12.java, we now capture any exception during the initialization
phase and skip test execution if that happens.

Kind regards,
Martin.-

On Wed, Sep 12, 2018 at 2:20 AM, Valerie Peng <valerie.peng at oracle.com>
wrote:

> Hi, Martin,
> I am ok with your option#1.
> Note that your test fails at different places of the code, so you will
> need to check and skip test execution before those exceptions are thrown.
>
> Valerie
>
>
> On 9/11/2018 7:54 AM, Martin Balao wrote:
>
> Hi Valerie,
>
> On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.peng at oracle.com>
> wrote:
>
>> Hi Martin,
>>
>> In TestTLS12.java, you call the initSecmod() inside initialize() and when
>> initSecmod() returns false, you return from initialize() and continue down
>> the main(). Is this intentional? Other tests seem to be skipping execution
>> when initSecmod() returns false.
>>
>
> This test skips execution too. That's because shouldRun method returns
> false if sunPKCS11NSSProvider variable is null (which it is if initSecmod
> returns false).
>
>
>>
>> Changes in webrev.08 resolve 2 out of the 4 failure cases for
>> TestTLS12.java. However, when I submit the changes for testing, it failed
>> on some OS (see below):
>>
>> macosx-x64:
>>
>>> jib > STDOUT:
>>> jib > nssLibDir: /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
>>> jib > STDERR:
>>> jib > java.security.ProviderException: Could not initialize NSS
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
>>> jib >   at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
>>> jib >   at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
>>> jib >   at TestTLS12.initialize(TestTLS12.java:416)
>>> jib >   at TestTLS12.main(TestTLS12.java:84)
>>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> jib >   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> jib >   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>> jib >   at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>>> jib >   at java.base/java.lang.Thread.run(Thread.java:834)
>>> jib > Caused by: java.io.IOException: NSS initialization failed
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
>>> jib >   at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
>>> jib >   ... 13 more
>>> jib >
>>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: Could not initialize NSS
>>>
>>
>
>
>> windows-x64:
>>
>>> jib > STDOUT:
>>> jib > nssLibDir: C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
>>> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
>>> jib > STDERR:
>>> jib > java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
>>> jib >   at java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
>>> jib >   at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
>>> jib >   at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
>>> jib >   at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
>>> jib >   at TestTLS12.initialize(TestTLS12.java:424)
>>> jib >   at TestTLS12.main(TestTLS12.java:84)
>>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> jib >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> jib >   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> jib >   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>> jib >   at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>>> jib >   at java.base/java.lang.Thread.run(Thread.java:834)
>>> jib >
>>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
>>>
>>
>>
> The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and
> ClientJSSEServerJSSE) only run on Solaris. My guess is that these failures
> are not particular to TestTLS12 but to NSS + FIPS support on these setups.
> I won't be able to reproduce the macOS failure and I'm not sure if I'll be
> able to reproduce in my Windows x86_64 environment.
>
> I propose the following options:
>
>  1) Make the test skip macOS & Windows x86_64 (and any other platform that
> fails to initialize the SunPKCS11 provider)
>
>  2) If you can provide access to a testing environment where I can
> reproduce these failures, I can see what's happening
>
> I intentionally want to use FIPS in NSS configuration because it
> represents a real use case, and is what motivated us to support TLS 1.2 in
> SunPKCS11. So, even though removing FIPS would be an option, I prefer not
> to take it.
>
> Kind regards,
> Martin.-
>
>
>