RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Tue Sep 18 23:52:09 UTC 2018
Test update looks fine and regression test run is clear. I have no more
comments.
Thanks,
Valerie
On 9/12/2018 4:22 AM, Martin Balao wrote:
> Hi Valerie,
>
> Thanks for your answer.
>
> Webrev.09:
>
> * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09/
> * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09.zip
>
> In TestTLS12.java, we now capture any exception during initialization
> phase and skip test execution if that happens.
>
> Kind regards,
> Martin.-
>
> On Wed, Sep 12, 2018 at 2:20 AM, Valerie Peng <valerie.peng at oracle.com> wrote:
>
> Hi, Martin,
>
> I am ok with your option#1.
> Note that your test fails at different places of the code, so you
> will need to check and skip test execution before those exceptions
> are thrown.
>
> Valerie
>
>
> On 9/11/2018 7:54 AM, Martin Balao wrote:
>> Hi Valerie,
>>
>> On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng
>> <valerie.peng at oracle.com> wrote:
>>
>> Hi Martin,
>>
>> In TestTLS12.java, you call the initSecmod() inside
>> initialize() and when initSecmod() returns false, you return
>> from initialize() and continue down the main(). Is this
>> intentional? Other tests seem to be skipping execution when
>> initSecmod() returns false.
>>
>>
>> This test skips execution too. That's because shouldRun method
>> returns false if sunPKCS11NSSProvider variable is null (which it
>> is if initSecmod returns false).
>>
>>
>> Changes in webrev.08 resolve 2 out of the 4 failure cases
>> for TestTLS12.java. However, when I submit the changes for
>> testing, it failed on some OS (see below):
>>
>> macosx-x64:
>>
>> jib > STDOUT:
>> jib > nssLibDir:
>> /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
>> jib > STDERR:
>> jib > java.security.ProviderException: Could not
>> initialize NSS
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
>> jib > at
>> java.base/java.security.AccessController.doPrivileged(Native
>> Method)
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
>> jib > at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
>> jib > at TestTLS12.initialize(TestTLS12.java:416)
>> jib > at TestTLS12.main(TestTLS12.java:84)
>> jib > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>> jib > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib > at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib > at
>> java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib > at
>> com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib > at java.base/java.lang.Thread.run(Thread.java:834)
>> jib > Caused by: java.io.IOException: NSS initialization
>> failed
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
>> jib > at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
>> jib > ... 13 more
>> jib >
>> jib > JavaTest Message: Test threw exception:
>> java.security.ProviderException: Could not initialize NSS
>>
>>
>> windows-x64:
>>
>> jib > STDOUT:
>> jib > nssLibDir:
>> C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
>> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
>> jib > STDERR:
>> jib > java.security.ProviderException: SunJSSE already
>> initialized in non-FIPS mode
>> jib > at
>> java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
>> jib > at
>> java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
>> jib > at
>> java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
>> jib > at
>> java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
>> jib > at TestTLS12.initialize(TestTLS12.java:424)
>> jib > at TestTLS12.main(TestTLS12.java:84)
>> jib > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>> jib > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib > at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib > at
>> java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib > at
>> com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib > at java.base/java.lang.Thread.run(Thread.java:834)
>> jib >
>> jib > JavaTest Message: Test threw exception:
>> java.security.ProviderException: SunJSSE already
>> initialized in non-FIPS mode
>>
>>
>>
>> The 2 tests that initialize NSS in FIPS mode (TrustManagerTest
>> and ClientJSSEServerJSSE) only run on Solaris. My guess is that
>> these failures are not particular to TestTLS12 but to NSS + FIPS
>> support on these setups. I won't be able to reproduce the macOS
>> failure and I'm not sure if I'll be able to reproduce in my
>> Windows x86_64 environment.
>>
>> I propose the following options:
>>
>> 1) Make the test skip macOS & Windows x86_64 (and any other
>> platform that fails to initialize the SunPKCS11 provider)
>>
>> 2) If you can provide access to a testing environment where I
>> can reproduce these failures, I can see what's happening
>>
>> I intentionally want to use FIPS in NSS configuration because it
>> represents a real use case, and is what motivated us to support
>> TLS 1.2 in SunPKCS11. So, even though removing FIPS would be an
>> option, I prefer not to take it.
>>
>> Kind regards,
>> Martin.-
>>
>
>
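
The skip-on-initialization-failure approach agreed on in this thread (option 1), sketched as an added example; it is not code from TestTLS12.java or from the webrev. The class name and the NSS paths are placeholders, and the `SunTls12` prefix filter assumes the JDK's naming for its TLS 1.2 key generators.

```java
import java.security.Provider;
import java.security.Security;
import java.util.List;
import java.util.stream.Collectors;

public class Pkcs11FipsInitOrSkip {
    // Placeholder paths (assumptions): a local NSS build and an NSS database.
    static final String NSS_LIB_DIR = "/path/to/nss/lib";
    static final String NSS_DB_DIR = "/path/to/nssdb";

    // Returns the configured provider, or null if the test should be skipped.
    static Provider initProvider() {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.out.println("SunPKCS11 is not available in this runtime");
            return null;
        }
        // A leading "--" makes configure() read the argument as inline
        // configuration text instead of a configuration file name.
        String cfg = "--name = NSSFips\n"
                + "nssLibraryDirectory = " + NSS_LIB_DIR + "\n"
                + "nssSecmodDirectory = " + NSS_DB_DIR + "\n"
                + "nssModule = fips\n";
        try {
            return base.configure(cfg);
        } catch (RuntimeException e) {
            // Covers ProviderException ("Could not initialize NSS") and bad config.
            System.out.println("Provider initialization failed: " + e);
            return null;
        }
    }

    // TLS 1.2 key generators the token exposes (assumed "SunTls12" prefix).
    static List<String> tls12Services(Provider p) {
        return p.getServices().stream()
                .filter(s -> s.getType().equals("KeyGenerator"))
                .map(Provider.Service::getAlgorithm)
                .filter(a -> a.startsWith("SunTls12"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Provider p = initProvider();
        if (p == null) {
            System.out.println("Skipping: NSS in FIPS mode is not usable here");
            return;
        }
        System.out.println(p.getName() + " TLS 1.2 services: " + tls12Services(p));
    }
}
```

A skip implemented this way hides real regressions on platforms where initialization used to succeed, so the skip message should be visible in the test log and reviewed when the set of skipping platforms changes.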