RFR [XS] 8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using mozilla-nss-3.14

Langer, Christoph christoph.langer at sap.com
Mon Sep 23 13:52:48 UTC 2019

Hi Matthias,

generally I agree that it's a good idea to have more diagnostic output in case of failures in this test.

But, given that there's an upgrade path even on our old Linux SLES 11.3 system to a newer libnss that has a fix for the bug that we observe, I suggest that the test should still fail with libnss 3.14. So I suggest you only add the line

System.out.println("Exception occured using " + p.getName() + " version " + ver);

and maybe a comment stating that libnss 3.14 on Linux isn't good for this test.

BTW, if you want to clean up the testcase a bit, you might remove line 36, import java.math.*; because it's not needed. Or replace all the imports with:

import java.security.GeneralSecurityException;

import java.security.Provider;

import java.util.Arrays;

import javax.crypto.Cipher;

import javax.crypto.SecretKey;

import javax.crypto.spec.GCMParameterSpec;

import javax.crypto.spec.SecretKeySpec;



From: Baesken, Matthias <matthias.baesken at sap.com>
Sent: Montag, 23. September 2019 15:16
To: security-dev at openjdk.java.net
Cc: Langer, Christoph <christoph.langer at sap.com>; Zeller, Arno <arno.zeller at sap.com>
Subject: RFR [XS] 8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using mozilla-nss-3.14

Hello,  please review  this small test related change .

We  noticed that  on our SLES (SuSE Linux) 11   test  machines, the test


fails when older nss versions  are used on the system , especially  nss 3.14 .

The used package is named   mozilla-nss-3.14 .
Upgrading to newer versions (e.g. 3.20)   makes the test succeed , so it might be helpful
to add a check in the test like it is done already for old nss versions on Solaris.

(nss  3.15  contains a couple  of  AES cipher with GCM    related fixes, those might be the ones needed to run the test successfully ).

Bug/webrev :



Thanks, Matthias

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20190923/d38accba/attachment-0001.html>

More information about the security-dev mailing list