RFR [XS] 8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using mozilla-nss-3.14

Valerie Peng valerie.peng at oracle.com
Tue Sep 24 21:29:48 UTC 2019 

Hi Matthias,

The output on line 324 may report inconsistent info - the provider in 
use may not be NSS but yet you put NSS version with provider name?

Since you are updating the code here, how about re-org the code a bit 
and first check for whether NSS provider is used then do the various 
version-specific handling.

Regards,

Valerie


On 9/24/2019 5:39 AM, Langer, Christoph wrote:
>
> Hi Matthias,
>
> looks good to me.
>
> One minor style nit: You could close the else case in line 335 with 
> “}” and then have just one throw e; after the whole if else block.
>
> Best regards
>
> Christoph
>
> *From:*Baesken, Matthias <matthias.baesken at sap.com>
> *Sent:* Dienstag, 24. September 2019 10:30
> *To:* Langer, Christoph <christoph.langer at sap.com>; 
> security-dev at openjdk.java.net
> *Cc:* Zeller, Arno <arno.zeller at sap.com>
> *Subject:* RE: RFR [XS] 8231357: 
> sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using 
> mozilla-nss-3.14
>
> New webrev :
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8231357.1/
>
> I adjusted the imports and  now output a warning .
>
> Best regards, Matthias
>
> *From:*Baesken, Matthias
> *Sent:* Montag, 23. September 2019 16:07
> *To:* Langer, Christoph <christoph.langer at sap.com 
> <mailto:christoph.langer at sap.com>>; security-dev at openjdk.java.net 
> <mailto:security-dev at openjdk.java.net>
> *Cc:* Zeller, Arno <arno.zeller at sap.com <mailto:arno.zeller at sap.com>>
> *Subject:* RE: RFR [XS] 8231357: 
> sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using 
> mozilla-nss-3.14
>
> Hi Christoph,   I am okay  with your suggestion to   just  print  a  
> message in  case that  an  older nss lib  < 3.15 is found ; however   
> let’s  see what others think .
>
> (but for Solaris  we let the test pass when   noticing  old nss 
> versions , so I thought  it might make some sense to behave on Linux 
> in the same way )
>
> Best regards, Matthias
>
> *From:*Langer, Christoph <christoph.langer at sap.com 
> <mailto:christoph.langer at sap.com>>
> *Sent:* Montag, 23. September 2019 15:53
> *To:* Baesken, Matthias <matthias.baesken at sap.com 
> <mailto:matthias.baesken at sap.com>>; security-dev at openjdk.java.net 
> <mailto:security-dev at openjdk.java.net>
> *Cc:* Zeller, Arno <arno.zeller at sap.com <mailto:arno.zeller at sap.com>>
> *Subject:* RE: RFR [XS] 8231357: 
> sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using 
> mozilla-nss-3.14
>
> Hi Matthias,
>
> generally I agree that it’s a good idea to have more diagnostic output 
> in case of failures in this test.
>
> But, given that there’s an upgrade path even on our old Linux SLES 
> 11.3 system to a newer libnss that has a fix for the bug that we 
> observe, I suggest that the test should still fail with libnss 3.14. 
> So I suggest you only add the line
>
> System.out.println("Exception occured using " + p.getName() + " 
> version " + ver);
>
> and maybe a comment stating that libnss 3.14 on Linux isn’t good for 
> this test.
>
> BTW, if you want to clean up the testcase a bit, you might remove line 
> 36, import java.math.*; because it’s not needed. Or replace all the 
> imports with:
>
> import java.security.GeneralSecurityException;
>
> import java.security.Provider;
>
> import java.util.Arrays;
>
> import javax.crypto.Cipher;
>
> import javax.crypto.SecretKey;
>
> import javax.crypto.spec.GCMParameterSpec;
>
> import javax.crypto.spec.SecretKeySpec;
>
> Thanks
>
> Christoph
>
> *From:*Baesken, Matthias <matthias.baesken at sap.com 
> <mailto:matthias.baesken at sap.com>>
> *Sent:* Montag, 23. September 2019 15:16
> *To:* security-dev at openjdk.java.net <mailto:security-dev at openjdk.java.net>
> *Cc:* Langer, Christoph <christoph.langer at sap.com 
> <mailto:christoph.langer at sap.com>>; Zeller, Arno <arno.zeller at sap.com 
> <mailto:arno.zeller at sap.com>>
> *Subject:* RFR [XS] 8231357: 
> sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using 
> mozilla-nss-3.14
>
> Hello,  please review  this small test related change .
>
> We  noticed that  on our SLES (SuSE Linux) 11   test  machines, the test
>
> sun/security/pkcs11/Cipher/TestKATForGCM.java
>
> fails when older nss versions  are used on the system , especially 
>  nss 3.14 .
>
>
> The used package is named   mozilla-nss-3.14 .
> Upgrading to newer versions (e.g. 3.20)   makes the test succeed , so 
> it might be helpful
> to add a check in the test like it is done already for old nss 
> versions on Solaris.
>
> (nss  3.15 contains a couple  of  AES cipher with GCM   related fixes, 
> those might be the ones needed to run the test successfully ).
>
> Bug/webrev :
>
> https://bugs.openjdk.java.net/browse/JDK-8231357
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8231357.0/
>
> Thanks, Matthias
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190924/d00ea067/attachment.htm>

More information about the security-dev mailing list