RFR: 8312428: PKCS11 tests fail with NSS 3.91

Rajan Halade rhalade at openjdk.org
Thu Aug 10 18:25:28 UTC 2023


On Thu, 10 Aug 2023 00:56:56 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Starting NSS v3.91, SHA-3 support is added for MessageDigest but not for PSS Signature. This breaks existing test assumptions made by PSS regression tests. In addition, the NSS SHA-3 message digests do not support cloning which causes the failure of TestCloning.java.
> 
> This PR adds a PSSUtil.java class which provides utility method for detecting/guessing whether a digest algorithm is valid for PSS signature or not.
> 
> The changes are verified with NSS v3.46, v3.57 and v3.91 (on local Linux machine).
> 
> Thanks in advance for review~

test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java line 26:

> 24: /*
> 25:  * @test
> 26:  * @bug 6414899 8242332 8312428

No need to add bug id for test only updates.

test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java line 67:

> 65:             } catch (CloneNotSupportedException cnse) {
> 66:                 // skip test if clone isn't supported
> 67:                 System.out.println("=> Clone not supported; skip!");

Can you please update the test to throw SkippedException if no digest algorithms are found to not support clone? This would help us with coverage analysis.

test/jdk/sun/security/pkcs11/PSSUtil.java line 24:

> 22:  */
> 23: import java.security.*;
> 24: import java.security.interfaces.*;

Please remove unused imports

test/jdk/sun/security/pkcs11/PSSUtil.java line 34:

> 32:     private static final String KEYALG = "RSA";
> 33:     private static final String SIGALG = "RSASSA-PSS";
> 34:     private static final String[] DIGESTS = {

is this constant used anywhere or supposed to be used?

test/jdk/sun/security/pkcs11/PSSUtil.java line 59:

> 57:         for (String h : hashAlgs) {
> 58:             String sigAlg = (h.startsWith("SHA3-")?
> 59:                     h : h.replace("-","")) + "withRSASSA-PSS";

Suggestion:

            String sigAlg = (h.startsWith("SHA3-") ?
                    h : h.replace("-", "")) + "withRSASSA-PSS";

test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java line 51:

> 49:     public void main(Provider p) throws Exception {
> 50:         if (!PSSUtil.isSignatureSupported(p)) {
> 51:             System.out.println("Skip testing RSASSA-PSS" +

Update to throw SkippedException.

test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java line 75:

> 73:         runTest(p, 1040, "SHA3-512", "SHA3-256");
> 74:         runTest(p, 1040, "SHA3-512", "SHA3-384");
> 75:         runTest(p, 1040, "SHA3-512", "SHA3-512");

Similar check can be added here to throw SkippedException if all runTest call skip testing.

test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java line 129:

> 127:         sig.setParameter(paramsGood);
> 128:         sig.initVerify(pub);
> 129:         System.out.println("test#2: good params pass");

Either add a `test#1` message after `initSign` test or update this to remove `#2`

test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java line 66:

> 64:     public void main(Provider p) throws Exception {
> 65:         if (!PSSUtil.isSignatureSupported(p)) {
> 66:             System.out.println("Skip testing RSASSA-PSS" +

throw SkippedException here.

test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java line 83:

> 81:                             PSSUtil.isHashSupported(p, hash, mgfHash);
> 82:                     if (s == PSSUtil.AlgoSupport.NO) {
> 83:                         System.out.println("    => Skip; no support");

Similar request here to mark test as skipped if all algorithms are not supported.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290485564
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290488107
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290509833
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290510886
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290513331
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290490575
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290492472
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290494138
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290496752
PR Review Comment: https://git.openjdk.org/jdk/pull/15217#discussion_r1290497611



More information about the security-dev mailing list