RFR: 8361711: Add library name configurability to PKCS11Test.java
Thomas Fitzsimmons
duke at openjdk.org
Tue Aug 5 23:09:02 UTC 2025
On Mon, 4 Aug 2025 17:32:38 GMT, Rajan Halade <rhalade at openjdk.org> wrote:
>> This patch adds configurability to `PKCS11Test.java`.
>>
>> Specifically, it adds two new system properties:
>>
>> - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the `nss_library` field. Prior to this patch, `nss_library` was set to either `"softokn3"` or `"nss3"`.
>>
>> - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load. Prior to this patch, test cases that wanted to run `NSS` in sensitive mode would hard-code `p11-nss-sensitive.txt` on their command lines.
>>
>> The patch updates the three `p11-nss-sensitive.txt`-using test cases to use the new `CUSTOM_P11_CONFIG_VARIANT` property:
>>
>>
>> test/jdk/java/security/KeyAgreement/Generic.java
>> test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java
>> test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java
>>
>>
>> I have been using this change to run `PKCS11Test.java` against the [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using this invocation:
>>
>>
>> make test \
>> JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt \
>> -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \
>> -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \
>> -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration"
>>
>>
>> `/tmp/kryoptic-configuration` contains (among other files):
>>
>>
>> libkryoptic_pkcs11.so
>> p11-kryoptic.txt
>> p11-kryoptic-sensitive.txt
>>
>>
>> With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find `libkryoptic_pkcs11.so`.
>>
>> And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` property.
>>
>> On my `Fedora 42` `x86-64` machine, I tested for regressions with:
>>
>> $ time make test JOBS=4 JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" TEST="test/jdk/sun/security/pkcs11"
>>
>> and:
>>
>> $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11"
>
> Will you also include p11-kryoptic.txt and p11-kryoptic-sensitive.txt configuration files for Kryoptic library so others can also run this interoperability? And do the current P11-NSS tests continue to work as expected?
Thank you for taking a look, @rhalade.
> Will you also include p11-kryoptic.txt and p11-kryoptic-sensitive.txt configuration files for Kryoptic library so others can also run this interoperability?
I had not planned to yet (i.e., not with this patch). Eventually I think doing so will make sense, once we settle on the Kryoptic configuration that best suits `OpenJDK`.
For reference in the meantime, the `Kryoptic` project is running their continuous integration with the following configuration files:
https://github.com/latchset/kryoptic/blob/main/testdata/openjdk/p11-kryoptic.txt
https://github.com/latchset/kryoptic/blob/main/testdata/openjdk/p11-kryoptic-sensitive.txt
> And do the current P11-NSS tests continue to work as expected?
Yes, I checked for differences in `.jtr` files produced by the following invocation:
time make test JOBS=4 JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64 --enable-native-access=ALL-UNNAMED" TEST="test/jdk/sun/security/pkcs11 test/jdk/java/security/KeyAgreement/Generic.java"
on commit b65fdf5af0a5e1cf0d66d7551c6df63e8d07c5fa (i.e., without my patch) and on commit 780a630af938edeab3d8c5c895c92f2243814ede (i.e., with my patch).
(The `--enable-native-access=ALL-UNNAMED` argument is not strictly required, but reduces noise in the diffs; without it, both with and without my patch, tests mostly print the following warning, but sometimes do not; which tests do and do not changes from run to run:
WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by PKCS11Test in an unnamed module (file:/[...])
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled
I am not sure what's going on there.)
The only differences are the configuration file lines printed in the `.jtr` files, for example, `TestRSAKeyLength.jtr` has a new line:
Configuration file: ./nss/p11-nss.txt
-------------
PR Comment: https://git.openjdk.org/jdk/pull/26325#issuecomment-3156881829
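For readers who want to see the moving parts behind the invocation above without pulling the full jtreg harness, the following stand-alone Java program is an added illustration, not code from PKCS11Test.java, the patch, or the Kryoptic project. It resolves a PKCS#11 library and configuration file from the same system properties the thread discusses, loads SunPKCS11 against them and pushes one digest through the token as a smoke check. Assumptions (none of them confirmed by the thread): the class name P11Config; that a configuration variant is named "<base>-<variant>.txt" (p11-kryoptic.txt plus "sensitive" gives p11-kryoptic-sensitive.txt); that the configuration file references the library as "library = ${pkcs11LibPath}", so the resolved path is published as that system property before SunPKCS11 expands it; and the defaults "softokn3" and /usr/lib64, chosen to mirror the pre-patch NSS behaviour described in the PR text.

```java
import java.io.FileNotFoundException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.HexFormat;

/**
 * Added illustration, not code from PKCS11Test.java or the patch: resolve a
 * PKCS#11 library and configuration file from the properties discussed in the
 * thread, load SunPKCS11 against them, and run one operation through the token.
 */
public final class P11Config {

    /**
     * Derive the variant file name: p11-kryoptic.txt + "sensitive" gives
     * p11-kryoptic-sensitive.txt. The "<base>-<variant><ext>" rule is an
     * assumption made for this example; the patch's actual rule is not shown.
     */
    static Path variantOf(Path config, String variant) {
        if (variant == null || variant.isBlank()) {
            return config;
        }
        String name = config.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String base = dot < 0 ? name : name.substring(0, dot);
        String ext = dot < 0 ? "" : name.substring(dot);
        return config.resolveSibling(base + "-" + variant + ext);
    }

    /**
     * Map a bare library name to the platform file name, e.g.
     * "kryoptic_pkcs11" -> libkryoptic_pkcs11.so on Linux.
     */
    static Path libraryOf(Path libDir, String libraryName) {
        return libDir.resolve(System.mapLibraryName(libraryName));
    }

    /**
     * Configure SunPKCS11 from a config file. Assumes the file references the
     * library as "library = ${pkcs11LibPath}", so the resolved path is
     * published as a system property before configure() expands it.
     */
    static Provider load(Path config, Path library) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException(
                "SunPKCS11 not present (jdk.crypto.cryptoki module missing?)");
        }
        System.setProperty("pkcs11LibPath", library.toAbsolutePath().toString());
        Provider configured = base.configure(config.toAbsolutePath().toString());
        Security.addProvider(configured);
        return configured;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are assumptions mirroring the pre-patch behaviour described in
        // the thread (NSS softoken under /usr/lib64); each can be overridden with -D.
        String libName = System.getProperty("CUSTOM_P11_LIBRARY_NAME", "softokn3");
        String variant = System.getProperty("CUSTOM_P11_CONFIG_VARIANT");
        Path libDir = Path.of(System.getProperty(
            "jdk.test.lib.artifacts.nsslib-linux_x64", "/usr/lib64"));
        Path baseConfig = Path.of(System.getProperty("CUSTOM_P11_CONFIG", "p11-nss.txt"));

        Path library = libraryOf(libDir, libName);
        Path config = variantOf(baseConfig, variant);

        // Fail early with a precise message rather than a CKR_* error from the token.
        if (!Files.isRegularFile(library)) {
            throw new FileNotFoundException("PKCS#11 library not found: " + library);
        }
        if (!Files.isRegularFile(config)) {
            throw new FileNotFoundException("PKCS#11 configuration not found: " + config);
        }
        System.out.println("Library:            " + library);
        System.out.println("Configuration file: " + config);

        Provider p = load(config, library);
        // One real call through the token proves the native library actually loaded.
        MessageDigest md = MessageDigest.getInstance("SHA-256", p);
        byte[] digest = md.digest("abc".getBytes(StandardCharsets.US_ASCII));
        System.out.println(p.getName() + " SHA-256(\"abc\") = "
            + HexFormat.of().formatHex(digest));
    }
}
```

Run it as a single-file program, passing the same properties the thread's make invocation hands to jtreg, for example:
java -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 -DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt -DCUSTOM_P11_CONFIG_VARIANT=sensitive -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration P11Config.java
Omitting CUSTOM_P11_CONFIG_VARIANT selects the plain configuration; setting it to "sensitive" selects the -sensitive file, which is the split the three updated test cases rely on. The two existence checks run before SunPKCS11 is touched, so a wrong library name or a missing variant file surfaces as a file-not-found error naming the path instead of a provider initialisation failure.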