RFR: 8225739: sun/security/pkcs11/tls/tls12/FipsModeTLS12.java is not reliable [v2]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Mon Oct 13 22:11:09 UTC 2025 

On Fri, 7 Feb 2025 20:49:09 GMT, Rajan Halade <rhalade at openjdk.org> wrote:

>> Martin Balao Alonso has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains two commits:
>> 
>>  - Merge openjdk:master
>>    
>>    Fix trivial conflict in the copyright of the test.
>>    
>>    Old path:
>>    test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java
>>    
>>    New path:
>>    test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java
>>  - 8225739: sun/security/pkcs11/tls/tls12/FipsModeTLS12.java is not reliable.
>
> test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java line 95:
> 
>> 93:                 System.out.println(e);
>> 94:             }
>> 95:             throw new SkippedException("Test skipped: failure during " +
> 
> I think we should update test to fail if call to `initialize` fails with any other exception than `SkippedException` which is thrown from call to `initSecmod` if NSS library fails. So you can remove try-catch here.

Hi @rhalade,

I'm continuing with @martinuy's work on this issue. Are you sure the [`loadNSPR` failure inside `initSecmod`](https://github.com/openjdk/jdk/blob/jdk-26+19/test/jdk/sun/security/pkcs11/SecmodTest.java#L48-L51) is the only case we are observing in [JDK-8225739](https://bugs.openjdk.org/browse/JDK-8225739 "sun/security/pkcs11/tls/tls12/FipsModeTLS12.java is not reliable")?

I'm asking because [the previous `getNSSLibDir` call](https://github.com/openjdk/jdk/blob/jdk-26+19/test/jdk/sun/security/pkcs11/SecmodTest.java#L47) can also fail in the following cases:

* When pointing the test to find NSS inside a nonexistent directory:
  ```
  java.nio.file.NoSuchFileException: /tmp/lib64
      at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
      at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:108)
      at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:113)
      at java.base/sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:57)
      at java.base/sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:162)
      at java.base/sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99)
      at java.base/java.nio.file.Files.readAttributes(Files.java:1702)
      at java.base/java.nio.file.FileTreeWalker.getAttributes(FileTreeWalker.java:216)
      at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:268)
      at java.base/java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:306)
      at java.base/java.nio.file.FileTreeIterator.<init>(FileTreeIterator.java:69)
      at java.base/java.nio.file.Files.find(Files.java:3649)
      at PKCS11Test.findNSSLibrary(PKCS11Test.java:792)
      at PKCS11Test.fetchNssLib(PKCS11Test.java:788)
      at PKCS11Test.fetchNssLib(PKCS11Test.java:767)
      at PKCS11Test.getNSSLibPath(PKCS11Test.java:257)
      at PKCS11Test.getNSSLibDir(PKCS11Test.java:243)
      at PKCS11Test.getNSSLibDir(PKCS11Test.java:239)
      at SecmodTest.initSecmod(SecmodTest.java:47)
      at FipsModeTLS.initialize(FipsModeTLS.java:448)
      ... 5 more
  ```
* When pointing the test to find NSS inside an empty directory:
  ```
  java.lang.RuntimeException: NSS library "libnss3.so" was not found in /tmp/lib64
      at PKCS11Test.lambda$findNSSLibrary$1(PKCS11Test.java:797)
      at java.base/java.util.Optional.orElseThrow(Optional.java:403)
      at PKCS11Test.findNSSLibrary(PKCS11Test.java:796)
      at PKCS11Test.fetchNssLib(PKCS11Test.java:788)
      at PKCS11Test.fetchNssLib(PKCS11Test.java:767)
      at PKCS11Test.getNSSLibPath(PKCS11Test.java:257)
      at PKCS11Test.getNSSLibDir(PKCS11Test.java:243)
      at PKCS11Test.getNSSLibDir(PKCS11Test.java:239)
      at SecmodTest.initSecmod(SecmodTest.java:47)
      at FipsModeTLS.initialize(FipsModeTLS.java:448)
      ... 5 more
  ```
* When using a flawed library (`libnss3.so` and `libsoftokn3.so` replaced by unrelated libraries):
  ```
  java.lang.NullPointerException: Symbol not found: NSS_VersionCheck
      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.nssVersionCheck(Native Method)
      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.fetchVersions(Secmod.java:120)
      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:231)
      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:220)
      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:125)
      at PKCS11Test.getSunPKCS11(PKCS11Test.java:158)
      at PKCS11Test.getSunPKCS11(PKCS11Test.java:150)
      at FipsModeTLS.initialize(FipsModeTLS.java:451)
      ... 5 more
  ```

How about the following change?


diff --git a/test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java b/test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java
index 1aece0a00e9..c8a9fe14419 100644
--- a/test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java
+++ b/test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java
@@ -92,15 +92,7 @@ public static void main(String[] args) throws Exception {
         // reduce the limit to trigger a key update later
         Security.setProperty("jdk.tls.keyLimits",
                 "AES/GCM/NoPadding KeyUpdate 10000");
-        try {
-            initialize();
-        } catch (Exception e) {
-            if (enableDebug) {
-                System.out.println(e);
-            }
-            throw new SkippedException("Test skipped: failure during " +
-                    "initialization.");
-        }
+        initialize();
 
         if (shouldRun()) {
             // Test against JCE
@@ -118,9 +110,6 @@ public static void main(String[] args) throws Exception {
     }
 
     private static boolean shouldRun() {
-        if (sunPKCS11NSSProvider == null) {
-            return false;
-        }
         try {
             String proto = System.getProperty("jdk.tls.client.protocols");
             if ("TLSv1.3".equals(proto)) {
@@ -455,12 +444,13 @@ private static void initialize() throws Exception {
         //  1. SunPKCS11 (with an NSS FIPS mode backend)
         //  2. SUN (to handle X.509 certificates)
         //  3. SunJSSE (for a TLS engine)
-
-        if (initSecmod() == false) {
-            return;
+        try {
+            initSecmod();
+            String configName = BASE + SEP + "nss.cfg";
+            sunPKCS11NSSProvider = getSunPKCS11(configName);
+        } catch (Exception e) {
+            throw new SkippedException("SunPKCS11 initialization failed", e);
         }
-        String configName = BASE + SEP + "nss.cfg";
-        sunPKCS11NSSProvider = getSunPKCS11(configName);
         System.out.println("SunPKCS11 provider: " + sunPKCS11NSSProvider);
 
         List<Provider> installedProviders = new LinkedList<>();



If I don't include this new `try`/`catch` inside `initialize`, could you execute a similar regression to the one where this issue was found?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23177#discussion_r2427408511

More information about the security-dev mailing list