RFR: 8361711: Add library name configurability to PKCS11Test.java [v3]
Thomas Fitzsimmons
duke at openjdk.org
Wed Sep 3 00:22:16 UTC 2025
> This patch adds configurability to `PKCS11Test.java`.
>
> Specifically, it adds two new system properties:
>
> - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the `nss_library` field. Prior to this patch, `nss_library` was set to either `"softokn3"` or `"nss3"`.
>
> - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load. Prior to this patch, test cases that wanted to run `NSS` in sensitive mode would hard-code `p11-nss-sensitive.txt` on their command lines.
>
> The patch updates the three `p11-nss-sensitive.txt`-using test cases to use the new `CUSTOM_P11_CONFIG_VARIANT` property:
>
>
> test/jdk/java/security/KeyAgreement/Generic.java
> test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java
> test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java
>
>
> I have been using this change to run `PKCS11Test.java` against the [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using this invocation:
>
>
> make test \
> JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt \
> -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \
> -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \
> -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration"
>
>
> `/tmp/kryoptic-configuration` contains (among other files):
>
>
> libkryoptic_pkcs11.so
> p11-kryoptic.txt
> p11-kryoptic-sensitive.txt
>
>
> With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find `libkryoptic_pkcs11.so`.
>
> And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` property.
>
> On my `Fedora 42` `x86-64` machine, I tested for regressions with:
>
> $ time make test JOBS=4 JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" TEST="test/jdk/sun/security/pkcs11"
>
> and:
>
> $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11"
Thomas Fitzsimmons has updated the pull request incrementally with one additional commit since the last revision:
Remove CUSTOM_P11_CONFIG_VARIANT, add CUSTOM_P11_BASE_DIR
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/26325/files
- new: https://git.openjdk.org/jdk/pull/26325/files/621a35f3..423962fe
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=26325&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=26325&range=01-02
Stats: 75 lines in 4 files changed: 14 ins; 34 del; 27 mod
Patch: https://git.openjdk.org/jdk/pull/26325.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26325/head:pull/26325
PR: https://git.openjdk.org/jdk/pull/26325
More information about the security-dev
mailing list