RFR: 8361711: Add library name configurability to PKCS11Test.java [v3]

Thomas Fitzsimmons duke at openjdk.org
Wed Sep 3 00:22:16 UTC 2025


> This patch adds configurability to `PKCS11Test.java`.
> 
> Specifically, it adds two new system properties:
> 
> - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the `nss_library` field.  Prior to this patch, `nss_library` was set to either `"softokn3"` or `"nss3"`.
> 
> - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load.  Prior to this patch, test cases that wanted to run `NSS` in sensitive mode would hard-code `p11-nss-sensitive.txt` on their command lines.
> 
> The patch updates the three `p11-nss-sensitive.txt`-using test cases to use the new `CUSTOM_P11_CONFIG_VARIANT` property:
> 
> 
> test/jdk/java/security/KeyAgreement/Generic.java
> test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java
> test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java
> 
> 
> I have been using this change to run `PKCS11Test.java` against the [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using this invocation:
> 
> 
> make test \
>     JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt \
>                         -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \
>                         -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \
>                         -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration"
> 
> 
> `/tmp/kryoptic-configuration` contains (among other files):
> 
> 
> libkryoptic_pkcs11.so
> p11-kryoptic.txt
> p11-kryoptic-sensitive.txt
> 
> 
> With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find `libkryoptic_pkcs11.so`.
> 
> And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` property.
> 
> On my `Fedora 42` `x86-64` machine, I tested for regressions with:
> 
> $ time make test JOBS=4 JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" TEST="test/jdk/sun/security/pkcs11"
> 
> and:
> 
> $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11"

Thomas Fitzsimmons has updated the pull request incrementally with one additional commit since the last revision:

  Remove CUSTOM_P11_CONFIG_VARIANT, add CUSTOM_P11_BASE_DIR

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26325/files
  - new: https://git.openjdk.org/jdk/pull/26325/files/621a35f3..423962fe

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26325&range=02
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26325&range=01-02

  Stats: 75 lines in 4 files changed: 14 ins; 34 del; 27 mod
  Patch: https://git.openjdk.org/jdk/pull/26325.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26325/head:pull/26325

PR: https://git.openjdk.org/jdk/pull/26325


More information about the security-dev mailing list