RFR: 8366182: Some PKCS11Tests are being skipped when they shouldn't
Mikhail Yankelevich
myankelevich at openjdk.org
Fri Sep 5 09:32:16 UTC 2025
On Thu, 4 Sep 2025 16:54:48 GMT, Matthew Donovan <mdonovan at openjdk.org> wrote:
>> test/jdk/sun/security/pkcs11/Cipher/TestKATForGCM.java line 330:
>>
>>> 328: String osName = System.getProperty("os.name");
>>> 329: int idx = ver.indexOf(".");
>>> 330: double major = Double.parseDouble(ver.substring(0, idx));
>>
>> IMO the split between major version and minor is a bit hard to read. Wouldn't it be easier to just get a major.minor version entirely with something like:
>>
>>
>> String[] splitParts = ver.split("//.");
>> Double.parseDouble(splitParts.length > 1
>> ? splitParts[0] + "." + splitParts[1]
>> : splitParts[0]);
>>
>>
>> This way it will always take a full double value (1.13 will not be the same as 1.1, as it's now as far as I can see) and would be a bit easier to understand
>>
>> The checking for only major version could be either `doubleVersion<4 && doubleVersion>=3` or even cleaner, using floor function `Math.floor(doubleVersion)`
>>
>> And the same for the other files.
>>
>> What do you think?
>
> I may be misunderstanding your comment but it looks like you're using a single, `double` value to compare versions. The original code did that but it doesn't work in all cases. The problem occurs when checking a range such as
>
> `version >= 3.11 && version < 3.12`
>
> If the version number is 3.111, then the comparison is `true` and tests are skipped, even though _version_ 3.111 is "greater" than 3.12. So this code creates two doubles: `major` and `minor` to do separate comparisons of the values.
>
> To further complicate things, NSS also has versions of the form `x.y.z`. The original code combined the 'y' and 'z' components to go from 3.11.9 to 3.119. My change would create major version 3.0 and minor version 11.9.
Ah, you're right, I didn't think of this case! This approach will be easier then, I agree.
Still, `ver.substring(idx+1)` may cause errors in cases like this [NSS 3.15.3.1 release notes](https://nss-crypto.org/reference/security/nss/legacy/nss_releases/nss_3.15.3.1_release_notes/index.html#mozilla-projects-nss-nss-3-15-3-1-release-notes). It will try to convert 15.3.1 to a double. Do you think changing to something like this would be worth it?
String verSubstring = ver.substring(idx+1);
String[] splitParts = verSubstring.split("//.");
Double minor = Double.parseDouble(splitParts.length > 1
? splitParts[0] + "." + splitParts[1]
: splitParts[0]);
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27095#discussion_r2324586473
More information about the security-dev
mailing list