<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Valerie,<div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <span dir="ltr">&lt;<a href="mailto:valerie.peng@oracle.com" target="_blank">valerie.peng@oracle.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Martin,<br>
<br>
In TestTLS12.java, you call the initSecmod() inside initialize() and when initSecmod() returns false, you return from initialize() and continue down the main(). Is this intentional? Other tests seem to be skipping execution when initSecmod() returns false.<br></blockquote><div><br></div><div>This test skips execution too. That's because the shouldRun method returns false if the sunPKCS11NSSProvider variable is null (which it is if initSecmod returns false).</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Changes in webrev.08 resolve 2 out of the 4 failure cases for TestTLS12.java. However, when I submitted the changes for testing, it failed on some OS (see below):<br>
<br>
macosx-x64:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir: /scratch/mesos/jib-master/inst<wbr>all/jpg/tests/jdk/nsslib/nssli<wbr>b-macosx_x64/3.35/nsslib-macos<wbr>x_x64-3.35.zip/nsslib/<br>
jib > STDERR:<br>
jib > java.security.ProviderExceptio<wbr>n: Could not initialize NSS<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.&lt;init&gt;(<wbr>SunPKCS11.java:218)<span class="gmail-"><br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(<wbr>SunPKCS11.java:113)<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(<wbr>SunPKCS11.java:110)<br>
jib > at java.base/java.security.Access<wbr>Controller.doPrivileged(Native Method)<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.configure(<wbr>SunPKCS11.java:110)<br></span>
jib > at PKCS11Test.getSunPKCS11(PKCS11<wbr>Test.java:156)<br>
jib > at TestTLS12.initialize(TestTLS12<wbr>.java:416)<br>
jib > at TestTLS12.main(TestTLS12.java:<wbr>84)<span class="gmail-"><br>
jib > at java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native Method)<br>
jib > at java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.<wbr>java:62)<br>
jib > at java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a href="http://java.lang.reflect.Me">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br></span>
jib > at com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(<wbr>MainWrapper.java:127)<br>
jib > at java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib > Caused by: java.io.IOException: NSS initialization failed<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.Secmod.initialize(<wbr>Secmod.java:234)<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.&lt;init&gt;(<wbr>SunPKCS11.java:213)<br>
jib > ... 13 more<br>
jib ><br>
jib > JavaTest Message: Test threw exception: java.security.ProviderExceptio<wbr>n: Could not initialize NSS<br></blockquote></blockquote><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote>
windows-x64:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir: C:\ADE\mesos\work_dir\jib-mast<wbr>er\install\jpg\tests\jdk\nssli<wbr>b\nsslib-windows_x64\3.35\<wbr>nsslib-windows_x64-3.35.zip\<wbr>nsslib\<br>
jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12<br>
jib > STDERR:<br>
jib > java.security.ProviderExceptio<wbr>n: SunJSSE already initialized in non-FIPS mode<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.ensureFIPS(SunJSSE.java:<wbr>94)<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.&lt;init&gt;(SunJSSE.java:146)<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.&lt;init&gt;(SunJSSE.java:118)<br>
jib > at java.base/com.sun.net.ssl.inte<wbr>rnal.ssl.Provider.&lt;init&gt;(Provi<wbr>der.java:47)<br>
jib > at TestTLS12.initialize(TestTLS12<wbr>.java:424)<br>
jib > at TestTLS12.main(TestTLS12.java:<wbr>84)<span class="gmail-"><br>
jib > at java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native Method)<br>
jib > at java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.<wbr>java:62)<br>
jib > at java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a href="http://java.lang.reflect.Me">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br></span>
jib > at com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(<wbr>MainWrapper.java:127)<span class="gmail-"><br>
jib > at java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib ><br></span>
jib > JavaTest Message: Test threw exception: java.security.ProviderExceptio<wbr>n: SunJSSE already initialized in non-FIPS mode<br>
</blockquote><div class="gmail-HOEnZb"><div class="gmail-h5"><br></div></div></blockquote><div><br></div><div>The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and ClientJSSEServerJSSE) only run on Solaris. My guess is that these failures are not particular to TestTLS12 but to NSS + FIPS support on these setups. I won't be able to reproduce the macOS failure and I'm not sure if I'll be able to reproduce in my Windows x86_64 environment.</div><div><br></div><div>I propose the following options:</div><div><br></div><div> 1) Make the test skip macOS & Windows x86_64 (and any other platform that fails to initialize the SunPKCS11 provider)</div><div><br></div><div> 2) If you can provide access to a testing environment where I can reproduce these failures, I can see what's happening</div><div><br></div><div>I intentionally want to use FIPS in NSS configuration because it represents a real use case, and is what motivated us to support TLS 1.2 in SunPKCS11. So, even though removing FIPS would be an option, I prefer not to take it.</div><div><br></div><div>Kind regards,</div><div>Martin.-</div></div><br></div></div></div></div></div></div></div></div>