<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Valerie,<div><br></div><div>Thanks for your answer.</div><div><br></div><div>Webrev.09:</div><div><br></div><div> * <a href="http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09/">http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09/</a></div><div> * <a href="http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09.zip">http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09.zip</a></div><div><br></div><div>In TestTLS12.java, we now capture any exception during initialization phase and skip test execution if that happens.</div><div><br></div><div>Kind regards,</div><div>Martin.-</div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 12, 2018 at 2:20 AM, Valerie Peng <span dir="ltr"><<a href="mailto:valerie.peng@oracle.com" target="_blank">valerie.peng@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi, Martin,</p>
I am ok with your option#1.<br>
Note that your test fails at different places of the code, so you
will need to check and skip test execution before those exception
are thrown.<span class="HOEnZb"><font color="#888888"><br>
<br>
Valerie</font></span><div><div class="h5"><br>
<br>
<div class="m_223099622882184183moz-cite-prefix">On 9/11/2018 7:54 AM, Martin Balao
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Valerie,
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 31, 2018 at
9:16 PM, Valerie Peng <span dir="ltr"><<a href="mailto:valerie.peng@oracle.com" target="_blank">valerie.peng@oracle.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Martin,<br>
<br>
In TestTLS12.java, you call the initSecmod()
inside initialize() and when initSecmod()
returns false, you return from initialize()
and continue down the main(). Is this
intentional? Other tests seems to be skipping
execution when initSecmod() return false.<br>
</blockquote>
<div><br>
</div>
<div>This test skips execution too. That's
because shouldRun method returns false
if sunPKCS11NSSProvider variable is null
(which it is if initSecmod returns false).</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Changes in webrev.08 resolves 2 out of the 4
failure cases for TestTLS12.java. However,
when I submit the changes for testing, it
failed on some OS (see below):<br>
<br>
macosx-x64:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir:
/scratch/mesos/jib-master/inst<wbr>all/jpg/tests/jdk/nsslib/nssli<wbr>b-macosx_x64/3.35/nsslib-macos<wbr>x_x64-3.35.zip/nsslib/<br>
jib > STDERR:<br>
jib > java.security.ProviderExceptio<wbr>n:
Could not initialize NSS<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.<init>(Sun<wbr>PKCS11.java:218)<span class="m_223099622882184183gmail-"><br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(SunP<wbr>KCS11.java:113)<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(SunP<wbr>KCS11.java:110)<br>
jib > at
java.base/java.security.Access<wbr>Controller.doPrivileged(Native
Method)<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.configure(<wbr>SunPKCS11.java:110)<br>
</span>
jib > at PKCS11Test.getSunPKCS11(PKCS11<wbr>Test.java:156)<br>
jib > at TestTLS12.initialize(TestTLS12<wbr>.java:416)<br>
jib > at TestTLS12.main(TestTLS12.java:<wbr>84)<span class="m_223099622882184183gmail-"><br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native
Method)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.ja<wbr>va:62)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a href="http://java.lang.reflect.Me" target="_blank">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br>
</span>
jib > at com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(Ma<wbr>inWrapper.java:127)<br>
jib > at java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib > Caused by: java.io.IOException: NSS
initialization failed<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.Secmod.initialize(Se<wbr>cmod.java:234)<br>
jib > at jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.<init>(Sun<wbr>PKCS11.java:213)<br>
jib > ... 13 more<br>
jib ><br>
jib > JavaTest Message: Test threw
exception: java.security.ProviderExceptio<wbr>n:
Could not initialize NSS<br>
</blockquote>
</blockquote>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote>
windows-x64:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir:
C:\ADE\mesos\work_dir\jib-mast<wbr>er\install\jpg\tests\jdk\nssli<wbr>b\nsslib-windows_x64\3.35\nssl<wbr>ib-windows_x64-3.35.zip\nsslib<wbr>\<br>
jib > SunPKCS11 provider:
SunPKCS11-NSSKeyStore version 12<br>
jib > STDERR:<br>
jib > java.security.ProviderExceptio<wbr>n:
SunJSSE already initialized in non-FIPS mode<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.ensureFIPS(SunJSSE.java:9<wbr>4)<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.<init>(SunJSSE.java:146)<br>
jib > at java.base/sun.security.ssl.Sun<wbr>JSSE.<init>(SunJSSE.java:118)<br>
jib > at java.base/com.sun.net.ssl.inte<wbr>rnal.ssl.Provider.<init>(Provi<wbr>der.java:47)<br>
jib > at TestTLS12.initialize(TestTLS12<wbr>.java:424)<br>
jib > at TestTLS12.main(TestTLS12.java:<wbr>84)<span class="m_223099622882184183gmail-"><br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native
Method)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.ja<wbr>va:62)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a href="http://java.lang.reflect.Me" target="_blank">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br>
</span>
jib > at com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(Ma<wbr>inWrapper.java:127)<span class="m_223099622882184183gmail-"><br>
jib > at
java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib ><br>
</span>
jib > JavaTest Message: Test threw
exception: java.security.ProviderExceptio<wbr>n:
SunJSSE already initialized in non-FIPS mode<br>
</blockquote>
<div class="m_223099622882184183gmail-HOEnZb">
<div class="m_223099622882184183gmail-h5"><br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>The 2 tests that initialize NSS in FIPS
mode (TrustManagerTest and
ClientJSSEServerJSSE) only run on Solaris. My
guess is that these failures are not
particular to TestTLS12 but to NSS + FIPS
support on these setups. I won't be able to
reproduce the macOS failure and I'm not sure
if I'll be able to reproduce in my Windows
x86_64 environment.</div>
<div><br>
</div>
<div>I propose the following options:</div>
<div><br>
</div>
<div> 1) Make the test skip macOS & Windows
x86_64 (and any other platform that fails to
initialize the SunPKCS11 provider)</div>
<div><br>
</div>
<div> 2) If you can provide access to a testing
environment where I can reproduce these
failures, I can see what's happening</div>
<div><br>
</div>
<div>I intentionally want to use FIPS in NSS
configuration because it represents a real use
case, and is what motivated us to support TLS
1.2 in SunPKCS11. So, even though removing
FIPS would be an option, I prefer not to take
it.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div>Martin.-</div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>