Hi, Martin,
I am ok with your option#1.
Note that your test fails at different places of the code, so you will
need to check and skip test execution before those exception are thrown.
Valerie
On 9/11/2018 7:54 AM, Martin Balao wrote:
Hi Valerie,
On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.p...@oracle.com
<mailto:valerie.p...@oracle.com>> wrote:
Hi Martin,
In TestTLS12.java, you call the initSecmod() inside initialize()
and when initSecmod() returns false, you return from initialize()
and continue down the main(). Is this intentional? Other tests
seems to be skipping execution when initSecmod() return false.
This test skips execution too. That's because shouldRun method returns
false if sunPKCS11NSSProvider variable is null (which it is if
initSecmod returns false).
Changes in webrev.08 resolves 2 out of the 4 failure cases for
TestTLS12.java. However, when I submit the changes for testing, it
failed on some OS (see below):
macosx-x64:
jib > STDOUT:
jib > nssLibDir:
/scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
jib > STDERR:
jib > java.security.ProviderException: Could not initialize NSS
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
jib > at
java.base/java.security.AccessController.doPrivileged(Native
Method)
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
jib > at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
jib > at TestTLS12.initialize(TestTLS12.java:416)
jib > at TestTLS12.main(TestTLS12.java:84)
jib > at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
jib > at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
jib > at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
jib > at java.base/java.lang.reflect.Me
<http://java.lang.reflect.Me>thod.invoke(Method.java:566)
jib > at
com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
jib > at java.base/java.lang.Thread.run(Thread.java:834)
jib > Caused by: java.io.IOException: NSS initialization failed
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
jib > at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
jib > ... 13 more
jib >
jib > JavaTest Message: Test threw exception:
java.security.ProviderException: Could not initialize NSS
windows-x64:
jib > STDOUT:
jib > nssLibDir:
C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
jib > STDERR:
jib > java.security.ProviderException: SunJSSE already
initialized in non-FIPS mode
jib > at
java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
jib > at
java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
jib > at
java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
jib > at
java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
jib > at TestTLS12.initialize(TestTLS12.java:424)
jib > at TestTLS12.main(TestTLS12.java:84)
jib > at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
jib > at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
jib > at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
jib > at java.base/java.lang.reflect.Me
<http://java.lang.reflect.Me>thod.invoke(Method.java:566)
jib > at
com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
jib > at java.base/java.lang.Thread.run(Thread.java:834)
jib >
jib > JavaTest Message: Test threw exception:
java.security.ProviderException: SunJSSE already initialized
in non-FIPS mode
The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and
ClientJSSEServerJSSE) only run on Solaris. My guess is that these
failures are not particular to TestTLS12 but to NSS + FIPS support on
these setups. I won't be able to reproduce the macOS failure and I'm
not sure if I'll be able to reproduce in my Windows x86_64 environment.
I propose the following options:
1) Make the test skip macOS & Windows x86_64 (and any other platform
that fails to initialize the SunPKCS11 provider)
2) If you can provide access to a testing environment where I can
reproduce these failures, I can see what's happening
I intentionally want to use FIPS in NSS configuration because it
represents a real use case, and is what motivated us to support TLS
1.2 in SunPKCS11. So, even though removing FIPS would be an option, I
prefer not to take it.
Kind regards,
Martin.-