Re: RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider

Tue, 11 Sep 2018 17:22:04 -0700 

Hi, Martin,

I am ok with your option#1.
Note that your test fails at different places of the code, so you will need to check and skip test execution before those exception are thrown. 

Valerie

On 9/11/2018 7:54 AM, Martin Balao wrote:

Hi Valerie,


On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.p...@oracle.com 
<mailto:valerie.p...@oracle.com>> wrote:


    Hi Martin,

    In TestTLS12.java, you call the initSecmod() inside initialize()
    and when initSecmod() returns false, you return from initialize()
    and continue down the main(). Is this intentional? Other tests
    seems to be skipping execution when initSecmod() return false.



This test skips execution too. That's because shouldRun method returns 
false if sunPKCS11NSSProvider variable is null (which it is if 
initSecmod returns false).



    Changes in webrev.08 resolves 2 out of the 4 failure cases for
    TestTLS12.java. However, when I submit the changes for testing, it
    failed on some OS (see below):

    macosx-x64:

        jib > STDOUT:
        jib > nssLibDir:
        
/scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
        jib > STDERR:
        jib > java.security.ProviderException: Could not initialize NSS
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
        jib >   at
        java.base/java.security.AccessController.doPrivileged(Native
        Method)
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
        jib >   at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
        jib >   at TestTLS12.initialize(TestTLS12.java:416)
        jib >   at TestTLS12.main(TestTLS12.java:84)
        jib >   at
        java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
        Method)
        jib >   at
        
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        jib >   at
        
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        jib >   at java.base/java.lang.reflect.Me
        <http://java.lang.reflect.Me>thod.invoke(Method.java:566)
        jib >   at
        
com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
        jib >   at java.base/java.lang.Thread.run(Thread.java:834)
        jib > Caused by: java.io.IOException: NSS initialization failed
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
        jib >   at
        
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
        jib >   ... 13 more
        jib >
        jib > JavaTest Message: Test threw exception:
        java.security.ProviderException: Could not initialize NSS


    windows-x64:

        jib > STDOUT:
        jib > nssLibDir:
        
C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
        jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
        jib > STDERR:
        jib > java.security.ProviderException: SunJSSE already
        initialized in non-FIPS mode
        jib >   at
        java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
        jib >   at
        java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
        jib >   at
        java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
        jib >   at
        java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
        jib >   at TestTLS12.initialize(TestTLS12.java:424)
        jib >   at TestTLS12.main(TestTLS12.java:84)
        jib >   at
        java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
        Method)
        jib >   at
        
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        jib >   at
        
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        jib >   at java.base/java.lang.reflect.Me
        <http://java.lang.reflect.Me>thod.invoke(Method.java:566)
        jib >   at
        
com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
        jib >   at java.base/java.lang.Thread.run(Thread.java:834)
        jib >
        jib > JavaTest Message: Test threw exception:
        java.security.ProviderException: SunJSSE already initialized
        in non-FIPS mode




The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and 
ClientJSSEServerJSSE) only run on Solaris. My guess is that these 
failures are not particular to TestTLS12 but to NSS + FIPS support on 
these setups. I won't be able to reproduce the macOS failure and I'm 
not sure if I'll be able to reproduce in my Windows x86_64 environment.


I propose the following options:


 1) Make the test skip macOS & Windows x86_64 (and any other platform 
that fails to initialize the SunPKCS11 provider)



 2) If you can provide access to a testing environment where I can 
reproduce these failures, I can see what's happening



I intentionally want to use FIPS in NSS configuration because it 
represents a real use case, and is what motivated us to support TLS 
1.2 in SunPKCS11. So, even though removing FIPS would be an option, I 
prefer not to take it.


Kind regards,
Martin.-


























					Reply via email to