On Mon, 4 Aug 2025 17:32:38 GMT, Rajan Halade <rhal...@openjdk.org> wrote:
>> This patch adds configurability to `PKCS11Test.java`. >> >> Specifically, it adds two new system properties: >> >> - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the >> `nss_library` field. Prior to this patch, `nss_library` was set to either >> `"softokn3"` or `"nss3"`. >> >> - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load. >> Prior to this patch, test cases that wanted to run `NSS` in sensitive mode >> would hard-code `p11-nss-sensitive.txt` on their command lines. >> >> The patch updates the three `p11-nss-sensitive.txt`-using test cases to use >> the new `CUSTOM_P11_CONFIG_VARIANT` property: >> >> >> test/jdk/java/security/KeyAgreement/Generic.java >> test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java >> test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java >> >> >> I have been using this change to run `PKCS11Test.java` against the >> [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using >> this invocation: >> >> >> make test \ >> >> JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt >> \ >> -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \ >> >> -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \ >> -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration" >> >> >> `/tmp/kryoptic-configuration` contains (among other files): >> >> >> libkryoptic_pkcs11.so >> p11-kryoptic.txt >> p11-kryoptic-sensitive.txt >> >> >> With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find >> `libkryoptic_pkcs11.so`. >> >> And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use >> `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` >> property. >> >> On my `Fedora 42` `x86-64` machine, I tested for regressions with: >> >> $ time make test JOBS=4 >> JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" >> TEST="test/jdk/sun/security/pkcs11" >> >> and: >> >> $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11" > > Will you also include p11-kryoptic.txt and p11-kryoptic-sensitive.txt > configuration files for Kryoptic library so others can also run this > interoperability? And do the current P11-NSS tests continue to work as > expected? Thank you for taking a look, @rhalade. > Will you also include p11-kryoptic.txt and p11-kryoptic-sensitive.txt > configuration files for Kryoptic library so others can also run this > interoperability? I had not planned to yet (i.e., not with this patch). Eventually I think doing so will make sense, once we settle on the Kryoptic configuration that best suits `OpenJDK`. For reference in the meantime, the `Kryoptic` project is running their continuous integration with the following configuration files: https://github.com/latchset/kryoptic/blob/main/testdata/openjdk/p11-kryoptic.txt https://github.com/latchset/kryoptic/blob/main/testdata/openjdk/p11-kryoptic-sensitive.txt > And do the current P11-NSS tests continue to work as expected? Yes, I checked for differences in `.jtr` files produced by the following invocation: time make test JOBS=4 JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64 --enable-native-access=ALL-UNNAMED" TEST="test/jdk/sun/security/pkcs11 test/jdk/java/security/KeyAgreement/Generic.java" on commit b65fdf5af0a5e1cf0d66d7551c6df63e8d07c5fa (i.e., without my patch) and on commit 780a630af938edeab3d8c5c895c92f2243814ede (i.e., with my patch). (The `--enable-native-access=ALL-UNNAMED` argument is not strictly required, but reduces noise in the diffs; without it, both with and without my patch, tests mostly print the following warning, but sometimes do not; which tests do and do not changes from run to run: WARNING: A restricted method in java.lang.System has been called WARNING: java.lang.System::load has been called by PKCS11Test in an unnamed module (file:/[...]) WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module WARNING: Restricted methods will be blocked in a future release unless native access is enabled I am not sure what's going on there.) The only differences are the configuration file lines printed in the `.jtr` files, for example, `TestRSAKeyLength.jtr` has a new line: Configuration file: ./nss/p11-nss.txt ------------- PR Comment: https://git.openjdk.org/jdk/pull/26325#issuecomment-3156881829
