On Tue, 15 Jul 2025 16:43:16 GMT, Thomas Fitzsimmons <d...@openjdk.org> wrote:
> This patch adds configurability to `PKCS11Test.java`. > > Specifically, it adds two new system properties: > > - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the > `nss_library` field. Prior to this patch, `nss_library` was set to either > `"softokn3"` or `"nss3"`. > > - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load. > Prior to this patch, test cases that wanted to run `NSS` in sensitive mode > would hard-code `p11-nss-sensitive.txt` on their command lines. > > The patch updates the three `p11-nss-sensitive.txt`-using test cases to use > the new `CUSTOM_P11_CONFIG_VARIANT` property: > > > test/jdk/java/security/KeyAgreement/Generic.java > test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java > test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java > > > I have been using this change to run `PKCS11Test.java` against the > [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using > this invocation: > > > make test \ > > JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt > \ > -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \ > > -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \ > -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration" > > > `/tmp/kryoptic-configuration` contains (among other files): > > > libkryoptic_pkcs11.so > p11-kryoptic.txt > p11-kryoptic-sensitive.txt > > > With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find > `libkryoptic_pkcs11.so`. > > And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use > `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` property. > > On my `Fedora 42` `x86-64` machine, I tested for regressions with: > > $ time make test JOBS=4 > JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" > TEST="test/jdk/sun/security/pkcs11" > > and: > > $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11" test/jdk/sun/security/pkcs11/PKCS11Test.java line 490: > 488: configFilePath = configFilePath.replaceFirst( > 489: "(\\.[^\\.]*)?$", "-" + customConfigVariant + "$1"); > 490: } Hmm, I find it somewhat obscure that the config variant property changes the value of the config file name. With this new config variant property, it assumes that the confg file name has a "." which is probably true most if not all times. We should document all these properties so it's clear their precedence as well as the assumptions/implications. All these security can be set independently, right? It's a bit strange that you set the CUSTOM_P11_CONFIG NAME and then setting the config variant property would actually changes the config file to a different name. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26325#discussion_r2286765283
