On Wed, 20 Aug 2025 01:26:19 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> This patch adds configurability to `PKCS11Test.java`. >> >> Specifically, it adds two new system properties: >> >> - `CUSTOM_P11_LIBRARY_NAME`: Allow overriding the value assigned to the >> `nss_library` field. Prior to this patch, `nss_library` was set to either >> `"softokn3"` or `"nss3"`. >> >> - `CUSTOM_P11_CONFIG_VARIANT`: Abstract the configuration file type to load. >> Prior to this patch, test cases that wanted to run `NSS` in sensitive mode >> would hard-code `p11-nss-sensitive.txt` on their command lines. >> >> The patch updates the three `p11-nss-sensitive.txt`-using test cases to use >> the new `CUSTOM_P11_CONFIG_VARIANT` property: >> >> >> test/jdk/java/security/KeyAgreement/Generic.java >> test/jdk/sun/security/pkcs11/Mac/TestLargeSecretKeys.java >> test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java >> >> >> I have been using this change to run `PKCS11Test.java` against the >> [Kryoptic](https://github.com/latchset/kryoptic) PKCS11 soft token, using >> this invocation: >> >> >> make test \ >> >> JTREG="JAVA_OPTIONS=-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt >> \ >> -DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11 \ >> >> -Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration \ >> -DCUSTOM_DB_DIR=/tmp/kryoptic-configuration" >> >> >> `/tmp/kryoptic-configuration` contains (among other files): >> >> >> libkryoptic_pkcs11.so >> p11-kryoptic.txt >> p11-kryoptic-sensitive.txt >> >> >> With `CUSTOM_P11_LIBRARY_NAME` set, `PKCS11Test.java` can find >> `libkryoptic_pkcs11.so`. >> >> And setting `CUSTOM_P11_CONFIG` causes the sensitive tests to use >> `p11-kryoptic-sensitive.txt` via the new `CUSTOM_P11_CONFIG_VARIANT` >> property. >> >> On my `Fedora 42` `x86-64` machine, I tested for regressions with: >> >> $ time make test JOBS=4 >> JTREG="JAVA_OPTIONS=-Djdk.test.lib.artifacts.nsslib-linux_x64=/usr/lib64" >> TEST="test/jdk/sun/security/pkcs11" >> >> and: >> >> $ time make test JOBS=4 TEST="test/jdk/sun/security/pkcs11" > > test/jdk/sun/security/pkcs11/PKCS11Test.java line 490: > >> 488: configFilePath = configFilePath.replaceFirst( >> 489: "(\\.[^\\.]*)?$", "-" + customConfigVariant + "$1"); >> 490: } > > Hmm, I find it somewhat obscure that the config variant property changes the > value of the config file name. With this new config variant property, it > assumes that the confg file name has a "." which is probably true most if not > all times. We should document all these properties so it's clear their > precedence as well as the assumptions/implications. > All these security can be set independently, right? It's a bit strange that > you set the CUSTOM_P11_CONFIG NAME and then setting the config variant > property would actually changes the config file to a different name. Perhaps check the existence of the file and error out with the config file and its path if the check fails, this way, it's crystal clear. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26325#discussion_r2286812773
