8020424: The NSS version should be detected before running crypto tests
Reviewed-by: valeriep
This commit is contained in:
parent
a7dbbbddcd
commit
eae349e914
@ -255,32 +255,12 @@ sun/rmi/transport/proxy/EagerHttpFallback.java generic-all
|
||||
|
||||
# jdk_security
|
||||
|
||||
# 8012971 PKCS11Test hiding exception failures
|
||||
sun/security/pkcs11/KeyStore/SecretKeysBasic.java solaris-all
|
||||
sun/security/pkcs11/KeyStore/SecretKeysBasic.java linux-all
|
||||
sun/security/pkcs11/ec/TestCurves.java solaris-all
|
||||
sun/security/pkcs11/ec/TestCurves.java linux-all
|
||||
sun/security/pkcs11/ec/TestECDH.java solaris-all
|
||||
sun/security/pkcs11/ec/TestECDH2.java solaris-all
|
||||
sun/security/pkcs11/ec/TestECDH2.java linux-all
|
||||
sun/security/pkcs11/ec/TestECDSA.java solaris-all
|
||||
sun/security/pkcs11/ec/TestECDSA.java linux-all
|
||||
sun/security/pkcs11/ec/TestECDSA2.java solaris-all
|
||||
sun/security/pkcs11/ec/TestECDSA2.java linux-all
|
||||
sun/security/pkcs11/ec/TestECGenSpec.java solaris-all
|
||||
sun/security/pkcs11/ec/TestECGenSpec.java linux-all
|
||||
sun/security/pkcs11/ec/TestKeyFactory.java solaris-all
|
||||
sun/security/pkcs11/ec/TestKeyFactory.java linux-all
|
||||
# 7157786
|
||||
sun/security/pkcs11/ec/TestKeyFactory.java generic-all
|
||||
|
||||
# 7164518: no PortUnreachableException on Mac
|
||||
sun/security/krb5/auto/Unreachable.java macosx-all
|
||||
|
||||
# 7193793
|
||||
sun/security/pkcs11/ec/TestECDH.java linux-all
|
||||
|
||||
# 7198198: the test also fails on SuSE Linux
|
||||
sun/security/pkcs11/ec/ReadCertificates.java linux-all
|
||||
|
||||
# 7147060
|
||||
com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java generic-all
|
||||
|
||||
@ -290,9 +270,6 @@ sun/security/pkcs11/ec/ReadCertificates.java solaris-all
|
||||
sun/security/pkcs11/ec/ReadPKCS12.java solaris-all
|
||||
sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java solaris-all
|
||||
|
||||
# 8005247
|
||||
sun/security/pkcs11/ec/TestECDSA.java solaris-all
|
||||
|
||||
# 8009438
|
||||
sun/security/pkcs11/Secmod/AddPrivateKey.java linux-all
|
||||
sun/security/pkcs11/Secmod/TrustAnchors.java linux-all
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2008, 2013 Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,16 +23,10 @@
|
||||
|
||||
import java.io.*;
|
||||
import java.util.*;
|
||||
import java.lang.reflect.*;
|
||||
|
||||
import java.security.*;
|
||||
import java.security.cert.*;
|
||||
import java.security.spec.*;
|
||||
import java.security.interfaces.*;
|
||||
import java.math.BigInteger;
|
||||
|
||||
import javax.crypto.*;
|
||||
import javax.crypto.spec.*;
|
||||
import javax.xml.bind.DatatypeConverter;
|
||||
|
||||
public class SecretKeysBasic extends PKCS11Test {
|
||||
|
||||
@ -94,6 +88,17 @@ public class SecretKeysBasic extends PKCS11Test {
|
||||
SecretKey expected,
|
||||
boolean saveBeforeCheck)
|
||||
throws Exception {
|
||||
|
||||
// A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths
|
||||
// to be read incorrectly. Checking for improper 16 byte length
|
||||
// in key string.
|
||||
if (isNSS(provider) && expected.getAlgorithm().equals("AES") &&
|
||||
(getNSSVersion() >= 3.12 && getNSSVersion() <= 3.122)) {
|
||||
System.out.println("NSS 3.12 bug returns incorrect AES key "+
|
||||
"length breaking key storage. Aborting...");
|
||||
return true;
|
||||
}
|
||||
|
||||
if (saveBeforeCheck) {
|
||||
ks.setKeyEntry(alias, expected, null, null);
|
||||
}
|
||||
@ -127,7 +132,7 @@ public class SecretKeysBasic extends PKCS11Test {
|
||||
System.out.println("\tALGO=" + key.getAlgorithm());
|
||||
if (key.getFormat() != null) {
|
||||
System.out.println("\t[" + key.getFormat() + "] VALUE=" +
|
||||
new BigInteger(key.getEncoded()));
|
||||
DatatypeConverter.printHexBinary(key.getEncoded()));
|
||||
} else {
|
||||
System.out.println("\tVALUE=n/a");
|
||||
}
|
||||
|
@ -54,6 +54,11 @@ public abstract class PKCS11Test {
|
||||
|
||||
static String NSPR_PREFIX = "";
|
||||
|
||||
// NSS version info
|
||||
public static enum ECCState { None, Basic, Extended };
|
||||
static double nss_version = -1;
|
||||
static ECCState nss_ecc_status = ECCState.Extended;
|
||||
|
||||
// The NSS library we need to search for in getNSSLibDir()
|
||||
// Default is "libsoftokn3.so", listed as "softokn3"
|
||||
// The other is "libnss3.so", listed as "nss3".
|
||||
@ -217,6 +222,104 @@ public abstract class PKCS11Test {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check the provider being used is NSS
|
||||
public static boolean isNSS(Provider p) {
|
||||
return p.getName().toUpperCase().equals("SUNPKCS11-NSS");
|
||||
}
|
||||
|
||||
static double getNSSVersion() {
|
||||
if (nss_version == -1)
|
||||
getNSSInfo();
|
||||
return nss_version;
|
||||
}
|
||||
|
||||
static ECCState getNSSECC() {
|
||||
if (nss_version == -1)
|
||||
getNSSInfo();
|
||||
return nss_ecc_status;
|
||||
}
|
||||
|
||||
/* Read the library to find out the verison */
|
||||
static void getNSSInfo() {
|
||||
String nssHeader = "$Header: NSS";
|
||||
boolean found = false;
|
||||
String s = null;
|
||||
int i = 0;
|
||||
String libfile = "";
|
||||
|
||||
try {
|
||||
libfile = getNSSLibDir() + System.mapLibraryName(nss_library);
|
||||
FileInputStream is = new FileInputStream(libfile);
|
||||
byte[] data = new byte[1000];
|
||||
int read = 0;
|
||||
|
||||
while (is.available() > 0) {
|
||||
if (read == 0) {
|
||||
read = is.read(data, 0, 1000);
|
||||
} else {
|
||||
// Prepend last 100 bytes in case the header was split
|
||||
// between the reads.
|
||||
System.arraycopy(data, 900, data, 0, 100);
|
||||
read = 100 + is.read(data, 100, 900);
|
||||
}
|
||||
|
||||
s = new String(data, 0, read);
|
||||
if ((i = s.indexOf(nssHeader)) > 0) {
|
||||
found = true;
|
||||
// If the nssHeader is before 920 we can break, otherwise
|
||||
// we may not have the whole header so do another read. If
|
||||
// no bytes are in the stream, that is ok, found is true.
|
||||
if (i < 920) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
is.close();
|
||||
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
if (!found) {
|
||||
System.out.println("NSS version not found, set to 0.0: "+libfile);
|
||||
nss_version = 0.0;
|
||||
return;
|
||||
}
|
||||
|
||||
// the index after whitespace after nssHeader
|
||||
int afterheader = s.indexOf("NSS", i) + 4;
|
||||
String version = s.substring(afterheader, s.indexOf(' ', afterheader));
|
||||
|
||||
// If a "dot dot" release, strip the extra dots for double parsing
|
||||
String[] dot = version.split("\\.");
|
||||
if (dot.length > 2) {
|
||||
version = dot[0]+"."+dot[1];
|
||||
for (int j = 2; dot.length > j; j++) {
|
||||
version += dot[j];
|
||||
}
|
||||
}
|
||||
|
||||
// Convert to double for easier version value checking
|
||||
try {
|
||||
nss_version = Double.parseDouble(version);
|
||||
} catch (NumberFormatException e) {
|
||||
System.out.println("Failed to parse NSS version. Set to 0.0");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
System.out.print("NSS version = "+version+". ");
|
||||
|
||||
// Check for ECC
|
||||
if (s.indexOf("Basic") > 0) {
|
||||
nss_ecc_status = ECCState.Basic;
|
||||
System.out.println("ECC Basic.");
|
||||
} else if (s.indexOf("Extended") > 0) {
|
||||
nss_ecc_status = ECCState.Extended;
|
||||
System.out.println("ECC Extended.");
|
||||
}
|
||||
}
|
||||
|
||||
// Used to set the nss_library file to search for libsoftokn3.so
|
||||
public static void useNSS() {
|
||||
nss_library = "nss3";
|
||||
|
22
jdk/test/sun/security/pkcs11/README
Normal file
22
jdk/test/sun/security/pkcs11/README
Normal file
@ -0,0 +1,22 @@
|
||||
This README is to keep a list facts and known workaround for the pkcs11 java tests
|
||||
perform as a result of bugs or features in NSS or other pkcs11 libraries.
|
||||
|
||||
- NSS ECC None/Basic/Extended
|
||||
The tests detect the NSS library support for Elliptic Curves as to not
|
||||
report incorrect failures. PKCS11 reports back CKR_DOMAIN_PARAMS_INVALID
|
||||
when the curve is not supported.
|
||||
|
||||
- Default libsoftokn3.so
|
||||
By default PKCS11Test.java will look for libsoftokn3.so. There are a number of
|
||||
tests, particularly in Secmod, that need libnss3.so. The method useNSS() in
|
||||
PKCS11test.java is to change the search and version checking to libnss3.
|
||||
|
||||
ECC Basic supports is secp256r1, secp384r1, and secp521r1.
|
||||
|
||||
- A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths to be
|
||||
read incorrectly. KeyStore/SecretKeysBasic.java tiggers this bug and
|
||||
knows to avoid it.
|
||||
|
||||
- A number of EC tests fail because of a DER bug in NSS 3.11. The best guess
|
||||
is Mozilla bug 480280. Those tests that abort execution with a PASS result
|
||||
are: TestECDH2, TestECDSA, TestECDSA2 and TestECGenSpec.
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -113,6 +113,20 @@ public class ReadCertificates extends PKCS11Test {
|
||||
System.out.println("Warning: " + e.getMessage() +
|
||||
". Trying another provider...");
|
||||
cert.verify(key);
|
||||
} catch (InvalidKeyException e) {
|
||||
// The root cause of the exception might be NSS not having
|
||||
// "ECC Extended" support curves. If so, we can ignore it.
|
||||
Throwable t = e;
|
||||
while (t.getCause() != null) {
|
||||
t = t.getCause();
|
||||
}
|
||||
if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
|
||||
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
|
||||
isNSS(p) && getNSSECC() == ECCState.Basic) {
|
||||
System.out.println("Failed as expected. NSS Basic ECC.");
|
||||
continue;
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -50,6 +50,12 @@ public class TestCurves extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
|
||||
System.out.println("NSS 3.11 has a DER issue that recent " +
|
||||
"version do not.");
|
||||
return;
|
||||
}
|
||||
|
||||
Random random = new Random();
|
||||
byte[] data = new byte[2048];
|
||||
random.nextBytes(data);
|
||||
@ -61,8 +67,29 @@ public class TestCurves extends PKCS11Test {
|
||||
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
|
||||
kpg.initialize(params);
|
||||
KeyPair kp1, kp2;
|
||||
kp1 = kpg.generateKeyPair();
|
||||
kp2 = kpg.generateKeyPair();
|
||||
|
||||
try {
|
||||
kp1 = kpg.generateKeyPair();
|
||||
kp2 = kpg.generateKeyPair();
|
||||
} catch (Exception e) {
|
||||
// The root cause of the exception might be NSS not having
|
||||
// "ECC Extended" support curves. If so, we can ignore it.
|
||||
if (e instanceof java.security.ProviderException) {
|
||||
Throwable t = e.getCause();
|
||||
if (t instanceof
|
||||
sun.security.pkcs11.wrapper.PKCS11Exception &&
|
||||
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
|
||||
isNSS(p) && (getNSSECC() == ECCState.Basic) &&
|
||||
(!params.toString().startsWith("secp256r1") &&
|
||||
!params.toString().startsWith("secp384r1") &&
|
||||
!params.toString().startsWith("secp521r1"))) {
|
||||
System.out.println("NSS Basic ECC. Failure expected");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
throw e;
|
||||
}
|
||||
|
||||
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
|
||||
testSigning(p, "SHA224withECDSA", data, kp1, kp2);
|
||||
@ -97,8 +124,9 @@ public class TestCurves extends PKCS11Test {
|
||||
int end;
|
||||
String curve;
|
||||
Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
|
||||
String kcProp =
|
||||
p.getProperty("AlgorithmParameters.EC SupportedCurves");
|
||||
// Get Curves to test from SunEC.
|
||||
String kcProp = Security.getProvider("SunEC").
|
||||
getProperty("AlgorithmParameters.EC SupportedCurves");
|
||||
|
||||
if (kcProp == null) {
|
||||
throw new RuntimeException(
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -61,6 +61,11 @@ public class TestECDH extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isNSS(p) && getNSSECC() == ECCState.Basic) {
|
||||
System.out.println("NSS only supports Basic ECC. Skipping..");
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* PKCS11Test.main will remove this provider if needed
|
||||
*/
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -106,6 +106,13 @@ public class TestECDH2 extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
|
||||
getNSSVersion() < 3.12) {
|
||||
System.out.println("NSS 3.11 has a DER issue that recent " +
|
||||
"version do not.");
|
||||
return;
|
||||
}
|
||||
|
||||
kf = KeyFactory.getInstance("EC", provider);
|
||||
kpg = KeyPairGenerator.getInstance("EC", provider);
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -30,9 +30,7 @@
|
||||
* @library ../../../../java/security/testlibrary
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import java.util.*;
|
||||
import java.math.BigInteger;
|
||||
|
||||
import java.security.*;
|
||||
import java.security.spec.*;
|
||||
@ -117,6 +115,13 @@ public class TestECDSA extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
|
||||
getNSSVersion() < 3.12) {
|
||||
System.out.println("NSS 3.11 has a DER issue that recent " +
|
||||
"version do not.");
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* PKCS11Test.main will remove this provider if needed
|
||||
*/
|
||||
@ -136,10 +141,14 @@ public class TestECDSA extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
test(provider, pub192, priv192, sig192);
|
||||
test(provider, pub163, priv163, sig163);
|
||||
if (getNSSECC() != ECCState.Basic) {
|
||||
test(provider, pub192, priv192, sig192);
|
||||
test(provider, pub163, priv163, sig163);
|
||||
test(provider, pub571, priv571, sig571);
|
||||
} else {
|
||||
System.out.println("ECC Basic only, skipping 192, 163 and 571.");
|
||||
}
|
||||
test(provider, pub521, priv521, sig521);
|
||||
test(provider, pub571, priv571, sig571);
|
||||
|
||||
long stop = System.currentTimeMillis();
|
||||
System.out.println("All tests passed (" + (stop - start) + " ms).");
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -104,6 +104,13 @@ public class TestECDSA2 extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
|
||||
getNSSVersion() < 3.12) {
|
||||
System.out.println("NSS 3.11 has a DER issue that recent " +
|
||||
"version do not.");
|
||||
return;
|
||||
}
|
||||
|
||||
kf = KeyFactory.getInstance("EC", provider);
|
||||
|
||||
long start = System.currentTimeMillis();
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -47,9 +47,20 @@ public class TestECGenSpec extends PKCS11Test {
|
||||
return;
|
||||
}
|
||||
|
||||
String[] names = { "NIST P-192", "sect163k1", "1.3.132.0.26", "X9.62 c2tnb239v1"};
|
||||
int[] lengths = {192, 163, 233, 239};
|
||||
for (int i = 0; i < names.length; i++) {
|
||||
if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
|
||||
System.out.println("NSS 3.11 has a DER issue that recent " +
|
||||
"version do not.");
|
||||
return;
|
||||
}
|
||||
|
||||
String[] names = { "secp256r1", "NIST P-192", "sect163k1", "1.3.132.0.26",
|
||||
"X9.62 c2tnb239v1"};
|
||||
int curves = 1;
|
||||
if (getNSSECC() == ECCState.Extended) {
|
||||
curves = names.length;
|
||||
}
|
||||
int[] lengths = {256, 192, 163, 233, 239};
|
||||
for (int i = 0; i < curves; i++) {
|
||||
String name = names[i];
|
||||
int len = lengths[i];
|
||||
System.out.println("Testing " + name + "...");
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -119,11 +119,17 @@ public class TestKeyFactory extends PKCS11Test {
|
||||
System.out.println("Provider does not support EC, skipping");
|
||||
return;
|
||||
}
|
||||
int[] keyLengths = {192, 163, 521, 409};
|
||||
int[] keyLengths = {192, 163, 409, 521};
|
||||
int len = 0;
|
||||
if (getNSSECC() == ECCState.Basic) {
|
||||
System.out.println("NSS Basic ECC only. Skipping 192, 163, & 409");
|
||||
len = 3;
|
||||
}
|
||||
KeyFactory kf = KeyFactory.getInstance("EC", p);
|
||||
for (int len : keyLengths) {
|
||||
for (; keyLengths.length > len ; len++) {
|
||||
System.out.println("Length "+keyLengths[len]);
|
||||
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
|
||||
kpg.initialize(len);
|
||||
kpg.initialize(keyLengths[len]);
|
||||
KeyPair kp = kpg.generateKeyPair();
|
||||
test(kf, kp.getPrivate());
|
||||
test(kf, kp.getPublic());
|
||||
|
Loading…
x
Reference in New Issue
Block a user