6988842: jce/ECC test fails for SunPKCS11 provider using nss library

Reviewed-by: mullan

make/sun/security/Makefile

 #
-# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,16 +44,6 @@ ifneq ($(PLATFORM), windows)
     JGSS_WRAPPER = jgss/wrapper
 endif
 
-# Build PKCS#11 on all platforms except 64-bit Windows.
-# We exclude windows-amd64 because we don't have any
-# 64-bit PKCS#11 implementations to test with on that platform.
-PKCS11 = pkcs11
-ifeq ($(ARCH_DATA_MODEL), 64)
-  ifeq ($(PLATFORM), windows)
-    PKCS11 =
-  endif
-endif
-
 # Build Microsoft CryptoAPI provider only on Windows platform.
 MSCAPI =
 ifeq ($(PLATFORM), windows)
@@ -68,7 +58,7 @@ ifdef DISABLE_INTREE_EC
 endif
 
 SUBDIRS       = $(INTREE_EC) other action util krb5
-SUBDIRS_misc  = jgss $(PKCS11) $(JGSS_WRAPPER) $(MSCAPI) smartcardio
+SUBDIRS_misc  = jgss pkcs11 $(JGSS_WRAPPER) $(MSCAPI) smartcardio
 SUBDIRS_tools = tools
 include $(BUILDDIR)/common/Subdirs.gmk
 

src/share/classes/sun/security/pkcs11/Config.java

 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -197,6 +197,9 @@ final class Config {
     // (false).
     private boolean useEcX963Encoding = false;
 
+    // The minimum library version number
+    private String libraryVersionCheck = null;
+
     private Config(String filename, InputStream in) throws IOException {
         if (in == null) {
             if (filename.startsWith("--")) {
@@ -329,6 +332,10 @@ final class Config {
         return useEcX963Encoding;
     }
 
+    String getLibraryVersionCheck() {
+        return libraryVersionCheck;
+    }
+
     private static String expand(final String s) throws IOException {
         try {
             return PropertyExpander.expand(s);
@@ -451,6 +458,8 @@ final class Config {
                 nssUseSecmodTrust = parseBooleanEntry(word);
             } else if (word.equals("useEcX963Encoding")) {
                 useEcX963Encoding = parseBooleanEntry(word);
+            } else if (word.equals("libraryVersionCheck")) {
+                libraryVersionCheck = parseStringEntry(word);
             } else {
                 throw new ConfigurationException
                         ("Unknown keyword '" + word + "', line " + st.lineno());

src/share/classes/sun/security/pkcs11/SunPKCS11.java

@@ -342,6 +342,18 @@ public final class SunPKCS11 extends AuthProvider {
                 System.out.println("Library info:");
                 System.out.println(p11Info);
             }
+
+            // Check library version number
+            String libraryVersionCheck = config.getLibraryVersionCheck();
+            if (libraryVersionCheck != null) {
+                if (p11Info.libraryVersion.toString()
+                    .compareTo(libraryVersionCheck) < 0) {
+                    throw new ProviderException(
+                        "Cryptoki library version check failed: " +
+                        "installed version is " + p11Info.libraryVersion);
+                }
+            }
+
             if ((slotID < 0) || showInfo) {
                 long[] slots = p11.C_GetSlotList(false);
                 if (showInfo) {

test/ProblemList.txt

@@ -234,16 +234,6 @@ sun/security/ssl/com/sun/net/ssl/internal/ssl/GenSSLConfigs/main.java	solaris-al
 # 7147060
 com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java	generic-all
 
-# Failing on Solaris i586, 3/9/2010, not a -samevm issue (jdk_security3)
-sun/security/pkcs11/Secmod/AddPrivateKey.java                   solaris-i586
-sun/security/pkcs11/ec/ReadCertificates.java                    solaris-i586
-sun/security/pkcs11/ec/ReadPKCS12.java                          solaris-i586
-sun/security/pkcs11/ec/TestCurves.java                          solaris-i586
-sun/security/pkcs11/ec/TestECDSA.java                           solaris-i586
-#sun/security/pkcs11/ec/TestECGenSpec.java                      solaris-i586
-#sun/security/pkcs11/ec/TestKeyFactory.java                     solaris-i586
-sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java            solaris-i586
-
 # Fails on Fedora 9/Ubuntu 10.04 64bit, PKCS11Exception: CKR_DEVICE_ERROR
 sun/security/pkcs11/KeyAgreement/TestDH.java                    generic-all
 

test/sun/security/pkcs11/PKCS11Test.java

 /*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,6 +42,9 @@ public abstract class PKCS11Test {
     // directory corresponding to BASE in the /closed hierarchy
     static final String CLOSED_BASE;
 
+    // Minimum supported NSS library version
+    private static final String MINIMUM_SUPPORTED_NSS_VERSION = "3.12";
+
     static {
         // hack
         String absBase = new File(BASE).getAbsolutePath();
@@ -129,6 +132,13 @@ public abstract class PKCS11Test {
     }
 
     private static String PKCS11_BASE;
+    static {
+        try {
+            PKCS11_BASE = getBase();
+        } catch (Exception e) {
+            // ignore
+        }
+    }
 
     private final static String PKCS11_REL_PATH = "sun/security/pkcs11";
 
@@ -160,20 +170,18 @@ public abstract class PKCS11Test {
         }
         String osid = osName + "-"
                 + props.getProperty("os.arch") + "-" + props.getProperty("sun.arch.data.model");
-        String ostype = osMap.get(osid);
-        if (ostype == null) {
+        String nssLibDir = osMap.get(osid);
+        if (nssLibDir == null) {
             System.out.println("Unsupported OS, skipping: " + osid);
             return null;
-//          throw new Exception("Unsupported OS " + osid);
+//          throw new Exception("Unsupported OS " + osName);
         }
-        if (ostype.length() == 0) {
+        if (nssLibDir.length() == 0) {
             System.out.println("NSS not supported on this platform, skipping test");
             return null;
         }
-        String base = getBase();
-        String libdir = base + SEP + "nss" + SEP + "lib" + SEP + ostype + SEP;
-        System.setProperty("pkcs11test.nss.libdir", libdir);
-        return libdir;
+        System.setProperty("pkcs11test.nss.libdir", nssLibDir);
+        return nssLibDir;
     }
 
     protected static void safeReload(String lib) throws Exception {
@@ -191,6 +199,8 @@ public abstract class PKCS11Test {
         safeReload(libdir + System.mapLibraryName(NSPR_PREFIX + "nspr4"));
         safeReload(libdir + System.mapLibraryName(NSPR_PREFIX + "plc4"));
         safeReload(libdir + System.mapLibraryName(NSPR_PREFIX + "plds4"));
+        safeReload(libdir + System.mapLibraryName("sqlite3"));
+        safeReload(libdir + System.mapLibraryName("nssutil3"));
         return true;
     }
 
@@ -220,7 +230,12 @@ public abstract class PKCS11Test {
                                 customConfig :
                                 base + SEP + "nss" + SEP + customConfigName;
 
+        System.out.println("[WARNING: NSS libraries loaded from " + libdir +
+            " must be at least version " +
+            MINIMUM_SUPPORTED_NSS_VERSION + "]");
         System.setProperty("pkcs11test.nss.lib", libfile);
+        System.setProperty("pkcs11test.nss.libVersionCheck",
+            MINIMUM_SUPPORTED_NSS_VERSION);
         System.setProperty("pkcs11test.nss.db", dbdir);
         Provider p = getSunPKCS11(p11config);
         test.premain(p);
@@ -229,15 +244,19 @@ public abstract class PKCS11Test {
 
     private static final Map<String,String> osMap;
 
+    // Location of the NSS libraries on each supported platform
     static {
         osMap = new HashMap<String,String>();
-        osMap.put("SunOS-sparc-32", "solaris-sparc");
-        osMap.put("SunOS-sparcv9-64", "solaris-sparcv9");
-        osMap.put("SunOS-x86-32", "solaris-i586");
-        osMap.put("SunOS-amd64-64", "solaris-amd64");
-        osMap.put("Linux-i386-32", "linux-i586");
-        osMap.put("Linux-amd64-64", "linux-amd64");
-        osMap.put("Windows-x86-32", "windows-i586");
+        osMap.put("SunOS-sparc-32", "/usr/lib/mps/");
+        osMap.put("SunOS-sparcv9-64", "/usr/lib/mps/64/");
+        osMap.put("SunOS-x86-32", "/usr/lib/mps/");
+        osMap.put("SunOS-amd64-64", "/usr/lib/mps/64/");
+        osMap.put("Linux-i386-32", "/usr/lib/");
+        osMap.put("Linux-amd64-64", "/usr/lib64/");
+        osMap.put("Windows-x86-32",
+            PKCS11_BASE + "/nss/lib/windows-i586/".replace('/', SEP));
+        osMap.put("Windows-amd64-64",
+            PKCS11_BASE + "/nss/lib/windows-amd64/".replace('/', SEP));
     }
 
     private final static char[] hexDigits = "0123456789abcdef".toCharArray();

test/sun/security/pkcs11/nss/lib/README

+This copy of the Mozilla NSS-3.13.1 libraries is used by the PKCS11 tests.
+The following source code versions were used to build these libraries:
+  NSS_3.13.1_RTM
+  NSPR_4.8.9_RTM

test/sun/security/pkcs11/nss/p11-nss.txt

@@ -9,6 +9,8 @@ slot = 1
 
 library = ${pkcs11test.nss.lib}
 
+libraryVersionCheck = ${pkcs11test.nss.libVersionCheck}
+
 nssArgs = "configdir='${pkcs11test.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly"
 
 # HMAC_SHA256/384/512 broken until NSS 3.10.2

test/sun/security/tools/keytool/autotest.sh

 #
-# Copyright (c) 2006, 2009, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -50,7 +50,7 @@ case "$OS" in
     ARCH=`isainfo`
     case "$ARCH" in
       sparc* )
-        PF="solaris-sparc"
+        NSSDIR="/usr/lib/mps"
         ;;
       * )
         echo "Will not run test on: Solaris ${ARCH}"
@@ -64,7 +64,7 @@ case "$OS" in
     FS="/"
     case "$ARCH" in
       i[3-6]86 )
-        PF="linux-i586"
+        NSSDIR="/usr/lib"
         ;;
       * )
         echo "Will not run test on: Linux ${ARCH}"
@@ -91,7 +91,7 @@ chmod u+w key3.db
 chmod u+w cert8.db
 
 echo | ${TESTJAVA}${FS}bin${FS}java -Dnss \
-   -Dnss.lib=${NSS}${FS}lib${FS}${PF}${FS}${LIBNAME} \
+   -Dnss.lib=${NSSDIR}${FS}${LIBNAME} \
    KeyToolTest
 status=$?