提交 95388526 编写于 作者: A ascarpino

8027218: TEST_BUG: sun/security/pkcs11/ec tests fail because of ever-changing key size restrictions

Reviewed-by: vinnie
上级 bea8a261
......@@ -29,6 +29,8 @@ import java.util.*;
import java.lang.reflect.*;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
public abstract class PKCS11Test {
......@@ -357,6 +359,93 @@ public abstract class PKCS11Test {
test.premain(p);
}
// Generate a vector of supported elliptic curves of a given provider
static Vector<ECParameterSpec> getKnownCurves(Provider p) throws Exception {
int index;
int begin;
int end;
String curve;
KeyPair kp = null;
Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
// Get Curves to test from SunEC.
String kcProp = Security.getProvider("SunEC").
getProperty("AlgorithmParameters.EC SupportedCurves");
if (kcProp == null) {
throw new RuntimeException(
"\"AlgorithmParameters.EC SupportedCurves property\" not found");
}
System.out.println("Finding supported curves using list from SunEC\n");
index = 0;
for (;;) {
// Each set of curve names is enclosed with brackets.
begin = kcProp.indexOf('[', index);
end = kcProp.indexOf(']', index);
if (begin == -1 || end == -1) {
break;
}
/*
* Each name is separated by a comma.
* Just get the first name in the set.
*/
index = end + 1;
begin++;
end = kcProp.indexOf(',', begin);
if (end == -1) {
// Only one name in the set.
end = index -1;
}
curve = kcProp.substring(begin, end);
ECParameterSpec e = getECParameterSpec(p, curve);
System.out.print("\t "+ curve + ": ");
try {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
kpg.initialize(e);
kp = kpg.generateKeyPair();
results.add(e);
System.out.println("Supported");
} catch (ProviderException ex) {
System.out.println("Unsupported: PKCS11: " +
ex.getCause().getMessage());
} catch (InvalidAlgorithmParameterException ex) {
System.out.println("Unsupported: Key Length: " +
ex.getMessage());
}
}
if (results.size() == 0) {
throw new RuntimeException("No supported EC curves found");
}
return results;
}
private static ECParameterSpec getECParameterSpec(Provider p, String name)
throws Exception {
AlgorithmParameters parameters =
AlgorithmParameters.getInstance("EC", p);
parameters.init(new ECGenParameterSpec(name));
return parameters.getParameterSpec(ECParameterSpec.class);
}
// Check support for a curve with a provided Vector of EC support
boolean checkSupport(Vector<ECParameterSpec> supportedEC,
ECParameterSpec curve) {
boolean found = false;
for (ECParameterSpec ec: supportedEC) {
if (ec.equals(curve)) {
return true;
}
}
return false;
}
private static final Map<String,String[]> osMap;
......
......@@ -37,6 +37,7 @@ import java.util.*;
import java.security.cert.*;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.ECParameterSpec;
import javax.security.auth.x500.X500Principal;
......@@ -101,33 +102,44 @@ public class ReadCertificates extends PKCS11Test {
}
System.out.println("OK: " + certs.size() + " certificates.");
// Get supported curves
Vector<ECParameterSpec> supportedEC = getKnownCurves(p);
System.out.println("Test Certs:\n");
for (X509Certificate cert : certs.values()) {
X509Certificate issuer = certs.get(cert.getIssuerX500Principal());
System.out.println("Verifying " + cert.getSubjectX500Principal() + "...");
System.out.print("Verifying " + cert.getSubjectX500Principal() +
"... ");
PublicKey key = issuer.getPublicKey();
// First try the provider under test (if it does not support the
// necessary algorithm then try any registered provider).
try {
cert.verify(key, p.getName());
} catch (NoSuchAlgorithmException e) {
System.out.println("Warning: " + e.getMessage() +
". Trying another provider...");
cert.verify(key);
} catch (InvalidKeyException e) {
// The root cause of the exception might be NSS not having
// "ECC Extended" support curves. If so, we can ignore it.
Throwable t = e;
while (t.getCause() != null) {
t = t.getCause();
}
if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
isNSS(p) && getNSSECC() == ECCState.Basic) {
System.out.println("Failed as expected. NSS Basic ECC.");
// Check if curve is supported
if (issuer.getPublicKey() instanceof ECPublicKey) {
if (!checkSupport(supportedEC,
((ECPublicKey)key).getParams())) {
System.out.println("Curve not found. Skipped.");
continue;
}
throw e;
}
try {
cert.verify(key, p.getName());
System.out.println("Pass.");
} catch (NoSuchAlgorithmException e) {
System.out.println("Warning: " + e.getMessage() +
". Trying another provider...");
cert.verify(key);
} catch (Exception e) {
System.out.println(e.getMessage());
if (key instanceof ECPublicKey) {
System.out.println("Failed.\n\tCurve: " +
((ECPublicKey)key).getParams() +
"\n\tSignature Alg: " + cert.getSigAlgName());
} else {
System.out.println("Key: "+key.toString());
}
System.err.println("Verifying " + cert.getSubjectX500Principal());
e.printStackTrace();
}
}
// try some random invalid signatures to make sure we get the correct
......
......@@ -56,47 +56,49 @@ public class TestCurves extends PKCS11Test {
return;
}
// Check if this is sparc for later failure avoidance.
boolean sparc = false;
if (System.getProperty("os.arch").equals("sparcv9")) {
sparc = true;
System.out.println("This is a sparcv9");
}
Random random = new Random();
byte[] data = new byte[2048];
random.nextBytes(data);
Vector<ECParameterSpec> curves = getKnownCurves(p);
for (ECParameterSpec params : curves) {
System.out.println("Testing " + params + "...");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
kpg.initialize(params);
KeyPair kp1, kp2;
kp1 = kpg.generateKeyPair();
kp2 = kpg.generateKeyPair();
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
// Check because Solaris ncp driver does not support these but
// Solaris metaslot causes them to be run.
try {
kp1 = kpg.generateKeyPair();
kp2 = kpg.generateKeyPair();
} catch (Exception e) {
// The root cause of the exception might be NSS not having
// "ECC Extended" support curves. If so, we can ignore it.
if (e instanceof java.security.ProviderException) {
testSigning(p, "SHA224withECDSA", data, kp1, kp2);
testSigning(p, "SHA256withECDSA", data, kp1, kp2);
testSigning(p, "SHA384withECDSA", data, kp1, kp2);
testSigning(p, "SHA512withECDSA", data, kp1, kp2);
} catch (ProviderException e) {
if (sparc) {
Throwable t = e.getCause();
if (t instanceof
sun.security.pkcs11.wrapper.PKCS11Exception &&
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
isNSS(p) && (getNSSECC() == ECCState.Basic) &&
(!params.toString().startsWith("secp256r1") &&
!params.toString().startsWith("secp384r1") &&
!params.toString().startsWith("secp521r1"))) {
System.out.println("NSS Basic ECC. Failure expected");
continue;
if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
t.getMessage().equals("CKR_ATTRIBUTE_VALUE_INVALID")) {
System.out.print("-Failure not uncommon. Probably pre-T4.");
} else {
throw e;
}
} else {
throw e;
}
throw e;
}
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
testSigning(p, "SHA224withECDSA", data, kp1, kp2);
testSigning(p, "SHA256withECDSA", data, kp1, kp2);
testSigning(p, "SHA384withECDSA", data, kp1, kp2);
testSigning(p, "SHA512withECDSA", data, kp1, kp2);
// System.out.println();
System.out.println();
KeyAgreement ka1 = KeyAgreement.getInstance("ECDH", p);
ka1.init(kp1.getPrivate());
......@@ -116,70 +118,9 @@ public class TestCurves extends PKCS11Test {
System.out.println("OK");
}
private static Vector<ECParameterSpec>
getKnownCurves(Provider p) throws Exception {
int index;
int begin;
int end;
String curve;
Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
// Get Curves to test from SunEC.
String kcProp = Security.getProvider("SunEC").
getProperty("AlgorithmParameters.EC SupportedCurves");
if (kcProp == null) {
throw new RuntimeException(
"\"AlgorithmParameters.EC SupportedCurves property\" not found");
}
index = 0;
for (;;) {
// Each set of curve names is enclosed with brackets.
begin = kcProp.indexOf('[', index);
end = kcProp.indexOf(']', index);
if (begin == -1 || end == -1) {
break;
}
/*
* Each name is separated by a comma.
* Just get the first name in the set.
*/
index = end + 1;
begin++;
end = kcProp.indexOf(',', begin);
if (end == -1) {
// Only one name in the set.
end = index -1;
}
curve = kcProp.substring(begin, end);
results.add(getECParameterSpec(p, curve));
}
if (results.size() == 0) {
throw new RuntimeException("No supported EC curves found");
}
return results;
}
private static ECParameterSpec getECParameterSpec(Provider p, String name)
throws Exception {
AlgorithmParameters parameters =
AlgorithmParameters.getInstance("EC", p);
parameters.init(new ECGenParameterSpec(name));
return parameters.getParameterSpec(ECParameterSpec.class);
}
private static void testSigning(Provider p, String algorithm,
byte[] data, KeyPair kp1, KeyPair kp2) throws Exception {
// System.out.print(" " + algorithm);
System.out.print(" " + algorithm);
Signature s = Signature.getInstance(algorithm, p);
s.initSign(kp1.getPrivate());
s.update(data);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册