From 95388526b9082db896294d6c796205c336983bb1 Mon Sep 17 00:00:00 2001 From: ascarpino Date: Wed, 4 Dec 2013 10:59:17 -0800 Subject: [PATCH] 8027218: TEST_BUG: sun/security/pkcs11/ec tests fail because of ever-changing key size restrictions Reviewed-by: vinnie --- test/sun/security/pkcs11/PKCS11Test.java | 89 ++++++++++++++ .../security/pkcs11/ec/ReadCertificates.java | 54 ++++---- test/sun/security/pkcs11/ec/TestCurves.java | 115 +++++------------- 3 files changed, 150 insertions(+), 108 deletions(-) diff --git a/test/sun/security/pkcs11/PKCS11Test.java b/test/sun/security/pkcs11/PKCS11Test.java index 138252475..3699f8804 100644 --- a/test/sun/security/pkcs11/PKCS11Test.java +++ b/test/sun/security/pkcs11/PKCS11Test.java @@ -29,6 +29,8 @@ import java.util.*; import java.lang.reflect.*; import java.security.*; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.ECParameterSpec; public abstract class PKCS11Test { 
@@ -357,6 +359,93 @@ public abstract class PKCS11Test { test.premain(p); } + // Generate a vector of supported elliptic curves of a given provider + static Vector getKnownCurves(Provider p) throws Exception { + int index; + int begin; + int end; + String curve; + KeyPair kp = null; + + Vector results = new Vector(); + // Get Curves to test from SunEC. + String kcProp = Security.getProvider("SunEC"). + getProperty("AlgorithmParameters.EC SupportedCurves"); + + if (kcProp == null) { + throw new RuntimeException( + "\"AlgorithmParameters.EC SupportedCurves property\" not found"); + } + + System.out.println("Finding supported curves using list from SunEC\n"); + index = 0; + for (;;) { + // Each set of curve names is enclosed with brackets. + begin = kcProp.indexOf('[', index); + end = kcProp.indexOf(']', index); + if (begin == -1 || end == -1) { + break; + } + + /* + * Each name is separated by a comma. + * Just get the first name in the set. + */ + index = end + 1; + begin++; + end = kcProp.indexOf(',', begin); + if (end == -1) { + // Only one name in the set. 
+ end = index -1; + } + + curve = kcProp.substring(begin, end); + ECParameterSpec e = getECParameterSpec(p, curve); + System.out.print("\t "+ curve + ": "); + try { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p); + kpg.initialize(e); + kp = kpg.generateKeyPair(); + results.add(e); + System.out.println("Supported"); + } catch (ProviderException ex) { + System.out.println("Unsupported: PKCS11: " + + ex.getCause().getMessage()); + } catch (InvalidAlgorithmParameterException ex) { + System.out.println("Unsupported: Key Length: " + + ex.getMessage()); + } + } + + if (results.size() == 0) { + throw new RuntimeException("No supported EC curves found"); + } + + return results; + } + + private static ECParameterSpec getECParameterSpec(Provider p, String name) + throws Exception { + + AlgorithmParameters parameters = + AlgorithmParameters.getInstance("EC", p); + + parameters.init(new ECGenParameterSpec(name)); + + return parameters.getParameterSpec(ECParameterSpec.class); + } + + // Check support for a curve with a provided Vector of EC support + boolean checkSupport(Vector supportedEC, + ECParameterSpec curve) { + boolean found = false; + for (ECParameterSpec ec: supportedEC) { + if (ec.equals(curve)) { + return true; + } + } + return false; + } private static final Map osMap; diff --git a/test/sun/security/pkcs11/ec/ReadCertificates.java b/test/sun/security/pkcs11/ec/ReadCertificates.java index ff0a62ba2..8311b8d1e 100644 --- a/test/sun/security/pkcs11/ec/ReadCertificates.java +++ b/test/sun/security/pkcs11/ec/ReadCertificates.java @@ -37,6 +37,7 @@ import java.util.*; import java.security.cert.*; import java.security.*; import java.security.interfaces.*; +import java.security.spec.ECParameterSpec; import javax.security.auth.x500.X500Principal; 
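Review bot: In getKnownCurves (PKCS11Test.java) the `catch (ProviderException ex)` branch prints `ex.getCause().getMessage()`, which throws a NullPointerException whenever the provider raises a ProviderException without a cause. The real error is then replaced by an NPE and the whole curve enumeration aborts. Guard it, for example `Throwable c = ex.getCause();` followed by `System.out.println("Unsupported: PKCS11: " + (c != null ? c.getMessage() : ex.getMessage()));`. The top of the method has the same problem: `Security.getProvider("SunEC")` returns null when SunEC is not installed, so the explicit `kcProp == null` check is never reached, and a separate null check on the provider with its own message would make that case diagnosable. The locals `kp` (getKnownCurves) and `found` (checkSupport) are written but never read and can be dropped.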
@@ -101,33 +102,44 @@ public class ReadCertificates extends PKCS11Test { } System.out.println("OK: " + certs.size() + " certificates."); + // Get supported curves + Vector supportedEC = getKnownCurves(p); + + System.out.println("Test Certs:\n"); for (X509Certificate cert : certs.values()) { X509Certificate issuer = certs.get(cert.getIssuerX500Principal()); - System.out.println("Verifying " + cert.getSubjectX500Principal() + "..."); + System.out.print("Verifying " + cert.getSubjectX500Principal() + + "... "); PublicKey key = issuer.getPublicKey(); - // First try the provider under test (if it does not support the - // necessary algorithm then try any registered provider). - try { - cert.verify(key, p.getName()); - } catch (NoSuchAlgorithmException e) { - System.out.println("Warning: " + e.getMessage() + - ". Trying another provider..."); - cert.verify(key); - } catch (InvalidKeyException e) { - // The root cause of the exception might be NSS not having - // "ECC Extended" support curves. If so, we can ignore it. - Throwable t = e; - while (t.getCause() != null) { - t = t.getCause(); - } - if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception && - t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") && - isNSS(p) && getNSSECC() == ECCState.Basic) { - System.out.println("Failed as expected. NSS Basic ECC."); + // Check if curve is supported + if (issuer.getPublicKey() instanceof ECPublicKey) { + if (!checkSupport(supportedEC, + ((ECPublicKey)key).getParams())) { + System.out.println("Curve not found. Skipped."); continue; } - throw e; } + + try { + cert.verify(key, p.getName()); + System.out.println("Pass."); + } catch (NoSuchAlgorithmException e) { + System.out.println("Warning: " + e.getMessage() + + ". 
Trying another provider..."); + cert.verify(key); + } catch (Exception e) { + System.out.println(e.getMessage()); + if (key instanceof ECPublicKey) { + System.out.println("Failed.\n\tCurve: " + + ((ECPublicKey)key).getParams() + + "\n\tSignature Alg: " + cert.getSigAlgName()); + } else { + System.out.println("Key: "+key.toString()); + } + + System.err.println("Verifying " + cert.getSubjectX500Principal()); + e.printStackTrace(); + } } // try some random invalid signatures to make sure we get the correct diff --git a/test/sun/security/pkcs11/ec/TestCurves.java b/test/sun/security/pkcs11/ec/TestCurves.java index 511bbaf75..de53e2147 100644 --- a/test/sun/security/pkcs11/ec/TestCurves.java +++ b/test/sun/security/pkcs11/ec/TestCurves.java 
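Review bot: The new `catch (Exception e)` around `cert.verify(key, p.getName())` in ReadCertificates.java logs the failure and lets the loop continue, so a certificate whose signature does not verify under the provider under test no longer fails the test. The removed code rethrew everything except the known NSS Basic ECC case. Certificates on unsupported curves are already skipped by `checkSupport`, so anything reaching this handler is an unexpected verification failure and should still fail the run: add `throw e;` after `e.printStackTrace();`, or record the failure and throw once the loop ends. The enclosing method begins and ends outside this hunk, so its `throws` clause cannot be confirmed from here.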
@@ -56,47 +56,49 @@ public class TestCurves extends PKCS11Test { return; } + // Check if this is sparc for later failure avoidance. + boolean sparc = false; + if (System.getProperty("os.arch").equals("sparcv9")) { + sparc = true; + System.out.println("This is a sparcv9"); + } + Random random = new Random(); byte[] data = new byte[2048]; random.nextBytes(data); Vector curves = getKnownCurves(p); - for (ECParameterSpec params : curves) { System.out.println("Testing " + params + "..."); KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p); kpg.initialize(params); KeyPair kp1, kp2; + kp1 = kpg.generateKeyPair(); + kp2 = kpg.generateKeyPair(); + + testSigning(p, "SHA1withECDSA", data, kp1, kp2); + // Check because Solaris ncp driver does not support these but + // Solaris metaslot causes them to be run. try { - kp1 = kpg.generateKeyPair(); - kp2 = kpg.generateKeyPair(); - } catch (Exception e) { - // The root cause of the exception might be NSS not having - // "ECC Extended" support curves. If so, we can ignore it. - if (e instanceof java.security.ProviderException) { + testSigning(p, "SHA224withECDSA", data, kp1, kp2); + testSigning(p, "SHA256withECDSA", data, kp1, kp2); + testSigning(p, "SHA384withECDSA", data, kp1, kp2); + testSigning(p, "SHA512withECDSA", data, kp1, kp2); + } catch (ProviderException e) { + if (sparc) { Throwable t = e.getCause(); - if (t instanceof - sun.security.pkcs11.wrapper.PKCS11Exception && - t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") && - isNSS(p) && (getNSSECC() == ECCState.Basic) && - (!params.toString().startsWith("secp256r1") && - !params.toString().startsWith("secp384r1") && - !params.toString().startsWith("secp521r1"))) { - System.out.println("NSS Basic ECC. Failure expected"); - continue; + if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception && + t.getMessage().equals("CKR_ATTRIBUTE_VALUE_INVALID")) { + System.out.print("-Failure not uncommon. 
Probably pre-T4."); + } else { + throw e; } + } else { + throw e; } - - throw e; } - - testSigning(p, "SHA1withECDSA", data, kp1, kp2); - testSigning(p, "SHA224withECDSA", data, kp1, kp2); - testSigning(p, "SHA256withECDSA", data, kp1, kp2); - testSigning(p, "SHA384withECDSA", data, kp1, kp2); - testSigning(p, "SHA512withECDSA", data, kp1, kp2); - // System.out.println(); + System.out.println(); KeyAgreement ka1 = KeyAgreement.getInstance("ECDH", p); ka1.init(kp1.getPrivate()); 
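Review bot: The four SHA-2 `testSigning` calls in TestCurves.java share one try block, so on sparcv9 a tolerated CKR_ATTRIBUTE_VALUE_INVALID from the first call silently skips the remaining digests for that curve. The log also does not show that they were never exercised. Wrapping each algorithm in its own try keeps the coverage and limits the tolerated failure to the algorithm that actually raised it. In the same handler, `t.getMessage().equals("CKR_ATTRIBUTE_VALUE_INVALID")` throws a NullPointerException when the cause has no message, so the literal should go first. The enclosing method starts and ends outside this hunk.

```java
// … unchanged: key pair generation and SHA1withECDSA signing …
String[] sha2Algorithms = {
    "SHA224withECDSA", "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"
};
for (String algorithm : sha2Algorithms) {
    try {
        testSigning(p, algorithm, data, kp1, kp2);
    } catch (ProviderException e) {
        Throwable t = e.getCause();
        boolean tolerated = sparc
                && t instanceof sun.security.pkcs11.wrapper.PKCS11Exception
                && "CKR_ATTRIBUTE_VALUE_INVALID".equals(t.getMessage());
        if (!tolerated) {
            throw e;
        }
        System.out.print("-Failure not uncommon. Probably pre-T4.");
    }
}
// … unchanged: ECDH key agreement …
```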
@@ -116,70 +118,9 @@ public class TestCurves extends PKCS11Test { System.out.println("OK"); } - private static Vector - getKnownCurves(Provider p) throws Exception { - - int index; - int begin; - int end; - String curve; - Vector results = new Vector(); - // Get Curves to test from SunEC. - String kcProp = Security.getProvider("SunEC"). - getProperty("AlgorithmParameters.EC SupportedCurves"); - - if (kcProp == null) { - throw new RuntimeException( - "\"AlgorithmParameters.EC SupportedCurves property\" not found"); - } - - index = 0; - for (;;) { - // Each set of curve names is enclosed with brackets. - begin = kcProp.indexOf('[', index); - end = kcProp.indexOf(']', index); - if (begin == -1 || end == -1) { - break; - } - - /* - * Each name is separated by a comma. - * Just get the first name in the set. - */ - index = end + 1; - begin++; - end = kcProp.indexOf(',', begin); - if (end == -1) { - // Only one name in the set. - end = index -1; - } - - curve = kcProp.substring(begin, end); - - results.add(getECParameterSpec(p, curve)); - } - - if (results.size() == 0) { - throw new RuntimeException("No supported EC curves found"); - } - - return results; - } - - private static ECParameterSpec getECParameterSpec(Provider p, String name) - throws Exception { - - AlgorithmParameters parameters = - AlgorithmParameters.getInstance("EC", p); - - parameters.init(new ECGenParameterSpec(name)); - - return parameters.getParameterSpec(ECParameterSpec.class); - } - private static void testSigning(Provider p, String algorithm, byte[] data, KeyPair kp1, KeyPair kp2) throws Exception { - // System.out.print(" " + algorithm); + System.out.print(" " + algorithm); Signature s = Signature.getInstance(algorithm, p); s.initSign(kp1.getPrivate()); s.update(data); -- GitLab