8020424: The NSS version should be detected before running crypto tests

Reviewed-by: valeriep

test/ProblemList.txt

@@ -255,32 +255,12 @@ sun/rmi/transport/proxy/EagerHttpFallback.java                  generic-all
 
 # jdk_security
 
-# 8012971 PKCS11Test hiding exception failures
-sun/security/pkcs11/KeyStore/SecretKeysBasic.java		solaris-all
-sun/security/pkcs11/KeyStore/SecretKeysBasic.java		linux-all
-sun/security/pkcs11/ec/TestCurves.java				solaris-all
-sun/security/pkcs11/ec/TestCurves.java				linux-all
-sun/security/pkcs11/ec/TestECDH.java				solaris-all
-sun/security/pkcs11/ec/TestECDH2.java				solaris-all
-sun/security/pkcs11/ec/TestECDH2.java				linux-all
-sun/security/pkcs11/ec/TestECDSA.java				solaris-all
-sun/security/pkcs11/ec/TestECDSA.java				linux-all
-sun/security/pkcs11/ec/TestECDSA2.java				solaris-all
-sun/security/pkcs11/ec/TestECDSA2.java				linux-all
-sun/security/pkcs11/ec/TestECGenSpec.java			solaris-all
-sun/security/pkcs11/ec/TestECGenSpec.java			linux-all
-sun/security/pkcs11/ec/TestKeyFactory.java			solaris-all
-sun/security/pkcs11/ec/TestKeyFactory.java			linux-all
+# 7157786
+sun/security/pkcs11/ec/TestKeyFactory.java                      generic-all
 
 # 7164518: no PortUnreachableException on Mac
 sun/security/krb5/auto/Unreachable.java                         macosx-all
 
-# 7193793
-sun/security/pkcs11/ec/TestECDH.java				linux-all
-
-# 7198198: the test also fails on SuSE Linux
-sun/security/pkcs11/ec/ReadCertificates.java                    linux-all
-
 # 7147060
 com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java	generic-all
 
@@ -290,9 +270,6 @@ sun/security/pkcs11/ec/ReadCertificates.java                    solaris-all
 sun/security/pkcs11/ec/ReadPKCS12.java                          solaris-all
 sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java            solaris-all
 
-# 8005247
-sun/security/pkcs11/ec/TestECDSA.java				solaris-all
-
 # 8009438
 sun/security/pkcs11/Secmod/AddPrivateKey.java			linux-all
 sun/security/pkcs11/Secmod/TrustAnchors.java 			linux-all

test/sun/security/pkcs11/KeyStore/SecretKeysBasic.java

 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2013 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,16 +23,10 @@
 
 import java.io.*;
 import java.util.*;
-import java.lang.reflect.*;
-
 import java.security.*;
-import java.security.cert.*;
-import java.security.spec.*;
-import java.security.interfaces.*;
-import java.math.BigInteger;
-
 import javax.crypto.*;
 import javax.crypto.spec.*;
+import javax.xml.bind.DatatypeConverter;
 
 public class SecretKeysBasic extends PKCS11Test {
 
@@ -94,6 +88,17 @@ public class SecretKeysBasic extends PKCS11Test {
             SecretKey expected,
             boolean saveBeforeCheck)
             throws Exception {
+
+        // A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths
+        // to be read incorrectly.  Checking for improper 16 byte length
+        // in key string.
+        if (isNSS(provider) && expected.getAlgorithm().equals("AES") &&
+                (getNSSVersion() >= 3.12 && getNSSVersion() <= 3.122)) {
+            System.out.println("NSS 3.12 bug returns incorrect AES key "+
+                    "length breaking key storage. Aborting...");
+            return true;
+        }
+
         if (saveBeforeCheck) {
             ks.setKeyEntry(alias, expected, null, null);
         }
@@ -127,7 +132,7 @@ public class SecretKeysBasic extends PKCS11Test {
         System.out.println("\tALGO=" + key.getAlgorithm());
         if (key.getFormat() != null) {
             System.out.println("\t[" + key.getFormat() + "] VALUE=" +
-                    new BigInteger(key.getEncoded()));
+                    DatatypeConverter.printHexBinary(key.getEncoded()));
         } else {
             System.out.println("\tVALUE=n/a");
         }

test/sun/security/pkcs11/PKCS11Test.java

@@ -54,6 +54,11 @@ public abstract class PKCS11Test {
 
     static String NSPR_PREFIX = "";
 
+    // NSS version info
+    public static enum ECCState { None, Basic, Extended };
+    static double nss_version = -1;
+    static ECCState nss_ecc_status = ECCState.Extended;
+
     // The NSS library we need to search for in getNSSLibDir()
     // Default is "libsoftokn3.so", listed as "softokn3"
     // The other is "libnss3.so", listed as "nss3".
@@ -217,6 +222,104 @@ public abstract class PKCS11Test {
         return true;
     }
 
+    // Check the provider being used is NSS
+    public static boolean isNSS(Provider p) {
+        return p.getName().toUpperCase().equals("SUNPKCS11-NSS");
+    }
+
+    static double getNSSVersion() {
+        if (nss_version == -1)
+            getNSSInfo();
+        return nss_version;
+    }
+
+    static ECCState getNSSECC() {
+        if (nss_version == -1)
+            getNSSInfo();
+        return nss_ecc_status;
+    }
+
+    /* Read the library to find out the verison */
+    static void getNSSInfo() {
+        String nssHeader = "$Header: NSS";
+        boolean found = false;
+        String s = null;
+        int i = 0;
+        String libfile = "";
+
+        try {
+            libfile = getNSSLibDir() + System.mapLibraryName(nss_library);
+            FileInputStream is = new FileInputStream(libfile);
+            byte[] data = new byte[1000];
+            int read = 0;
+
+            while (is.available() > 0) {
+                if (read == 0) {
+                    read = is.read(data, 0, 1000);
+                } else {
+                    // Prepend last 100 bytes in case the header was split
+                    // between the reads.
+                    System.arraycopy(data, 900, data, 0, 100);
+                    read = 100 + is.read(data, 100, 900);
+                }
+
+                s = new String(data, 0, read);
+                if ((i = s.indexOf(nssHeader)) > 0) {
+                    found = true;
+                    // If the nssHeader is before 920 we can break, otherwise
+                    // we may not have the whole header so do another read.  If
+                    // no bytes are in the stream, that is ok, found is true.
+                    if (i < 920) {
+                        break;
+                    }
+                }
+            }
+
+            is.close();
+
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        if (!found) {
+            System.out.println("NSS version not found, set to 0.0: "+libfile);
+            nss_version = 0.0;
+            return;
+        }
+
+        // the index after whitespace after nssHeader
+        int afterheader = s.indexOf("NSS", i) + 4;
+        String version = s.substring(afterheader, s.indexOf(' ', afterheader));
+
+        // If a "dot dot" release, strip the extra dots for double parsing
+        String[] dot = version.split("\\.");
+        if (dot.length > 2) {
+            version = dot[0]+"."+dot[1];
+            for (int j = 2; dot.length > j; j++) {
+                version += dot[j];
+            }
+        }
+
+        // Convert to double for easier version value checking
+        try {
+            nss_version = Double.parseDouble(version);
+        } catch (NumberFormatException e) {
+            System.out.println("Failed to parse NSS version. Set to 0.0");
+            e.printStackTrace();
+        }
+
+        System.out.print("NSS version = "+version+".  ");
+
+        // Check for ECC
+        if (s.indexOf("Basic") > 0) {
+            nss_ecc_status = ECCState.Basic;
+            System.out.println("ECC Basic.");
+        } else if (s.indexOf("Extended") > 0) {
+            nss_ecc_status = ECCState.Extended;
+            System.out.println("ECC Extended.");
+        }
+    }
+
     // Used to set the nss_library file to search for libsoftokn3.so
     public static void useNSS() {
         nss_library = "nss3";

test/sun/security/pkcs11/README

+This README is to keep a list facts and known workaround for the pkcs11 java tests
+perform as a result of bugs or features in NSS or other pkcs11 libraries.
+
+- NSS ECC None/Basic/Extended
+The tests detect the NSS library support for Elliptic Curves as to not
+report incorrect failures.  PKCS11 reports back CKR_DOMAIN_PARAMS_INVALID
+when the curve is not supported.
+
+- Default libsoftokn3.so
+By default PKCS11Test.java will look for libsoftokn3.so.  There are a number of
+tests, particularly in Secmod, that need libnss3.so.  The method useNSS() in
+PKCS11test.java is to change the search and version checking to libnss3.
+
+ECC Basic supports is secp256r1, secp384r1, and secp521r1.
+
+- A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths to be
+read incorrectly. KeyStore/SecretKeysBasic.java tiggers this bug and
+knows to avoid it.
+
+- A number of EC tests fail because of a DER bug in NSS 3.11.  The best guess
+is Mozilla bug 480280.  Those tests that abort execution with a PASS result
+are:  TestECDH2, TestECDSA, TestECDSA2 and TestECGenSpec.

test/sun/security/pkcs11/ec/ReadCertificates.java

 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -113,6 +113,20 @@ public class ReadCertificates extends PKCS11Test {
                 System.out.println("Warning: " + e.getMessage() +
                 ". Trying another provider...");
                 cert.verify(key);
+            } catch (InvalidKeyException e) {
+                // The root cause of the exception might be NSS not having
+                // "ECC Extended" support curves.  If so, we can ignore it.
+                Throwable t = e;
+                while (t.getCause() != null) {
+                    t = t.getCause();
+                }
+                if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
+                        t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
+                        isNSS(p) && getNSSECC() == ECCState.Basic) {
+                    System.out.println("Failed as expected. NSS Basic ECC.");
+                    continue;
+                }
+                throw e;
             }
         }
 

test/sun/security/pkcs11/ec/TestCurves.java

 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -50,6 +50,12 @@ public class TestCurves extends PKCS11Test {
             return;
         }
 
+        if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
+            System.out.println("NSS 3.11 has a DER issue that recent " +
+                    "version do not.");
+            return;
+        }
+
         Random random = new Random();
         byte[] data = new byte[2048];
         random.nextBytes(data);
@@ -61,8 +67,29 @@ public class TestCurves extends PKCS11Test {
             KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
             kpg.initialize(params);
             KeyPair kp1, kp2;
-            kp1 = kpg.generateKeyPair();
-            kp2 = kpg.generateKeyPair();
+
+            try {
+                kp1 = kpg.generateKeyPair();
+                kp2 = kpg.generateKeyPair();
+            } catch (Exception e) {
+                // The root cause of the exception might be NSS not having
+                // "ECC Extended" support curves.  If so, we can ignore it.
+                if (e instanceof java.security.ProviderException) {
+                    Throwable t = e.getCause();
+                    if (t instanceof
+                            sun.security.pkcs11.wrapper.PKCS11Exception &&
+                            t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
+                            isNSS(p) && (getNSSECC() == ECCState.Basic) &&
+                            (!params.toString().startsWith("secp256r1") &&
+                            !params.toString().startsWith("secp384r1") &&
+                            !params.toString().startsWith("secp521r1"))) {
+                        System.out.println("NSS Basic ECC.  Failure expected");
+                        continue;
+                    }
+                }
+
+                throw e;
+            }
 
             testSigning(p, "SHA1withECDSA", data, kp1, kp2);
             testSigning(p, "SHA224withECDSA", data, kp1, kp2);
@@ -97,8 +124,9 @@ public class TestCurves extends PKCS11Test {
         int end;
         String curve;
         Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
-        String kcProp =
-            p.getProperty("AlgorithmParameters.EC SupportedCurves");
+        // Get Curves to test from SunEC.
+        String kcProp = Security.getProvider("SunEC").
+                getProperty("AlgorithmParameters.EC SupportedCurves");
 
         if (kcProp == null) {
             throw new RuntimeException(

test/sun/security/pkcs11/ec/TestECDH.java

 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -61,6 +61,11 @@ public class TestECDH extends PKCS11Test {
             return;
         }
 
+        if (isNSS(p) && getNSSECC() == ECCState.Basic) {
+            System.out.println("NSS only supports Basic ECC.  Skipping..");
+            return;
+        }
+
         /*
          * PKCS11Test.main will remove this provider if needed
          */

test/sun/security/pkcs11/ec/TestECDH2.java

 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -106,6 +106,13 @@ public class TestECDH2 extends PKCS11Test {
             return;
         }
 
+        if (isNSS(provider) && getNSSVersion() >= 3.11 &&
+                getNSSVersion() < 3.12) {
+            System.out.println("NSS 3.11 has a DER issue that recent " +
+                    "version do not.");
+            return;
+        }
+
         kf = KeyFactory.getInstance("EC", provider);
         kpg = KeyPairGenerator.getInstance("EC", provider);
 

test/sun/security/pkcs11/ec/TestECDSA.java

 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,9 +30,7 @@
  * @library ../../../../java/security/testlibrary
  */
 
-import java.io.*;
 import java.util.*;
-import java.math.BigInteger;
 
 import java.security.*;
 import java.security.spec.*;
@@ -117,6 +115,13 @@ public class TestECDSA extends PKCS11Test {
             return;
         }
 
+        if (isNSS(provider) && getNSSVersion() >= 3.11 &&
+                getNSSVersion() < 3.12) {
+            System.out.println("NSS 3.11 has a DER issue that recent " +
+                    "version do not.");
+            return;
+        }
+
         /*
          * PKCS11Test.main will remove this provider if needed
          */
@@ -136,10 +141,14 @@ public class TestECDSA extends PKCS11Test {
             return;
         }
 
-        test(provider, pub192, priv192, sig192);
-        test(provider, pub163, priv163, sig163);
+        if (getNSSECC() != ECCState.Basic) {
+            test(provider, pub192, priv192, sig192);
+            test(provider, pub163, priv163, sig163);
+            test(provider, pub571, priv571, sig571);
+        } else {
+            System.out.println("ECC Basic only, skipping 192, 163 and 571.");
+        }
         test(provider, pub521, priv521, sig521);
-        test(provider, pub571, priv571, sig571);
 
         long stop = System.currentTimeMillis();
         System.out.println("All tests passed (" + (stop - start) + " ms).");

test/sun/security/pkcs11/ec/TestECDSA2.java

 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -104,6 +104,13 @@ public class TestECDSA2 extends PKCS11Test {
             return;
         }
 
+        if (isNSS(provider) && getNSSVersion() >= 3.11 &&
+                getNSSVersion() < 3.12) {
+            System.out.println("NSS 3.11 has a DER issue that recent " +
+                    "version do not.");
+            return;
+        }
+
         kf = KeyFactory.getInstance("EC", provider);
 
         long start = System.currentTimeMillis();

test/sun/security/pkcs11/ec/TestECGenSpec.java

 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -47,9 +47,20 @@ public class TestECGenSpec extends PKCS11Test {
             return;
         }
 
-        String[] names = { "NIST P-192", "sect163k1", "1.3.132.0.26", "X9.62 c2tnb239v1"};
-        int[] lengths = {192, 163, 233, 239};
-        for (int i = 0; i < names.length; i++) {
+        if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
+            System.out.println("NSS 3.11 has a DER issue that recent " +
+                    "version do not.");
+            return;
+        }
+
+        String[] names = { "secp256r1", "NIST P-192", "sect163k1", "1.3.132.0.26",
+            "X9.62 c2tnb239v1"};
+        int curves = 1;
+        if (getNSSECC() == ECCState.Extended) {
+            curves = names.length;
+        }
+        int[] lengths = {256, 192, 163, 233, 239};
+        for (int i = 0; i < curves; i++) {
             String name = names[i];
             int len = lengths[i];
             System.out.println("Testing " + name + "...");

test/sun/security/pkcs11/ec/TestKeyFactory.java

 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -119,11 +119,17 @@ public class TestKeyFactory extends PKCS11Test {
             System.out.println("Provider does not support EC, skipping");
             return;
         }
-        int[] keyLengths = {192, 163, 521, 409};
+        int[] keyLengths = {192, 163, 409, 521};
+        int len = 0;
+        if (getNSSECC() == ECCState.Basic) {
+            System.out.println("NSS Basic ECC only. Skipping 192, 163, & 409");
+            len = 3;
+        }
         KeyFactory kf = KeyFactory.getInstance("EC", p);
-        for (int len : keyLengths) {
+        for (; keyLengths.length > len ; len++) {
+            System.out.println("Length "+keyLengths[len]);
             KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
-            kpg.initialize(len);
+            kpg.initialize(keyLengths[len]);
             KeyPair kp = kpg.generateKeyPair();
             test(kf, kp.getPrivate());
             test(kf, kp.getPublic());