提交 ef3392b7 编写于 作者: A ascarpino

8020424: The NSS version should be detected before running crypto tests

Reviewed-by: valeriep
上级 b8dc172b
......@@ -255,32 +255,12 @@ sun/rmi/transport/proxy/EagerHttpFallback.java generic-all
# jdk_security
# 8012971 PKCS11Test hiding exception failures
sun/security/pkcs11/KeyStore/SecretKeysBasic.java solaris-all
sun/security/pkcs11/KeyStore/SecretKeysBasic.java linux-all
sun/security/pkcs11/ec/TestCurves.java solaris-all
sun/security/pkcs11/ec/TestCurves.java linux-all
sun/security/pkcs11/ec/TestECDH.java solaris-all
sun/security/pkcs11/ec/TestECDH2.java solaris-all
sun/security/pkcs11/ec/TestECDH2.java linux-all
sun/security/pkcs11/ec/TestECDSA.java solaris-all
sun/security/pkcs11/ec/TestECDSA.java linux-all
sun/security/pkcs11/ec/TestECDSA2.java solaris-all
sun/security/pkcs11/ec/TestECDSA2.java linux-all
sun/security/pkcs11/ec/TestECGenSpec.java solaris-all
sun/security/pkcs11/ec/TestECGenSpec.java linux-all
sun/security/pkcs11/ec/TestKeyFactory.java solaris-all
sun/security/pkcs11/ec/TestKeyFactory.java linux-all
# 7157786
sun/security/pkcs11/ec/TestKeyFactory.java generic-all
# 7164518: no PortUnreachableException on Mac
sun/security/krb5/auto/Unreachable.java macosx-all
# 7193793
sun/security/pkcs11/ec/TestECDH.java linux-all
# 7198198: the test also fails on SuSE Linux
sun/security/pkcs11/ec/ReadCertificates.java linux-all
# 7147060
com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java generic-all
......@@ -290,9 +270,6 @@ sun/security/pkcs11/ec/ReadCertificates.java solaris-all
sun/security/pkcs11/ec/ReadPKCS12.java solaris-all
sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java solaris-all
# 8005247
sun/security/pkcs11/ec/TestECDSA.java solaris-all
# 8009438
sun/security/pkcs11/Secmod/AddPrivateKey.java linux-all
sun/security/pkcs11/Secmod/TrustAnchors.java linux-all
......
/*
* Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2008, 2013 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -23,16 +23,10 @@
import java.io.*;
import java.util.*;
import java.lang.reflect.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;
import java.security.interfaces.*;
import java.math.BigInteger;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.xml.bind.DatatypeConverter;
public class SecretKeysBasic extends PKCS11Test {
......@@ -94,6 +88,17 @@ public class SecretKeysBasic extends PKCS11Test {
SecretKey expected,
boolean saveBeforeCheck)
throws Exception {
// A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths
// to be read incorrectly. Checking for improper 16 byte length
// in key string.
if (isNSS(provider) && expected.getAlgorithm().equals("AES") &&
(getNSSVersion() >= 3.12 && getNSSVersion() <= 3.122)) {
System.out.println("NSS 3.12 bug returns incorrect AES key "+
"length breaking key storage. Aborting...");
return true;
}
if (saveBeforeCheck) {
ks.setKeyEntry(alias, expected, null, null);
}
......@@ -127,7 +132,7 @@ public class SecretKeysBasic extends PKCS11Test {
System.out.println("\tALGO=" + key.getAlgorithm());
if (key.getFormat() != null) {
System.out.println("\t[" + key.getFormat() + "] VALUE=" +
new BigInteger(key.getEncoded()));
DatatypeConverter.printHexBinary(key.getEncoded()));
} else {
System.out.println("\tVALUE=n/a");
}
......
......@@ -54,6 +54,11 @@ public abstract class PKCS11Test {
static String NSPR_PREFIX = "";
// NSS version info
public static enum ECCState { None, Basic, Extended };
static double nss_version = -1;
static ECCState nss_ecc_status = ECCState.Extended;
// The NSS library we need to search for in getNSSLibDir()
// Default is "libsoftokn3.so", listed as "softokn3"
// The other is "libnss3.so", listed as "nss3".
......@@ -217,6 +222,104 @@ public abstract class PKCS11Test {
return true;
}
// Check the provider being used is NSS
public static boolean isNSS(Provider p) {
return p.getName().toUpperCase().equals("SUNPKCS11-NSS");
}
static double getNSSVersion() {
if (nss_version == -1)
getNSSInfo();
return nss_version;
}
static ECCState getNSSECC() {
if (nss_version == -1)
getNSSInfo();
return nss_ecc_status;
}
/* Read the library to find out the verison */
static void getNSSInfo() {
String nssHeader = "$Header: NSS";
boolean found = false;
String s = null;
int i = 0;
String libfile = "";
try {
libfile = getNSSLibDir() + System.mapLibraryName(nss_library);
FileInputStream is = new FileInputStream(libfile);
byte[] data = new byte[1000];
int read = 0;
while (is.available() > 0) {
if (read == 0) {
read = is.read(data, 0, 1000);
} else {
// Prepend last 100 bytes in case the header was split
// between the reads.
System.arraycopy(data, 900, data, 0, 100);
read = 100 + is.read(data, 100, 900);
}
s = new String(data, 0, read);
if ((i = s.indexOf(nssHeader)) > 0) {
found = true;
// If the nssHeader is before 920 we can break, otherwise
// we may not have the whole header so do another read. If
// no bytes are in the stream, that is ok, found is true.
if (i < 920) {
break;
}
}
}
is.close();
} catch (Exception e) {
e.printStackTrace();
}
if (!found) {
System.out.println("NSS version not found, set to 0.0: "+libfile);
nss_version = 0.0;
return;
}
// the index after whitespace after nssHeader
int afterheader = s.indexOf("NSS", i) + 4;
String version = s.substring(afterheader, s.indexOf(' ', afterheader));
// If a "dot dot" release, strip the extra dots for double parsing
String[] dot = version.split("\\.");
if (dot.length > 2) {
version = dot[0]+"."+dot[1];
for (int j = 2; dot.length > j; j++) {
version += dot[j];
}
}
// Convert to double for easier version value checking
try {
nss_version = Double.parseDouble(version);
} catch (NumberFormatException e) {
System.out.println("Failed to parse NSS version. Set to 0.0");
e.printStackTrace();
}
System.out.print("NSS version = "+version+". ");
// Check for ECC
if (s.indexOf("Basic") > 0) {
nss_ecc_status = ECCState.Basic;
System.out.println("ECC Basic.");
} else if (s.indexOf("Extended") > 0) {
nss_ecc_status = ECCState.Extended;
System.out.println("ECC Extended.");
}
}
// Used to set the nss_library file to search for libsoftokn3.so
public static void useNSS() {
nss_library = "nss3";
......
This README is to keep a list facts and known workaround for the pkcs11 java tests
perform as a result of bugs or features in NSS or other pkcs11 libraries.
- NSS ECC None/Basic/Extended
The tests detect the NSS library support for Elliptic Curves as to not
report incorrect failures. PKCS11 reports back CKR_DOMAIN_PARAMS_INVALID
when the curve is not supported.
- Default libsoftokn3.so
By default PKCS11Test.java will look for libsoftokn3.so. There are a number of
tests, particularly in Secmod, that need libnss3.so. The method useNSS() in
PKCS11test.java is to change the search and version checking to libnss3.
ECC Basic supports is secp256r1, secp384r1, and secp521r1.
- A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths to be
read incorrectly. KeyStore/SecretKeysBasic.java tiggers this bug and
knows to avoid it.
- A number of EC tests fail because of a DER bug in NSS 3.11. The best guess
is Mozilla bug 480280. Those tests that abort execution with a PASS result
are: TestECDH2, TestECDSA, TestECDSA2 and TestECGenSpec.
/*
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -113,6 +113,20 @@ public class ReadCertificates extends PKCS11Test {
System.out.println("Warning: " + e.getMessage() +
". Trying another provider...");
cert.verify(key);
} catch (InvalidKeyException e) {
// The root cause of the exception might be NSS not having
// "ECC Extended" support curves. If so, we can ignore it.
Throwable t = e;
while (t.getCause() != null) {
t = t.getCause();
}
if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
isNSS(p) && getNSSECC() == ECCState.Basic) {
System.out.println("Failed as expected. NSS Basic ECC.");
continue;
}
throw e;
}
}
......
/*
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -50,6 +50,12 @@ public class TestCurves extends PKCS11Test {
return;
}
if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
System.out.println("NSS 3.11 has a DER issue that recent " +
"version do not.");
return;
}
Random random = new Random();
byte[] data = new byte[2048];
random.nextBytes(data);
......@@ -61,8 +67,29 @@ public class TestCurves extends PKCS11Test {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
kpg.initialize(params);
KeyPair kp1, kp2;
kp1 = kpg.generateKeyPair();
kp2 = kpg.generateKeyPair();
try {
kp1 = kpg.generateKeyPair();
kp2 = kpg.generateKeyPair();
} catch (Exception e) {
// The root cause of the exception might be NSS not having
// "ECC Extended" support curves. If so, we can ignore it.
if (e instanceof java.security.ProviderException) {
Throwable t = e.getCause();
if (t instanceof
sun.security.pkcs11.wrapper.PKCS11Exception &&
t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
isNSS(p) && (getNSSECC() == ECCState.Basic) &&
(!params.toString().startsWith("secp256r1") &&
!params.toString().startsWith("secp384r1") &&
!params.toString().startsWith("secp521r1"))) {
System.out.println("NSS Basic ECC. Failure expected");
continue;
}
}
throw e;
}
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
testSigning(p, "SHA224withECDSA", data, kp1, kp2);
......@@ -97,8 +124,9 @@ public class TestCurves extends PKCS11Test {
int end;
String curve;
Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
String kcProp =
p.getProperty("AlgorithmParameters.EC SupportedCurves");
// Get Curves to test from SunEC.
String kcProp = Security.getProvider("SunEC").
getProperty("AlgorithmParameters.EC SupportedCurves");
if (kcProp == null) {
throw new RuntimeException(
......
/*
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -61,6 +61,11 @@ public class TestECDH extends PKCS11Test {
return;
}
if (isNSS(p) && getNSSECC() == ECCState.Basic) {
System.out.println("NSS only supports Basic ECC. Skipping..");
return;
}
/*
* PKCS11Test.main will remove this provider if needed
*/
......
/*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -106,6 +106,13 @@ public class TestECDH2 extends PKCS11Test {
return;
}
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
getNSSVersion() < 3.12) {
System.out.println("NSS 3.11 has a DER issue that recent " +
"version do not.");
return;
}
kf = KeyFactory.getInstance("EC", provider);
kpg = KeyPairGenerator.getInstance("EC", provider);
......
/*
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -30,9 +30,7 @@
* @library ../../../../java/security/testlibrary
*/
import java.io.*;
import java.util.*;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.*;
......@@ -117,6 +115,13 @@ public class TestECDSA extends PKCS11Test {
return;
}
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
getNSSVersion() < 3.12) {
System.out.println("NSS 3.11 has a DER issue that recent " +
"version do not.");
return;
}
/*
* PKCS11Test.main will remove this provider if needed
*/
......@@ -136,10 +141,14 @@ public class TestECDSA extends PKCS11Test {
return;
}
test(provider, pub192, priv192, sig192);
test(provider, pub163, priv163, sig163);
if (getNSSECC() != ECCState.Basic) {
test(provider, pub192, priv192, sig192);
test(provider, pub163, priv163, sig163);
test(provider, pub571, priv571, sig571);
} else {
System.out.println("ECC Basic only, skipping 192, 163 and 571.");
}
test(provider, pub521, priv521, sig521);
test(provider, pub571, priv571, sig571);
long stop = System.currentTimeMillis();
System.out.println("All tests passed (" + (stop - start) + " ms).");
......
/*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -104,6 +104,13 @@ public class TestECDSA2 extends PKCS11Test {
return;
}
if (isNSS(provider) && getNSSVersion() >= 3.11 &&
getNSSVersion() < 3.12) {
System.out.println("NSS 3.11 has a DER issue that recent " +
"version do not.");
return;
}
kf = KeyFactory.getInstance("EC", provider);
long start = System.currentTimeMillis();
......
/*
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -47,9 +47,20 @@ public class TestECGenSpec extends PKCS11Test {
return;
}
String[] names = { "NIST P-192", "sect163k1", "1.3.132.0.26", "X9.62 c2tnb239v1"};
int[] lengths = {192, 163, 233, 239};
for (int i = 0; i < names.length; i++) {
if (isNSS(p) && getNSSVersion() >= 3.11 && getNSSVersion() < 3.12) {
System.out.println("NSS 3.11 has a DER issue that recent " +
"version do not.");
return;
}
String[] names = { "secp256r1", "NIST P-192", "sect163k1", "1.3.132.0.26",
"X9.62 c2tnb239v1"};
int curves = 1;
if (getNSSECC() == ECCState.Extended) {
curves = names.length;
}
int[] lengths = {256, 192, 163, 233, 239};
for (int i = 0; i < curves; i++) {
String name = names[i];
int len = lengths[i];
System.out.println("Testing " + name + "...");
......
/*
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2013 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -119,11 +119,17 @@ public class TestKeyFactory extends PKCS11Test {
System.out.println("Provider does not support EC, skipping");
return;
}
int[] keyLengths = {192, 163, 521, 409};
int[] keyLengths = {192, 163, 409, 521};
int len = 0;
if (getNSSECC() == ECCState.Basic) {
System.out.println("NSS Basic ECC only. Skipping 192, 163, & 409");
len = 3;
}
KeyFactory kf = KeyFactory.getInstance("EC", p);
for (int len : keyLengths) {
for (; keyLengths.length > len ; len++) {
System.out.println("Length "+keyLengths[len]);
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
kpg.initialize(len);
kpg.initialize(keyLengths[len]);
KeyPair kp = kpg.generateKeyPair();
test(kf, kp.getPrivate());
test(kf, kp.getPublic());
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册