8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12

[driverkt]

JDK-8308453: JSSE regression test keystore migration from JKS to PKCS12

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12 (Enhancement - P4)

Reviewers

• Weijun Wang (@wangweij - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/16159/head:pull/16159
$ git checkout pull/16159

Update a local copy of the PR:
$ git checkout pull/16159
$ git pull https://git.openjdk.org/jdk.git pull/16159/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 16159

View PR using the GUI difftool:
$ git pr show -t 16159

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/16159.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back kdriver! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@driverkt The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 11: Full - Incremental (a3856ce9)
• 10: Full - Incremental (59aaba72)
• 09: Full - Incremental (a35fa4cf)
• 08: Full - Incremental (253ee1e1)
• 07: Full - Incremental (d309acdb)
• 06: Full - Incremental (206e5b9c)
• 05: Full - Incremental (3666328b)
• 04: Full - Incremental (e104fb92)
• 03: Full - Incremental (8146a694)
• 02: Full - Incremental (e118be60)
• 01: Full - Incremental (06a30c07)
• 00: Full (9ccd25b8)

[mcpowers]

Looks good to me.

[seanjmullan]

The ones you changed to PKCS12 is fine, but you should also convert the binary keystores in the test/jdk/javax/net/ssl/etc directory. You can use the keytool -importkeystore command to convert JKS to PKCS12, ex:

keytool -importkeystore -srckeystore keystore -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

[driverkt]

The ones you changed to PKCS12 is fine, but you should also convert the binary keystores in the test/jdk/javax/net/ssl/etc directory.

I have done so now. Please re-review.

[seanjmullan]

There are other tests under test/jdk/sun/security/ssl that are instantiating the keystores in test/jdk/javax/net/ssl/etc as "JKS". For example, see test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java. Although the compatibility mode by default allows JKS keystores to load PKCS12 keystores (and vice-versa), I think it would be better/cleaner to change all of these tests to load them as "PKCS12".

[wangweij]

I have 2 comments:

1. For those system properties. If you don't set them explicitly to pkcs12, will there by any failure? In my understanding, the default type is already pkcs12 now.
2. For those getInstance("JKS") calls. Is it possible to rewrite them with getInstance(File)?

[driverkt]

deliberate

[driverkt]

deliberate

[driverkt]

deliberate

[driverkt]

deliberate

[wangweij]

No need for this FileInputStream.

[driverkt]

I left this due to the "try." I can remove if you prefer, but it seemed like it was better to leave in this check for the existence of the file due to the declared exception in the method signature.

[wangweij]

No need for this FileInputStream.

[driverkt]

I left this due to the "try." I can remove if you prefer, but it seemed like it was better to leave in this check for the existence of the file due to the declared exception in the method signature.

[wangweij]

I see what you mean, but in any of these tests, no matter if a FNFE or an IAE is thrown, it's not handled and the test simply fails. I don't think it's worth checking twice on the existence of the file.

[wangweij]

No need for this FileInputStream.

[driverkt]

I left this due to the "try." I can remove if you prefer, but it seemed like it was better to leave in this check for the existence of the file due to the declared exception in the method signature.

[wangweij]

No need for these FileInputStreams.

[driverkt]

I left this due to the "try." I can remove if you prefer, but it seemed like it was better to leave in this check for the existence of the file due to the declared exception in the method signature.

[wangweij]

Looks good to me.

BTW, have you considered making truststore a password-less pkcs12 file? Then there is no need to provide a password for it. You can create one with -J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE -J-Dkeystore.pkcs12.macAlgorithm=NONE when calling the keytool -importkeystore command.

[openjdk]

@driverkt This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[driverkt]

/integrate

[openjdk]

Going to push as commit 1696603.
Since your change was applied there have been 12 commits pushed to the master branch:

• b3126b6: 8319455: Test compiler/print/CompileCommandMemLimit.java times out
• 1c2ea1d: 8319153: Fix: Class is a raw type in ProcessTools
• 96e6e67: 4365952: Cannot disable JFileChooser
• 2d4bbf4: 8319465: Typos in javadoc of com.sun.management.OperatingSystemMXBean methods
• 8fb94fd: 8319379: G1: gc/logging/TestUnifiedLoggingSwitchStress.java crashes after JDK-8318894
• b5c863b: 8316533: C2 compilation fails with assert(verify(phase)) failed: missing Value() optimization
• 377138c: 8318959: C2: define MachNode::fill_new_machnode() statically
• c146685: 8319165: hsdis binutils: warns on empty string as option string
• 01c0d5d: 8319412: RISC-V: Simple fix of indent in c2_MacroAssembler_riscv.hpp
• df599db: 8295159: DSO created with -ffast-math breaks Java floating-point arithmetic
• ... and 2 more: https://git.openjdk.org/jdk/compare/ea6a88a0aa4e8a365a94e71078e67a4452f40945...master

Your commit was automatically rebased without conflicts.

[openjdk]

@driverkt Pushed as commit 1696603.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.