8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID

John Jiang · John Jiang · commit 0a0956bcda28 · 2019-09-21T08:06:00.000+08:00
Reviewed-by: xuelei
diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt
@@ -652,8 +652,6 @@ com/sun/nio/sctp/SctpChannel/SocketOptionTests.java             8141694 linux-al
 # jdk_security
 
 sun/security/pkcs11/ec/TestKeyFactory.java                      8026976 generic-all
-sun/security/pkcs11/Secmod/AddTrustedCert.java                  8180837 generic-all
-sun/security/pkcs11/tls/TestKeyMaterial.java                    8180837 generic-all
 sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java            8161536 generic-all
 
 sun/security/tools/keytool/ListKeychainStore.sh                 8156889 macosx-all
diff --git a/test/jdk/sun/security/pkcs11/PKCS11Test.java b/test/jdk/sun/security/pkcs11/PKCS11Test.java
@@ -39,6 +39,7 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchProviderException;
+import java.security.Policy;
 import java.security.Provider;
 import java.security.ProviderException;
 import java.security.Security;
@@ -879,6 +880,9 @@ private static String fetchNssLib(String osId) {
         case "MacOSX-x86_64-64":
             return fetchNssLib(MACOSX_X64.class);
 
+        case "Linux-amd64-64":
+            return fetchNssLib(LINUX_X64.class);
+
         default:
             return null;
         }
@@ -900,6 +904,7 @@ private static String fetchNssLib(Class<?> clazz) {
                         + "\nPlease make sure the artifact is available.");
             }
         }
+        Policy.setPolicy(null); // Clear the policy created by JIB if any
         return path;
     }
 
@@ -923,4 +928,11 @@ private static class WINDOWS_X86 { }
             revision = "3.46",
             extension = "zip")
     private static class MACOSX_X64 { }
+
+    @Artifact(
+            organization = "jpg.tests.jdk.nsslib",
+            name = "nsslib-linux_x64",
+            revision = "3.46",
+            extension = "zip")
+    private static class LINUX_X64 { }
 }
diff --git a/test/jdk/sun/security/pkcs11/Secmod/AddTrustedCert.java b/test/jdk/sun/security/pkcs11/Secmod/AddTrustedCert.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,6 +67,13 @@ public static void main(String[] args) throws Exception {
         String configName = BASE + SEP + "nss.cfg";
         Provider p = getSunPKCS11(configName);
 
+        if (improperNSSVersion(p)) {
+            System.out.println(
+                    "Skip test due to improper NSS version in [3.28, 3.35). "
+                    + "See JDK-8180837 for more detatils.");
+            return;
+        }
+
         System.out.println(p);
         Security.addProvider(p);
 
@@ -125,4 +132,13 @@ public static void main(String[] args) throws Exception {
         System.out.println("OK");
     }
 
+    private static boolean improperNSSVersion(Provider p) {
+        double nssVersion = getNSSVersion();
+        if (p.getName().equalsIgnoreCase("SunPKCS11-NSSKeyStore")
+                && nssVersion >= 3.28 && nssVersion < 3.35) {
+            return true;
+        }
+
+        return false;
+    }
 }
diff --git a/test/jdk/sun/security/pkcs11/tls/TestKeyMaterial.java b/test/jdk/sun/security/pkcs11/tls/TestKeyMaterial.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,13 +36,16 @@
 import java.io.BufferedReader;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.security.Provider;
 import java.security.InvalidAlgorithmParameterException;
+import java.security.Provider;
+import java.security.ProviderException;
 import java.util.Arrays;
+
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+
 import sun.security.internal.spec.TlsKeyMaterialParameterSpec;
 import sun.security.internal.spec.TlsKeyMaterialSpec;
 
@@ -51,6 +54,7 @@ public class TestKeyMaterial extends PKCS11Test {
     private static final int PREFIX_LENGTH = "km-master:  ".length();
 
     public static void main(String[] args) throws Exception {
+        System.out.println("NSS Version: " + getNSSVersion());
         main(new TestKeyMaterial(), args);
     }
 
@@ -154,10 +158,26 @@ public void main(Provider provider) throws Exception {
                         match(lineNumber, serverMacBytes, result.getServerMacKey(), "");
                     } catch (InvalidAlgorithmParameterException iape) {
                         // SSLv3 support is removed in S12
-                        if (major == 3 && minor == 0) {
-                            System.out.println("Skip testing SSLv3");
-                            continue;
+                        if (provider.getName().indexOf("Solaris") != -1) {
+                            if (major == 3 && minor == 0) {
+                                System.out.println("Skip testing SSLv3 on Solaris");
+                                continue;
+                            }
+                        }
+                        throw iape;
+                    } catch (ProviderException pe) {
+                        if (provider.getName().indexOf("NSS") != -1) {
+                            Throwable t = pe.getCause();
+                            if (expandedKeyLength != 0
+                                    && t.getMessage().indexOf(
+                                            "CKR_MECHANISM_PARAM_INVALID") != -1) {
+                                // NSS removed support for export-grade cipher suites in 3.28,
+                                // see https://bugzilla.mozilla.org/show_bug.cgi?id=1252849
+                                System.out.println("Ignore known NSS failure on CKR_MECHANISM_PARAM_INVALID");
+                                continue;
+                            }
                         }
+                        throw pe;
                     }
                } else {
                     throw new Exception("Unknown line: " + line);
