Hi Valerie,

On Fri, Aug 31, 2018 at 9:16 PM, Valerie Peng <valerie.p...@oracle.com> wrote:

> Hi Martin,
>
> In TestTLS12.java, you call the initSecmod() inside initialize() and when
> initSecmod() returns false, you return from initialize() and continue down
> the main(). Is this intentional? Other tests seem to be skipping execution
> when initSecmod() returns false.

This test skips execution too. That's because shouldRun method returns false if sunPKCS11NSSProvider variable is null (which it is if initSecmod returns false).

> Changes in webrev.08 resolve 2 out of the 4 failure cases for
> TestTLS12.java. However, when I submit the changes for testing, it failed
> on some OS (see below):
>
> macosx-x64:
>
>> jib > STDOUT:
>> jib > nssLibDir: /scratch/mesos/jib-master/install/jpg/tests/jdk/nsslib/nsslib-macosx_x64/3.35/nsslib-macosx_x64-3.35.zip/nsslib/
>> jib > STDERR:
>> jib > java.security.ProviderException: Could not initialize NSS
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
>> jib >     at java.base/java.security.AccessController.doPrivileged(Native Method)
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
>> jib >     at PKCS11Test.getSunPKCS11(PKCS11Test.java:156)
>> jib >     at TestTLS12.initialize(TestTLS12.java:416)
>> jib >     at TestTLS12.main(TestTLS12.java:84)
>> jib >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> jib >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib >     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib >     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib >     at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib >     at java.base/java.lang.Thread.run(Thread.java:834)
>> jib > Caused by: java.io.IOException: NSS initialization failed
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:234)
>> jib >     at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:213)
>> jib >     ... 13 more
>> jib >
>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: Could not initialize NSS
>
> windows-x64:
>
>> jib > STDOUT:
>> jib > nssLibDir: C:\ADE\mesos\work_dir\jib-master\install\jpg\tests\jdk\nsslib\nsslib-windows_x64\3.35\nsslib-windows_x64-3.35.zip\nsslib\
>> jib > SunPKCS11 provider: SunPKCS11-NSSKeyStore version 12
>> jib > STDERR:
>> jib > java.security.ProviderException: SunJSSE already initialized in non-FIPS mode
>> jib >     at java.base/sun.security.ssl.SunJSSE.ensureFIPS(SunJSSE.java:94)
>> jib >     at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
>> jib >     at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
>> jib >     at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:47)
>> jib >     at TestTLS12.initialize(TestTLS12.java:424)
>> jib >     at TestTLS12.main(TestTLS12.java:84)
>> jib >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> jib >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> jib >     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> jib >     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> jib >     at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> jib >     at java.base/java.lang.Thread.run(Thread.java:834)
>> jib >
>> jib > JavaTest Message: Test threw exception: java.security.ProviderException: SunJSSE already initialized in non-FIPS mode

The 2 tests that initialize NSS in FIPS mode (TrustManagerTest and ClientJSSEServerJSSE) only run on Solaris. My guess is that these failures are not particular to TestTLS12 but to NSS + FIPS support on these setups. I won't be able to reproduce the macOS failure and I'm not sure if I'll be able to reproduce in my Windows x86_64 environment.

I propose the following options:

1) Make the test skip macOS & Windows x86_64 (and any other platform that fails to initialize the SunPKCS11 provider)

2) If you can provide access to a testing environment where I can reproduce these failures, I can see what's happening

I intentionally want to use FIPS in NSS configuration because it represents a real use case, and is what motivated us to support TLS 1.2 in SunPKCS11. So, even though removing FIPS would be an option, I prefer not to take it.

Kind regards,
Martin.-