Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8296631: NSS tests failing on OL9 linux-aarch64 hosts #2955

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

kurashige23
Copy link
Contributor

@kurashige23 kurashige23 commented Oct 17, 2024

Hi,

This is a backport of JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts

Original patch does not apply cleanly for the following reasons:

・Fix to getOsMap() in test/jdk/sun/security/pkcs11/PKCS11Test.java can not be applied since getOsMap() was removed in https://bugs.openjdk.org/browse/JDK-8331700.
・Fix to test/jdk/sun/security/pkcs11/tls/tls12 can not be applied since test/jdk/sun/security/pkcs11/tls/tls12 is an enhancement added in https://bugs.openjdk.org/browse/JDK-8220753 (jdk13).
・pkcs11/fips/ClientJSSEServerJSSE.java and pkcs11/fips/TrustManagerTest.java fail if I run the pkcs11 tests without the fix to test/jdk/sun/security/pkcs11/fips/. This is because cert9.db, key4.db, and pkcs11.txt, which are required to run the tests using sqlite, do not exist in test/jdk/sun/security/pkcs11/fips. test/jdk/sun/security/pkcs11/fips was removed in https://bugs.openjdk.org/browse/JDK-8217835 (jdk13), so the original patch does not fix test/jdk/sun/security/pkcs11/fips/. I added the database files to test/jdk/sun/security/pkcs11/fips so that pkcs11/fips/ClientJSSEServerJSSE.java and pkcs11/fips/TrustManagerTest.java can run tests using sqlite and pass.

Testing: jdk/sun/security/pkcs11 tests on RHEL9, GHA testing

Thanks.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8296631 needs maintainer approval

Warnings

 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/KeyStore/ClientAuthData/cert9.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/KeyStore/ClientAuthData/key4.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/fips/cert9.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/fips/key4.db)

Issue

  • JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts (Bug - P3 - Requested)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/2955/head:pull/2955
$ git checkout pull/2955

Update a local copy of the PR:
$ git checkout pull/2955
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/2955/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2955

View PR using the GUI difftool:
$ git pr show -t 2955

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/2955.diff

Using Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Oct 17, 2024

👋 Welcome back kurashige23! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Oct 17, 2024

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@openjdk openjdk bot changed the title Backport 6e1aacdfba5a32f7b071eea8039888d275827e83 8296631: NSS tests failing on OL9 linux-aarch64 hosts Oct 17, 2024
@openjdk
Copy link

openjdk bot commented Oct 17, 2024

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added backport rfr Pull request is ready for review labels Oct 17, 2024
@mlbridge
Copy link

mlbridge bot commented Oct 17, 2024

Webrevs

@kurashige23
Copy link
Contributor Author

Could anyone review this backport please?

@openjdk
Copy link

openjdk bot commented Nov 5, 2024

⚠️ @kurashige23 This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

@kurashige23
Copy link
Contributor Author

kurashige23 commented Nov 6, 2024

/approval request Backporting this patch resolves NSS tests failure. ,
Original patch does not apply cleanly because some code does not exist in jdk11 and some code exists just in jdk11. ,
Test-only fix, low risk. ,
Pkcs11 tests on RHEL9 and GHA pass. .

@openjdk
Copy link

openjdk bot commented Nov 6, 2024

@kurashige23
8296631: The approval request has been created successfully.

@openjdk openjdk bot added the approval label Nov 6, 2024
@kurashige23
Copy link
Contributor Author

/approval request Backporting this patch resolves NSS tests failure.
Original patch does not apply cleanly because some code does not exist in jdk11 and some code exists just in jdk11.
Test-only fix, low risk.
Pkcs11 tests on RHEL9 and GHA pass.

@openjdk
Copy link

openjdk bot commented Nov 6, 2024

@kurashige23
8296631: The approval request has been updated successfully.

@theRealAph
Copy link
Contributor

Why are the two sets of files key4.db and cert9.db different?

zarquon:Downloads $ shasum cert9*.db
41eed34f2505f3a549cb85542ae58b2f239c593e  cert9(1).db
b0e2a3aa1c884de00a342e01d5c2aa4c4ca1d801  cert9.db
zarquon:Downloads $ shasum key4*.db
c06ef63d0a2e960bbe91744c2fe1b8e7cd2bd841  key4(1).db
0a48f27990384fbae2d70dc9a496d08b6b5ea0f3  key4.db

dbtool can't read the files in fips/. Are they a different kind of database?

@kurashige23
Copy link
Contributor Author

kurashige23 commented Nov 7, 2024

@theRealAph

Why are the two sets of files key4.db and cert9.db different?

The reason key4.db and cert9.db are different is that they are newly created by me using the "modutil" command.
I created them with reference to jdk/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE and manually copied pkcs11.txt from jdk/test/jdk/sun/security/pkcs11/Secmod/pkcs11.txt. However, after receiving your comment, I realized that the README-SQLITE procedure does not correspond to the contents of pkcs11.txt. So I recreated key4.db ,cert9.db and pkcs11.txt using the following steps:

$ mkdir ./tmpdb
$ modutil -create -force -dbdir sql:./tmpdb
$ modutil -enable "NSS Internal PKCS #11 Module" -dbdir sql:./tmpdb

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Slot "NSS Internal Cryptographic Services" enabled.
Slot "NSS User Private Key and Certificate Services" enabled.
$ modutil -undefault "NSS Internal PKCS #11 Module" -mechanisms SHA256:SHA512:Camellia:SEED:ECC -force -dbdir sql:./tmpdb -secmod secmod.db
Successfully changed defaults.
$ modutil -add "Builtin Roots Module" -libfile libnssckbi.so -dbdir sql:./tmpdb

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:


WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue:

Module "Builtin Roots Module" added to database.
$ echo "" > ./tmpdb/1
$ echo "test12" > ./tmpdb/2
$ modutil -changepw "NSS Certificate DB" -force -dbdir sql:./tmpdb/ -pwfile ./tmpdb/1 -newpwfile ./tmpdb/2
Token "NSS Certificate DB" password changed successfully.

$ ls tmpdb/
1  2  cert9.db  key4.db  pkcs11.txt
$ cat tmpdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical

library=libnssckbi.so
name=Builtin Roots Module
NSS=trustOrder=100

(The hash value for cert9.db was the same as before the above procedure.)

I then verified again that the tests in pkcs11/fips/pass.

dbtool can't read the files in fips/. Are they a different kind of database?

Please check if dbtool can't read the db files in fips/ again because I recreated as above.
I didn't intend to use a different kind of database.
If dbtool can't read them, it would be helpful if you could provide an error message. In some cases, I will replace the db files in pkcs11/fips with the db files in pkcs11/KeyStore/ClientAuthData.

@kurashige23
Copy link
Contributor Author

@theRealAph

If you have time, I would like you to check my comment and fix. Thanks.

@theRealAph
Copy link
Contributor

What do you see?

 $ pwd
/local/jdk11u-dev/test/jdk/sun/security/pkcs11/fips
 $ /usr/lib64/nss/unsupported-tools/dbtool  -d .       
dbdir selected is .

CertDB:
KeyDB:

@kurashige23
Copy link
Contributor Author

I tried and got the same output as you ...

$ pwd
/work/kurashige/JDK-8296631/jdk11u-dev/test/jdk/sun/security/pkcs11/fips
$ /usr/lib64/nss/unsupported-tools/dbtool -d .
dbdir selected is .

CertDB:
KeyDB:

However, the same output was obtained for dbdir that existed before this PR was created.

$ pwd
/work/kurashige/JDK-8296631/jdk11u-dev/test/jdk/sun/security/pkcs11/nss/db
$ ls
cert8.db  cert9.db  key3.db  key4.db  secmod.db
$ /usr/lib64/nss/unsupported-tools/dbtool -d .
dbdir selected is .

CertDB:
KeyDB:

I'm sorry for my ignorance, but I don't know what the problem is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approval backport rfr Pull request is ready for review
Development

Successfully merging this pull request may close these issues.

3 participants