8296631: NSS tests failing on OL9 linux-aarch64 hosts

[kurashige23]

Hi,

This is a backport of JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts

Original patch does not apply cleanly for the following reasons:

・Fix to getOsMap() in test/jdk/sun/security/pkcs11/PKCS11Test.java can not be applied since getOsMap() was removed in https://bugs.openjdk.org/browse/JDK-8331700.
・Fix to test/jdk/sun/security/pkcs11/tls/tls12 can not be applied since test/jdk/sun/security/pkcs11/tls/tls12 is an enhancement added in https://bugs.openjdk.org/browse/JDK-8220753 (jdk13).
・pkcs11/fips/ClientJSSEServerJSSE.java and pkcs11/fips/TrustManagerTest.java fail if I run the pkcs11 tests without the fix to test/jdk/sun/security/pkcs11/fips/. This is because cert9.db, key4.db, and pkcs11.txt, which are required to run the tests using sqlite, do not exist in test/jdk/sun/security/pkcs11/fips. test/jdk/sun/security/pkcs11/fips was removed in https://bugs.openjdk.org/browse/JDK-8217835 (jdk13), so the original patch does not fix test/jdk/sun/security/pkcs11/fips/. I added the database files to test/jdk/sun/security/pkcs11/fips so that pkcs11/fips/ClientJSSEServerJSSE.java and pkcs11/fips/TrustManagerTest.java can run tests using sqlite and pass.

Testing: jdk/sun/security/pkcs11 tests on RHEL9, GHA testing

Thanks.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8296631 needs maintainer approval

Warnings

 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/KeyStore/ClientAuthData/cert9.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/KeyStore/ClientAuthData/key4.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/fips/cert9.db)
 ⚠️ Patch contains a binary file (test/jdk/sun/security/pkcs11/fips/key4.db)

Issue

• JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts (Bug - P3 - Requested)

Reviewers

• Paul Hohensee (@phohensee - Reviewer) 🔄 Re-review required (review applies to a247aa1d)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/2955/head:pull/2955
$ git checkout pull/2955

Update a local copy of the PR:
$ git checkout pull/2955
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/2955/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2955

View PR using the GUI difftool:
$ git pr show -t 2955

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/2955.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back kurashige23! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 03: Full - Incremental (7c28df67)
• 02: Full - Incremental (a247aa1d)
• 01: Full - Incremental (2cc6ddb4)
• 00: Full (673cc8eb)

[kurashige23]

Could anyone review this backport please?

[openjdk]

⚠️ @kurashige23 This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[kurashige23]

/approval request Backporting this patch resolves NSS tests failure. ,
Original patch does not apply cleanly because some code does not exist in jdk11 and some code exists just in jdk11. ,
Test-only fix, low risk. ,
Pkcs11 tests on RHEL9 and GHA pass. .

[openjdk]

@kurashige23
8296631: The approval request has been created successfully.

[kurashige23]

/approval request Backporting this patch resolves NSS tests failure.
Original patch does not apply cleanly because some code does not exist in jdk11 and some code exists just in jdk11.
Test-only fix, low risk.
Pkcs11 tests on RHEL9 and GHA pass.

[openjdk]

@kurashige23
8296631: The approval request has been updated successfully.

[theRealAph]

Why are the two sets of files key4.db and cert9.db different?

zarquon:Downloads $ shasum cert9*.db
41eed34f2505f3a549cb85542ae58b2f239c593e  cert9(1).db
b0e2a3aa1c884de00a342e01d5c2aa4c4ca1d801  cert9.db
zarquon:Downloads $ shasum key4*.db
c06ef63d0a2e960bbe91744c2fe1b8e7cd2bd841  key4(1).db
0a48f27990384fbae2d70dc9a496d08b6b5ea0f3  key4.db

dbtool can't read the files in fips/. Are they a different kind of database?

[kurashige23]

@theRealAph

Why are the two sets of files key4.db and cert9.db different?

The reason key4.db and cert9.db are different is that they are newly created by me using the "modutil" command.
I created them with reference to jdk/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE and manually copied pkcs11.txt from jdk/test/jdk/sun/security/pkcs11/Secmod/pkcs11.txt. However, after receiving your comment, I realized that the README-SQLITE procedure does not correspond to the contents of pkcs11.txt. So I recreated key4.db ,cert9.db and pkcs11.txt using the following steps:

$ mkdir ./tmpdb
$ modutil -create -force -dbdir sql:./tmpdb
$ modutil -enable "NSS Internal PKCS #11 Module" -dbdir sql:./tmpdb

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Slot "NSS Internal Cryptographic Services" enabled.
Slot "NSS User Private Key and Certificate Services" enabled.
$ modutil -undefault "NSS Internal PKCS #11 Module" -mechanisms SHA256:SHA512:Camellia:SEED:ECC -force -dbdir sql:./tmpdb -secmod secmod.db
Successfully changed defaults.
$ modutil -add "Builtin Roots Module" -libfile libnssckbi.so -dbdir sql:./tmpdb

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:


WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue:

Module "Builtin Roots Module" added to database.
$ echo "" > ./tmpdb/1
$ echo "test12" > ./tmpdb/2
$ modutil -changepw "NSS Certificate DB" -force -dbdir sql:./tmpdb/ -pwfile ./tmpdb/1 -newpwfile ./tmpdb/2
Token "NSS Certificate DB" password changed successfully.

$ ls tmpdb/
1  2  cert9.db  key4.db  pkcs11.txt
$ cat tmpdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical

library=libnssckbi.so
name=Builtin Roots Module
NSS=trustOrder=100

(The hash value for cert9.db was the same as before the above procedure.)

I then verified again that the tests in pkcs11/fips/pass.

dbtool can't read the files in fips/. Are they a different kind of database?

Please check if dbtool can't read the db files in fips/ again because I recreated as above.
I didn't intend to use a different kind of database.
If dbtool can't read them, it would be helpful if you could provide an error message. In some cases, I will replace the db files in pkcs11/fips with the db files in pkcs11/KeyStore/ClientAuthData.