8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
Reviewed-by: weijun
Contributed-by: Martin Balao <mbalao@redhat.com>
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java Tue Dec 12 15:38:18 2017 +0100
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java Wed Dec 13 01:29:58 2017 +0800
@@ -196,13 +196,23 @@
}
if (configDir != null) {
- File configBase = new File(configDir);
- if (configBase.isDirectory() == false ) {
- throw new IOException("configDir must be a directory: " + configDir);
+ String configDirPath = null;
+ String sqlPrefix = "sql:/";
+ if (!configDir.startsWith(sqlPrefix)) {
+ configDirPath = configDir;
+ } else {
+ StringBuilder configDirPathSB = new StringBuilder(configDir);
+ configDirPath = configDirPathSB.substring(sqlPrefix.length());
}
- File secmodFile = new File(configBase, "secmod.db");
- if (secmodFile.isFile() == false) {
- throw new FileNotFoundException(secmodFile.getPath());
+ File configBase = new File(configDirPath);
+ if (configBase.isDirectory() == false ) {
+ throw new IOException("configDir must be a directory: " + configDirPath);
+ }
+ if (!configDir.startsWith(sqlPrefix)) {
+ File secmodFile = new File(configBase, "secmod.db");
+ if (secmodFile.isFile() == false) {
+ throw new FileNotFoundException(secmodFile.getPath());
+ }
}
}
--- a/test/jdk/sun/security/pkcs11/PKCS11Test.java Tue Dec 12 15:38:18 2017 +0100
+++ b/test/jdk/sun/security/pkcs11/PKCS11Test.java Wed Dec 13 01:29:58 2017 +0800
@@ -741,13 +741,18 @@
}
private static String distro() {
- try (BufferedReader in =
- new BufferedReader(new InputStreamReader(
- Runtime.getRuntime().exec("uname -v").getInputStream()))) {
+ if (props.getProperty("os.name").equals("SunOS")) {
+ try (BufferedReader in =
+ new BufferedReader(new InputStreamReader(
+ Runtime.getRuntime().exec("uname -v").getInputStream()))) {
- return in.readLine();
- } catch (Exception e) {
- throw new RuntimeException("Failed to determine distro.", e);
+ return in.readLine();
+ } catch (Exception e) {
+ throw new RuntimeException("Failed to determine distro.", e);
+ }
+ } else {
+ // Not used outside Solaris
+ return null;
}
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE Wed Dec 13 01:29:58 2017 +0800
@@ -0,0 +1,8 @@
+// How to create key4.db and cert9.db
+cd <path-for-db>
+echo "" > 1
+echo "test12" > 2
+modutil -create -force -dbdir sql:/$(pwd)
+modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/$(pwd)
+modutil -changepw "NSS Certificate DB" -force -dbdir sql:/$(pwd) -pwfile $(pwd)/1 -newpwfile $(pwd)/2
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/pkcs11/Secmod/TestNssDbSqlite.java Wed Dec 13 01:29:58 2017 +0800
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8165996
+ * @summary Test NSS DB Sqlite
+ * @library ../
+ * @modules java.base/sun.security.rsa
+ * java.base/sun.security.provider
+ * java.base/sun.security.jca
+ * java.base/sun.security.tools.keytool
+ * java.base/sun.security.x509
+ * java.base/com.sun.crypto.provider
+ * jdk.crypto.cryptoki/sun.security.pkcs11:+open
+ * @run main/othervm/timeout=120 TestNssDbSqlite
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.Signature;
+
+import sun.security.rsa.SunRsaSign;
+import sun.security.jca.ProviderList;
+import sun.security.jca.Providers;
+import sun.security.tools.keytool.CertAndKeyGen;
+import sun.security.x509.X500Name;
+
+public final class TestNssDbSqlite extends SecmodTest {
+
+ private static final boolean enableDebug = true;
+
+ private static Provider sunPKCS11NSSProvider;
+ private static Provider sunRsaSignProvider;
+ private static Provider sunJCEProvider;
+ private static KeyStore ks;
+ private static char[] passphrase = "test12".toCharArray();
+ private static PrivateKey privateKey;
+ private static Certificate certificate;
+
+ public static void main(String[] args) throws Exception {
+
+ initialize();
+
+ if (enableDebug) {
+ System.out.println("SunPKCS11 provider: " +
+ sunPKCS11NSSProvider);
+ }
+
+ testRetrieveKeysFromKeystore();
+
+ System.out.println("Test PASS - OK");
+ }
+
+ private static void testRetrieveKeysFromKeystore() throws Exception {
+
+ String plainText = "known plain text";
+
+ ks.setKeyEntry("root_ca_1", privateKey, passphrase,
+ new Certificate[]{certificate});
+ PrivateKey k1 = (PrivateKey) ks.getKey("root_ca_1", passphrase);
+
+ Signature sS = Signature.getInstance(
+ "SHA256withRSA", sunPKCS11NSSProvider);
+ sS.initSign(k1);
+ sS.update(plainText.getBytes());
+ byte[] generatedSignature = sS.sign();
+
+ if (enableDebug) {
+ System.out.println("Generated signature: ");
+ for (byte b : generatedSignature) {
+ System.out.printf("0x%02x, ", (int)(b) & 0xFF);
+ }
+ System.out.println("");
+ }
+
+ Signature sV = Signature.getInstance("SHA256withRSA", sunRsaSignProvider);
+ sV.initVerify(certificate);
+ sV.update(plainText.getBytes());
+ if(!sV.verify(generatedSignature)){
+ throw new Exception("Couldn't verify signature");
+ }
+ }
+
+ private static void initialize() throws Exception {
+ initializeProvider();
+ }
+
+ private static void initializeProvider () throws Exception {
+ useSqlite(true);
+ if (!initSecmod()) {
+ return;
+ }
+
+ sunPKCS11NSSProvider = getSunPKCS11(BASE + SEP + "nss-sqlite.cfg");
+ sunJCEProvider = new com.sun.crypto.provider.SunJCE();
+ sunRsaSignProvider = new SunRsaSign();
+ Providers.setProviderList(ProviderList.newList(
+ sunJCEProvider, sunPKCS11NSSProvider,
+ new sun.security.provider.Sun(), sunRsaSignProvider));
+
+ ks = KeyStore.getInstance("PKCS11-NSS-Sqlite", sunPKCS11NSSProvider);
+ ks.load(null, passphrase);
+
+ CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");
+ gen.generate(2048);
+ privateKey = gen.getPrivateKey();
+ certificate = gen.getSelfCertificate(new X500Name("CN=Me"), 365);
+ }
+}
Binary file test/jdk/sun/security/pkcs11/Secmod/cert9.db has changed
Binary file test/jdk/sun/security/pkcs11/Secmod/key4.db has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/pkcs11/Secmod/nss-sqlite.cfg Wed Dec 13 01:29:58 2017 +0800
@@ -0,0 +1,13 @@
+# config file for secmod KeyStore access using sqlite backend
+
+name = NSS-Sqlite
+
+nssLibraryDirectory = ${pkcs11test.nss.libdir}
+
+nssDbMode = readWrite
+
+nssModule = keystore
+
+nssSecmodDirectory = ${pkcs11test.nss.db}
+
+attributes = compatibility
--- a/test/jdk/sun/security/pkcs11/SecmodTest.java Tue Dec 12 15:38:18 2017 +0100
+++ b/test/jdk/sun/security/pkcs11/SecmodTest.java Wed Dec 13 01:29:58 2017 +0800
@@ -34,6 +34,11 @@
static String DBDIR;
static char[] password = "test12".toCharArray();
static String keyAlias = "mykey";
+ static boolean useSqlite = false;
+
+ static void useSqlite(boolean b) {
+ useSqlite = b;
+ }
static boolean initSecmod() throws Exception {
useNSS();
@@ -49,14 +54,24 @@
safeReload(LIBPATH + System.mapLibraryName("nssckbi"));
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
- System.setProperty("pkcs11test.nss.db", DBDIR);
+ if (useSqlite) {
+ System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
+ } else {
+ System.setProperty("pkcs11test.nss.db", DBDIR);
+ }
File dbdirFile = new File(DBDIR);
if (dbdirFile.exists() == false) {
dbdirFile.mkdir();
}
- copyFile("secmod.db", BASE, DBDIR);
- copyFile("key3.db", BASE, DBDIR);
- copyFile("cert8.db", BASE, DBDIR);
+
+ if (useSqlite) {
+ copyFile("key4.db", BASE, DBDIR);
+ copyFile("cert9.db", BASE, DBDIR);
+ } else {
+ copyFile("secmod.db", BASE, DBDIR);
+ copyFile("key3.db", BASE, DBDIR);
+ copyFile("cert8.db", BASE, DBDIR);
+ }
return true;
}