# HG changeset patch # User weijun # Date 1513099798 -28800 # Node ID 55b9b1e184c6be7e0a44c125693f04bb4e9780d4 # Parent fa5a47cad0c9faf19b8eff332e0413acdcee3fbb 8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite Reviewed-by: weijun Contributed-by: Martin Balao diff -r fa5a47cad0c9 -r 55b9b1e184c6 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java Tue Dec 12 15:38:18 2017 +0100 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java Wed Dec 13 01:29:58 2017 +0800 @@ -196,13 +196,23 @@ } if (configDir != null) { - File configBase = new File(configDir); - if (configBase.isDirectory() == false ) { - throw new IOException("configDir must be a directory: " + configDir); + String configDirPath = null; + String sqlPrefix = "sql:/"; + if (!configDir.startsWith(sqlPrefix)) { + configDirPath = configDir; + } else { + StringBuilder configDirPathSB = new StringBuilder(configDir); + configDirPath = configDirPathSB.substring(sqlPrefix.length()); } - File secmodFile = new File(configBase, "secmod.db"); - if (secmodFile.isFile() == false) { - throw new FileNotFoundException(secmodFile.getPath()); + File configBase = new File(configDirPath); + if (configBase.isDirectory() == false ) { + throw new IOException("configDir must be a directory: " + configDirPath); + } + if (!configDir.startsWith(sqlPrefix)) { + File secmodFile = new File(configBase, "secmod.db"); + if (secmodFile.isFile() == false) { + throw new FileNotFoundException(secmodFile.getPath()); + } } } diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/PKCS11Test.java --- a/test/jdk/sun/security/pkcs11/PKCS11Test.java Tue Dec 12 15:38:18 2017 +0100 +++ b/test/jdk/sun/security/pkcs11/PKCS11Test.java Wed Dec 13 01:29:58 2017 +0800 @@ -741,13 +741,18 @@ } private static String distro() { - try (BufferedReader in = - new BufferedReader(new InputStreamReader( - Runtime.getRuntime().exec("uname -v").getInputStream()))) { + if (props.getProperty("os.name").equals("SunOS")) { + try (BufferedReader in = + new BufferedReader(new InputStreamReader( + Runtime.getRuntime().exec("uname -v").getInputStream()))) { - return in.readLine(); - } catch (Exception e) { - throw new RuntimeException("Failed to determine distro.", e); + return in.readLine(); + } catch (Exception e) { + throw new RuntimeException("Failed to determine distro.", e); + } + } else { + // Not used outside Solaris + return null; } } diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/Secmod/README-SQLITE --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/pkcs11/Secmod/README-SQLITE Wed Dec 13 01:29:58 2017 +0800 @@ -0,0 +1,8 @@ +// How to create key4.db and cert9.db +cd +echo "" > 1 +echo "test12" > 2 +modutil -create -force -dbdir sql:/$(pwd) +modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/$(pwd) +modutil -changepw "NSS Certificate DB" -force -dbdir sql:/$(pwd) -pwfile $(pwd)/1 -newpwfile $(pwd)/2 + diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/Secmod/TestNssDbSqlite.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/pkcs11/Secmod/TestNssDbSqlite.java Wed Dec 13 01:29:58 2017 +0800 @@ -0,0 +1,134 @@ +/* + * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8165996 + * @summary Test NSS DB Sqlite + * @library ../ + * @modules java.base/sun.security.rsa + * java.base/sun.security.provider + * java.base/sun.security.jca + * java.base/sun.security.tools.keytool + * java.base/sun.security.x509 + * java.base/com.sun.crypto.provider + * jdk.crypto.cryptoki/sun.security.pkcs11:+open + * @run main/othervm/timeout=120 TestNssDbSqlite + * @author Martin Balao (mbalao@redhat.com) + */ + +import java.security.PrivateKey; +import java.security.cert.Certificate; +import java.security.KeyStore; +import java.security.Provider; +import java.security.Signature; + +import sun.security.rsa.SunRsaSign; +import sun.security.jca.ProviderList; +import sun.security.jca.Providers; +import sun.security.tools.keytool.CertAndKeyGen; +import sun.security.x509.X500Name; + +public final class TestNssDbSqlite extends SecmodTest { + + private static final boolean enableDebug = true; + + private static Provider sunPKCS11NSSProvider; + private static Provider sunRsaSignProvider; + private static Provider sunJCEProvider; + private static KeyStore ks; + private static char[] passphrase = "test12".toCharArray(); + private static PrivateKey privateKey; + private static Certificate certificate; + + public static void main(String[] args) throws Exception { + + initialize(); + + if (enableDebug) { + System.out.println("SunPKCS11 provider: " + + sunPKCS11NSSProvider); + } + + testRetrieveKeysFromKeystore(); + + System.out.println("Test PASS - OK"); + } + + private static void testRetrieveKeysFromKeystore() throws Exception { + + String plainText = "known plain text"; + + ks.setKeyEntry("root_ca_1", privateKey, passphrase, + new Certificate[]{certificate}); + PrivateKey k1 = (PrivateKey) ks.getKey("root_ca_1", passphrase); + + Signature sS = Signature.getInstance( + "SHA256withRSA", sunPKCS11NSSProvider); + sS.initSign(k1); + sS.update(plainText.getBytes()); + byte[] generatedSignature = sS.sign(); + + if (enableDebug) { + System.out.println("Generated signature: "); + for (byte b : generatedSignature) { + System.out.printf("0x%02x, ", (int)(b) & 0xFF); + } + System.out.println(""); + } + + Signature sV = Signature.getInstance("SHA256withRSA", sunRsaSignProvider); + sV.initVerify(certificate); + sV.update(plainText.getBytes()); + if(!sV.verify(generatedSignature)){ + throw new Exception("Couldn't verify signature"); + } + } + + private static void initialize() throws Exception { + initializeProvider(); + } + + private static void initializeProvider () throws Exception { + useSqlite(true); + if (!initSecmod()) { + return; + } + + sunPKCS11NSSProvider = getSunPKCS11(BASE + SEP + "nss-sqlite.cfg"); + sunJCEProvider = new com.sun.crypto.provider.SunJCE(); + sunRsaSignProvider = new SunRsaSign(); + Providers.setProviderList(ProviderList.newList( + sunJCEProvider, sunPKCS11NSSProvider, + new sun.security.provider.Sun(), sunRsaSignProvider)); + + ks = KeyStore.getInstance("PKCS11-NSS-Sqlite", sunPKCS11NSSProvider); + ks.load(null, passphrase); + + CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA"); + gen.generate(2048); + privateKey = gen.getPrivateKey(); + certificate = gen.getSelfCertificate(new X500Name("CN=Me"), 365); + } +} diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/Secmod/cert9.db Binary file test/jdk/sun/security/pkcs11/Secmod/cert9.db has changed diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/Secmod/key4.db Binary file test/jdk/sun/security/pkcs11/Secmod/key4.db has changed diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/Secmod/nss-sqlite.cfg --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/pkcs11/Secmod/nss-sqlite.cfg Wed Dec 13 01:29:58 2017 +0800 @@ -0,0 +1,13 @@ +# config file for secmod KeyStore access using sqlite backend + +name = NSS-Sqlite + +nssLibraryDirectory = ${pkcs11test.nss.libdir} + +nssDbMode = readWrite + +nssModule = keystore + +nssSecmodDirectory = ${pkcs11test.nss.db} + +attributes = compatibility diff -r fa5a47cad0c9 -r 55b9b1e184c6 test/jdk/sun/security/pkcs11/SecmodTest.java --- a/test/jdk/sun/security/pkcs11/SecmodTest.java Tue Dec 12 15:38:18 2017 +0100 +++ b/test/jdk/sun/security/pkcs11/SecmodTest.java Wed Dec 13 01:29:58 2017 +0800 @@ -34,6 +34,11 @@ static String DBDIR; static char[] password = "test12".toCharArray(); static String keyAlias = "mykey"; + static boolean useSqlite = false; + + static void useSqlite(boolean b) { + useSqlite = b; + } static boolean initSecmod() throws Exception { useNSS(); @@ -49,14 +54,24 @@ safeReload(LIBPATH + System.mapLibraryName("nssckbi")); DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; - System.setProperty("pkcs11test.nss.db", DBDIR); + if (useSqlite) { + System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); + } else { + System.setProperty("pkcs11test.nss.db", DBDIR); + } File dbdirFile = new File(DBDIR); if (dbdirFile.exists() == false) { dbdirFile.mkdir(); } - copyFile("secmod.db", BASE, DBDIR); - copyFile("key3.db", BASE, DBDIR); - copyFile("cert8.db", BASE, DBDIR); + + if (useSqlite) { + copyFile("key4.db", BASE, DBDIR); + copyFile("cert9.db", BASE, DBDIR); + } else { + copyFile("secmod.db", BASE, DBDIR); + copyFile("key3.db", BASE, DBDIR); + copyFile("cert8.db", BASE, DBDIR); + } return true; }