8027218: TEST_BUG: sun/security/pkcs11/ec tests fail because of ever-changing key size restrictions
Reviewed-by: vinnie
--- a/jdk/test/sun/security/pkcs11/PKCS11Test.java Wed Dec 04 18:02:33 2013 +0000
+++ b/jdk/test/sun/security/pkcs11/PKCS11Test.java Wed Dec 04 10:59:17 2013 -0800
@@ -29,6 +29,8 @@
import java.lang.reflect.*;
import java.security.*;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
public abstract class PKCS11Test {
@@ -357,6 +359,93 @@
test.premain(p);
}
+ // Generate a vector of supported elliptic curves of a given provider
+ static Vector<ECParameterSpec> getKnownCurves(Provider p) throws Exception {
+ int index;
+ int begin;
+ int end;
+ String curve;
+ KeyPair kp = null;
+
+ Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
+ // Get Curves to test from SunEC.
+ String kcProp = Security.getProvider("SunEC").
+ getProperty("AlgorithmParameters.EC SupportedCurves");
+
+ if (kcProp == null) {
+ throw new RuntimeException(
+ "\"AlgorithmParameters.EC SupportedCurves property\" not found");
+ }
+
+ System.out.println("Finding supported curves using list from SunEC\n");
+ index = 0;
+ for (;;) {
+ // Each set of curve names is enclosed with brackets.
+ begin = kcProp.indexOf('[', index);
+ end = kcProp.indexOf(']', index);
+ if (begin == -1 || end == -1) {
+ break;
+ }
+
+ /*
+ * Each name is separated by a comma.
+ * Just get the first name in the set.
+ */
+ index = end + 1;
+ begin++;
+ end = kcProp.indexOf(',', begin);
+ if (end == -1) {
+ // Only one name in the set.
+ end = index -1;
+ }
+
+ curve = kcProp.substring(begin, end);
+ ECParameterSpec e = getECParameterSpec(p, curve);
+ System.out.print("\t "+ curve + ": ");
+ try {
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
+ kpg.initialize(e);
+ kp = kpg.generateKeyPair();
+ results.add(e);
+ System.out.println("Supported");
+ } catch (ProviderException ex) {
+ System.out.println("Unsupported: PKCS11: " +
+ ex.getCause().getMessage());
+ } catch (InvalidAlgorithmParameterException ex) {
+ System.out.println("Unsupported: Key Length: " +
+ ex.getMessage());
+ }
+ }
+
+ if (results.size() == 0) {
+ throw new RuntimeException("No supported EC curves found");
+ }
+
+ return results;
+ }
+
+ private static ECParameterSpec getECParameterSpec(Provider p, String name)
+ throws Exception {
+
+ AlgorithmParameters parameters =
+ AlgorithmParameters.getInstance("EC", p);
+
+ parameters.init(new ECGenParameterSpec(name));
+
+ return parameters.getParameterSpec(ECParameterSpec.class);
+ }
+
+ // Check support for a curve with a provided Vector of EC support
+ boolean checkSupport(Vector<ECParameterSpec> supportedEC,
+ ECParameterSpec curve) {
+ boolean found = false;
+ for (ECParameterSpec ec: supportedEC) {
+ if (ec.equals(curve)) {
+ return true;
+ }
+ }
+ return false;
+ }
private static final Map<String,String[]> osMap;
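Review bot: In `getKnownCurves`, the `ProviderException` handler calls `ex.getCause().getMessage()`, which throws a NullPointerException when the provider raises the exception without a cause and so hides the real failure; `Security.getProvider("SunEC")` earlier in the method is dereferenced the same way and is null when SunEC is not registered. I would print the cause only when it is present, e.g. `Throwable c = ex.getCause();` followed by `System.out.println("Unsupported: PKCS11: " + (c != null ? c.getMessage() : ex.getMessage()));`. Because every `ProviderException` from `generateKeyPair()` is now recorded as an unsupported curve, a provider regression fails the test only when no curve at all succeeds, which deserves a comment such as `// Any keygen failure is treated as "unsupported"; a broken token and a missing curve look the same here.` Smaller points: `kp` and `found` are assigned but never read, and `checkSupport` is an instance method while the other two helpers are static.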
--- a/jdk/test/sun/security/pkcs11/ec/ReadCertificates.java Wed Dec 04 18:02:33 2013 +0000
+++ b/jdk/test/sun/security/pkcs11/ec/ReadCertificates.java Wed Dec 04 10:59:17 2013 -0800
@@ -37,6 +37,7 @@
import java.security.cert.*;
import java.security.*;
import java.security.interfaces.*;
+import java.security.spec.ECParameterSpec;
import javax.security.auth.x500.X500Principal;
@@ -101,33 +102,44 @@
}
System.out.println("OK: " + certs.size() + " certificates.");
+ // Get supported curves
+ Vector<ECParameterSpec> supportedEC = getKnownCurves(p);
+
+ System.out.println("Test Certs:\n");
for (X509Certificate cert : certs.values()) {
X509Certificate issuer = certs.get(cert.getIssuerX500Principal());
- System.out.println("Verifying " + cert.getSubjectX500Principal() + "...");
+ System.out.print("Verifying " + cert.getSubjectX500Principal() +
+ "... ");
PublicKey key = issuer.getPublicKey();
- // First try the provider under test (if it does not support the
- // necessary algorithm then try any registered provider).
- try {
- cert.verify(key, p.getName());
- } catch (NoSuchAlgorithmException e) {
- System.out.println("Warning: " + e.getMessage() +
- ". Trying another provider...");
- cert.verify(key);
- } catch (InvalidKeyException e) {
- // The root cause of the exception might be NSS not having
- // "ECC Extended" support curves. If so, we can ignore it.
- Throwable t = e;
- while (t.getCause() != null) {
- t = t.getCause();
- }
- if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
- t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
- isNSS(p) && getNSSECC() == ECCState.Basic) {
- System.out.println("Failed as expected. NSS Basic ECC.");
+ // Check if curve is supported
+ if (issuer.getPublicKey() instanceof ECPublicKey) {
+ if (!checkSupport(supportedEC,
+ ((ECPublicKey)key).getParams())) {
+ System.out.println("Curve not found. Skipped.");
continue;
}
- throw e;
}
+
+ try {
+ cert.verify(key, p.getName());
+ System.out.println("Pass.");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Warning: " + e.getMessage() +
+ ". Trying another provider...");
+ cert.verify(key);
+ } catch (Exception e) {
+ System.out.println(e.getMessage());
+ if (key instanceof ECPublicKey) {
+ System.out.println("Failed.\n\tCurve: " +
+ ((ECPublicKey)key).getParams() +
+ "\n\tSignature Alg: " + cert.getSigAlgName());
+ } else {
+ System.out.println("Key: "+key.toString());
+ }
+
+ System.err.println("Verifying " + cert.getSubjectX500Principal());
+ e.printStackTrace();
+ }
}
// try some random invalid signatures to make sure we get the correct
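Review bot: The new `catch (Exception e)` around `cert.verify(key, p.getName())` prints the failure and the stack trace but never rethrows, so a certificate whose signature fails to verify on a curve the provider reports as supported no longer fails the test. Unsupported curves are already skipped by the `checkSupport` branch above, so anything reaching this handler looks like a genuine verification failure and should propagate: add `throw e;` after `e.printStackTrace();`, or count the failures and throw a `RuntimeException` once the loop ends. The fallback `cert.verify(key)` in the `NoSuchAlgorithmException` branch also prints no result, while the success path prints `Pass.`. The enclosing method starts and ends outside this hunk, so I am assuming it still declares `throws Exception`, as the removed `throw e;` suggests.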
--- a/jdk/test/sun/security/pkcs11/ec/TestCurves.java Wed Dec 04 18:02:33 2013 +0000
+++ b/jdk/test/sun/security/pkcs11/ec/TestCurves.java Wed Dec 04 10:59:17 2013 -0800
@@ -56,47 +56,49 @@
return;
}
+ // Check if this is sparc for later failure avoidance.
+ boolean sparc = false;
+ if (System.getProperty("os.arch").equals("sparcv9")) {
+ sparc = true;
+ System.out.println("This is a sparcv9");
+ }
+
Random random = new Random();
byte[] data = new byte[2048];
random.nextBytes(data);
Vector<ECParameterSpec> curves = getKnownCurves(p);
-
for (ECParameterSpec params : curves) {
System.out.println("Testing " + params + "...");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
kpg.initialize(params);
KeyPair kp1, kp2;
- try {
- kp1 = kpg.generateKeyPair();
- kp2 = kpg.generateKeyPair();
- } catch (Exception e) {
- // The root cause of the exception might be NSS not having
- // "ECC Extended" support curves. If so, we can ignore it.
- if (e instanceof java.security.ProviderException) {
- Throwable t = e.getCause();
- if (t instanceof
- sun.security.pkcs11.wrapper.PKCS11Exception &&
- t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
- isNSS(p) && (getNSSECC() == ECCState.Basic) &&
- (!params.toString().startsWith("secp256r1") &&
- !params.toString().startsWith("secp384r1") &&
- !params.toString().startsWith("secp521r1"))) {
- System.out.println("NSS Basic ECC. Failure expected");
- continue;
- }
- }
-
- throw e;
- }
+ kp1 = kpg.generateKeyPair();
+ kp2 = kpg.generateKeyPair();
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
- testSigning(p, "SHA224withECDSA", data, kp1, kp2);
- testSigning(p, "SHA256withECDSA", data, kp1, kp2);
- testSigning(p, "SHA384withECDSA", data, kp1, kp2);
- testSigning(p, "SHA512withECDSA", data, kp1, kp2);
- // System.out.println();
+ // Check because Solaris ncp driver does not support these but
+ // Solaris metaslot causes them to be run.
+ try {
+ testSigning(p, "SHA224withECDSA", data, kp1, kp2);
+ testSigning(p, "SHA256withECDSA", data, kp1, kp2);
+ testSigning(p, "SHA384withECDSA", data, kp1, kp2);
+ testSigning(p, "SHA512withECDSA", data, kp1, kp2);
+ } catch (ProviderException e) {
+ if (sparc) {
+ Throwable t = e.getCause();
+ if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
+ t.getMessage().equals("CKR_ATTRIBUTE_VALUE_INVALID")) {
+ System.out.print("-Failure not uncommon. Probably pre-T4.");
+ } else {
+ throw e;
+ }
+ } else {
+ throw e;
+ }
+ }
+ System.out.println();
KeyAgreement ka1 = KeyAgreement.getInstance("ECDH", p);
ka1.init(kp1.getPrivate());
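Review bot: The single `try` around the four SHA-2 `testSigning` calls means that when SHA224withECDSA hits the tolerated `CKR_ATTRIBUTE_VALUE_INVALID` on sparcv9, the SHA256, SHA384 and SHA512 signatures are skipped for that curve without any message. The exemption is also keyed on `os.arch` alone, so it applies to every sparcv9 host rather than only those where the ncp driver is actually in use; a comment saying so would stop readers from assuming newer hardware is still fully covered. Handling the exception per algorithm keeps the remaining signatures exercised, as sketched below. The enclosing method begins and ends outside this hunk.

```java
testSigning(p, "SHA1withECDSA", data, kp1, kp2);
// Tolerate the known ncp/metaslot failure per algorithm, so that one
// unsupported digest does not hide the results of the others.
for (String alg : new String[] {"SHA224withECDSA", "SHA256withECDSA",
        "SHA384withECDSA", "SHA512withECDSA"}) {
    try {
        testSigning(p, alg, data, kp1, kp2);
    } catch (ProviderException e) {
        Throwable t = e.getCause();
        if (!sparc ||
                !(t instanceof sun.security.pkcs11.wrapper.PKCS11Exception) ||
                !"CKR_ATTRIBUTE_VALUE_INVALID".equals(t.getMessage())) {
            throw e;
        }
        System.out.print("-Failure not uncommon. Probably pre-T4.");
    }
}
// … unchanged: System.out.println() and the ECDH key agreement checks …
```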
@@ -116,70 +118,9 @@
System.out.println("OK");
}
- private static Vector<ECParameterSpec>
- getKnownCurves(Provider p) throws Exception {
-
- int index;
- int begin;
- int end;
- String curve;
- Vector<ECParameterSpec> results = new Vector<ECParameterSpec>();
- // Get Curves to test from SunEC.
- String kcProp = Security.getProvider("SunEC").
- getProperty("AlgorithmParameters.EC SupportedCurves");
-
- if (kcProp == null) {
- throw new RuntimeException(
- "\"AlgorithmParameters.EC SupportedCurves property\" not found");
- }
-
- index = 0;
- for (;;) {
- // Each set of curve names is enclosed with brackets.
- begin = kcProp.indexOf('[', index);
- end = kcProp.indexOf(']', index);
- if (begin == -1 || end == -1) {
- break;
- }
-
- /*
- * Each name is separated by a comma.
- * Just get the first name in the set.
- */
- index = end + 1;
- begin++;
- end = kcProp.indexOf(',', begin);
- if (end == -1) {
- // Only one name in the set.
- end = index -1;
- }
-
- curve = kcProp.substring(begin, end);
-
- results.add(getECParameterSpec(p, curve));
- }
-
- if (results.size() == 0) {
- throw new RuntimeException("No supported EC curves found");
- }
-
- return results;
- }
-
- private static ECParameterSpec getECParameterSpec(Provider p, String name)
- throws Exception {
-
- AlgorithmParameters parameters =
- AlgorithmParameters.getInstance("EC", p);
-
- parameters.init(new ECGenParameterSpec(name));
-
- return parameters.getParameterSpec(ECParameterSpec.class);
- }
-
private static void testSigning(Provider p, String algorithm,
byte[] data, KeyPair kp1, KeyPair kp2) throws Exception {
- // System.out.print(" " + algorithm);
+ System.out.print(" " + algorithm);
Signature s = Signature.getInstance(algorithm, p);
s.initSign(kp1.getPrivate());
s.update(data);