JDK-6988842 : jce/ECC test fails for SunPKCS11 provider using nss library
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 6,7,8
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux,solaris,windows
  • CPU: generic,x86
  • Submitted: 2010-10-01
  • Updated: 2015-06-25
  • Resolved: 2014-10-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8
8Fixed
Related Reports
Duplicate :  
Duplicate :  
Duplicate :  
Duplicate :  
Relates :  
Relates :  
Relates :  
Description
TESTFAIL:sun/security/pkcs11/ec/ReadCertificates.java
TESTFAIL:sun/security/pkcs11/ec/ReadPKCS12.java
TESTFAIL:sun/security/pkcs11/ec/TestECDSA.java
TESTFAIL:sun/security/pkcs11/Secmod/AddPrivateKey.java
TESTFAIL:sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
TESTFAIL:sun/security/tools/jarsigner/ec.sh 

----------

The following test fails if nss library is being used through SunPKCS11 provider:

jce/ECC

Test log:
/java/sqe/results/security/promotion/7/b111/gtee/oel5.5-x64-32_c1/7-b111_promotion_security_oel5.5-x64-32_c1/ResultDir/ECC/

There are multiple test case in this test. Running test case, TestECDSA, will shows the issue. 

Steps to reproduce:

amd-susew $cd 
/java/sqe/results/security/promotion/7/b111/gtee/oel5.5-x64-32_c1/7-b111_promotion_security_oel5.5-x64-32_c1/ResultDir/ECC

amd-susew $export LD_LIBRARY_PATH=/java/sqe/comp//jsn/all_workspace/7_int/security/tools/lib/nss/Linux2.6

amd-susew $/java/re/jdk/7/promoted/all/b111/binaries/linux-i586/bin/java -cp . TestECDSA
FAIL: java.lang.Exception: Configuration file is required as argument
amd-susew $/java/re/jdk/7/promoted/all/b111/binaries/linux-i586/bin/java -cp . TestECDSA ecprovider.cfg 
============================================
====Test ECC with SunPKCS11 provider ==========
============================================
FAIL: java.lang.Exception: Result mismatch, actual: false

The failure seems to start from b89.
The following test also fails starting from b89. 

JSSE/SSLECC
More regression tests failing on Solaris 5.10 covered by this CR.

sun/security/pkcs11/Secmod/AddPrivateKey.java
sun/security/pkcs11/ec/ReadCertificates.java
sun/security/pkcs11/ec/ReadPKCS12.java
sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java

In the first 3, signature cannot be verified.

The last one shows

Caused by: java.lang.RuntimeException: Could not parse key values
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1055)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.getParams(P11Key.java:1080)
	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:983)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:774)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1031)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1327)
	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:881)
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
	... 6 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=105, too big.
	at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
	at sun.security.util.DerValue.init(DerValue.java:365)
	at sun.security.util.DerValue.<init>(DerValue.java:294)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1041)
	... 16 more

Comments
Should we remove these tests from JDK 8u problem list as a result of this issue being fixed? # 6988842: 4 tests failing on Solaris 5.10 sun/security/pkcs11/Secmod/AddPrivateKey.java solaris-all sun/security/pkcs11/ec/ReadCertificates.java solaris-all sun/security/pkcs11/ec/ReadPKCS12.java solaris-all sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java solaris-all
25-06-2015

This issue has been resolved. A changeset to fix the issue use was pushed but subsequently backed-out. The issue is fixed by JDK-7152582 and JDK-6880559.
08-10-2014

Affected test (for DKFL): JSSE/SSLECC_SunEC
04-02-2013

EVALUATION These tests fail only on the SunPKCS11-NSS security provider that uses the built-in version of NSS supplied in our PKCS11 testsuite. That version of NSS is from circa 2005 and contains an unpatched bug. These tests pass on a SunPKCS11-NSS security provider that uses a more recent version of NSS. The version of NSS supplied in our PKCS11 testsuite should be updated.
07-04-2011