JDK-8039212 : SecretKeyBasic.sh needs to avoid NSS libnss3 and libsoftokn3 version mismatches
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 9
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86_64
  • Submitted: 2014-04-03
  • Updated: 2016-06-13
  • Resolved: 2014-06-10
Fixed in: 7u85, 8u20, 9 b19
This test fails all the time on OEL 6.4 for me; not clear if this is an NSS issue or something else.


Beginning test run SecretKeysBasic...
Running test with provider SunPKCS11-nss...
softkey> javax.crypto.spec.SecretKeySpec@1776a
	[RAW] VALUE=5B470CBCDF052F5764156B35BF09F069
skey1> SunPKCS11-nss DESede secret key, 168 bits (id 1, session object, not sensitive, extractable)
	[RAW] VALUE=499BF1520DEFA8CBF7A8547051C82F8AF280E67F38A2EAE6
skey2> SunPKCS11-nss DESede secret key, 168 bits (id 2, session object, not sensitive, extractable)
	[RAW] VALUE=688CD0C7B6328A0202E0583B8C37C762349E8097C1FB37F1
Number of entries: 0
NSS version = 3.1290.  Test against  nss  Failed!
Exception in thread "main" java.lang.NullPointerException
	at SecretKeysBasic.checkSecretKeyEntry(SecretKeysBasic.java:106)
	at SecretKeysBasic.doTest(SecretKeysBasic.java:160)
	at SecretKeysBasic.main(SecretKeysBasic.java:84)
	at PKCS11Test.premain(PKCS11Test.java:81)
	at PKCS11Test.testNSS(PKCS11Test.java:359)
	at PKCS11Test.main(PKCS11Test.java:91)
	at SecretKeysBasic.main(SecretKeysBasic.java:47)
Vinnie and I talked and we continue to believe this is a bug in the OS (OEL 6.4) for using different versions of libnss3 and libsoftokn3. All keys in this test fail to be found in the keystore. Correctly matched library versions of older and newer versions of NSS work OK, so we don't believe the failure is with the JDK.

This is the same as INTJDK-7608113. It is sad that OEL distributes a problem version of NSS because it's FIPS validated, but that is a whole different topic on failure to understand security. It's hard to say if it's because of the mismatched versions of libnss3 and libsoftokn3, some configuration problem, or if 3.1290 is just broken. It's not a problem in Java, but maybe the test will have to skip this version to avoid inevitable filings of similar bugs in the future.
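
As an added example (not part of the bug report or the JDK test sources), a shell pre-flight check of the kind the last comment suggests: read the NSS version embedded in libnss3 and libsoftokn3 and skip the test when they differ. The function names, the `.so` file names and the ident-string format (`$Header: NSS <version>` or `Version: NSS <version>`) are assumptions, and the sample libraries and their version numbers are constructed.

```shell
#!/bin/sh
# Added example: refuse to run the PKCS11 test when libnss3 and libsoftokn3 differ.
# Assumption: both libraries embed an ident string such as
#   "$Header: NSS 3.12.9.0 ..."  or  "Version: NSS 3.16 ..."

# Print the NSS version embedded in library file $1 (empty if none is found).
# Trailing ".0" components are dropped so that 3.12.9.0 compares equal to 3.12.9.
nss_lib_version() {
    LC_ALL=C grep -a -o -E '(\$Header|Version): NSS [0-9]+(\.[0-9]+)*' "$1" 2>/dev/null |
        head -n 1 | sed -e 's/.*NSS //' -e 's/\(\.0\)*$//'
}

# Return 0 if the versions match, 1 on mismatch, 2 if either cannot be read.
nss_versions_match() {
    v_nss=$(nss_lib_version "$1/libnss3.so")
    v_sof=$(nss_lib_version "$1/libsoftokn3.so")
    if [ -z "$v_nss" ] || [ -z "$v_sof" ]; then
        echo "SKIP: cannot read NSS version in $1" >&2
        return 2
    fi
    if [ "$v_nss" != "$v_sof" ]; then
        echo "SKIP: libnss3=$v_nss libsoftokn3=$v_sof" >&2
        return 1
    fi
    return 0
}

# Constructed sample "libraries": binary junk around an ident string, not real NSS builds.
make_fake_lib() {   # $1 = path, $2 = ident string
    printf '\177ELF\001\002%s\000\003\004' "$2" > "$1"
}

demo_dir=$(mktemp -d)
make_fake_lib "$demo_dir/libnss3.so"     '$Header: NSS 3.14.3.0 Basic ECC'
make_fake_lib "$demo_dir/libsoftokn3.so" '$Header: NSS 3.12.9.0 Basic ECC'
if nss_versions_match "$demo_dir"; then
    echo "versions match, running test"
else
    echo "skipping SecretKeysBasic on this host"
fi
rm -rf "$demo_dir"
```

A check like this distinguishes "could not determine the version" (exit status 2) from a confirmed mismatch (exit status 1), so a harness can report the two cases differently.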