JDK-8142541 : [TESTBUG] TestECDH.java and TestECDSA.java fail on multiple Linux platforms
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 7u97,8u65
  • Priority: P2
  • Status: Resolved
  • Resolution: Not an Issue
  • OS: linux_ubuntu
  • Submitted: 2015-11-12
  • Updated: 2023-11-29
  • Resolved: 2020-04-27
Description
The following PKCS11 tests fail on Ubuntu 15.10 (have since been tested on other Linux flavors, and have been proven to fail on some of those too):

sun/security/pkcs11/ec/TestECDH.java
sun/security/pkcs11/ec/TestECDSA.java

The tests fail with exceptions like the following:

java.security.spec.InvalidKeySpecException: Could not create EC public key
	at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:173)
	at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
	at TestECDH.test(TestECDH.java:94)
	at TestECDH.main(TestECDH.java:86)
	at PKCS11Test.premain(PKCS11Test.java:86)
	at PKCS11Test.testNSS(PKCS11Test.java:401)
	at PKCS11Test.main(PKCS11Test.java:96)
	at TestECDH.main(TestECDH.java:124)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:92)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidKeyException: Could not create EC public key
	at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:130)
	at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:171)
	... 13 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
	at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:254)
	at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:110)
	... 14 more
Comments
If NSS has changed how they return their version string, then the test common code needs to be modified for proper coverage. I don't see this on the ProblemList, so the failures must not be common in the current test infrastructure.
23-08-2017

I have checked libsoftokn3.so and found the data below related to the NSS version details. I did not find any traces of the strings "$HEADER:" or "Version:" in the file.
... NSS_3.4^@GLIBC_2.2.5^@NSSUTIL_3.17.1^@NSSUTIL_3.12.3^@NSSUTIL_3.12^@NSSUTIL_3.14^@GLIBC_2.14^@GLIBC_2.3^@GLIBC_2.3.4^@GLIBC_2.3.2^@GLIBC_2.4^
10-03-2016

I have ported the change to PKCS11Test.java and the fix is still not working with Ubuntu 15.10. I used jdk1.8.0_76b11 on an Ubuntu 15.10 machine with NSS library version 2:3.19.2-1ubuntu1. The test is using the default version 0.0 as it is not able to derive it from the libsoftokn3.so file:
Beginning test run TestECDH...
Running test with provider SunPKCS11-NSS...
libsoftokn3 version not found, set to 0.0: /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
----------System.err:(29/1744)----------
java.security.spec.InvalidKeySpecException: Could not create EC public key
	at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:173)
	at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
	at TestECDH.test(TestECDH.java:94)
10-03-2016

This issue was fixed in JDK 9 as part of JDK-8138653. You can backport the patch: http://hg.openjdk.java.net/jdk9/dev/jdk/diff/c76255da3ec0/test/sun/security/pkcs11/PKCS11Test.java
07-03-2016

The NSS versions in Ubuntu 15.10 and earlier releases (e.g. Ubuntu 14.04) look almost the same.
Ubuntu 15.10:
---- >> dpkg -s libnss3 | grep Version
Version: 2:3.19.2-1ubuntu1
Ubuntu 14.04:
---- >> dpkg -s libnss3 | grep Version
Version: 2:3.19.2.1-0ubuntu0.14.04.1
PKCS11Test.getNSSInfo(String library) reads the libsoftokn3.so file and searches for "$Header: NSS" to find the NSS version. The /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so file on Ubuntu 15.10 does not have a header or string containing the NSS version information (e.g. NSS version header "3.19.2") as was present in the Ubuntu 14.04 file. The call to PKCS11Test.getNSSInfo(String library) results in an internal error, and because of that the NSS version is set to 0.0. The default value of PKCS11Test.nss_ecc_status is "ECCState.Extended", which causes additional EC curves to be tested on an unsupported platform.
One solution is to set the PKCS11Test.nss_ecc_status DEFAULT value to ECCState.Basic so that a limited set of curves would be tested in case of an NSS version error. But this is like a workaround. As Anthony suggested, we may need to find a new mechanism to get the NSS version. The libsoftokn3.so file no longer contains the version string, so we may need to rely on platform commands. For example, "dpkg" gets the NSS version present on the host and works in a Linux environment, but this is platform specific.
20-01-2016

This is a test bug. The previous versions of NSS displayed their version number when 'strings' was run. It appears the version of NSS on these machines does not show the version number. A new way will have to be found. The NSS version is important for this test so that it can avoid NSS bugs and EC curve support limitations. The CKR_DOMAIN_PARAMS_INVALID means the EC curve was not found, so these systems have NSS libraries with limited EC support that the test was unable to detect.
----------System.out:(3/163)----------
Beginning test run TestECDH...
Running test with provider SunPKCS11-NSS...
libsoftokn3 version not found, set to 0.0: /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
----------System.err:(29/1744)----------
12-11-2015
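
The version-detection failure discussed in the comments above, as an added example that is not the JDK's PKCS11Test code: it scans library bytes for the "$Header: NSS" marker and falls back to the basic curve set when no version is found. The class, method and enum names are hypothetical, the byte strings are constructed, and mapping every detected version to the extended set is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.util.Optional;

// Added illustration; names are hypothetical, not those of PKCS11Test.
public class NssVersionProbe {
    enum EccState { BASIC, EXTENDED }

    static final byte[] MARKER = "$Header: NSS ".getBytes(StandardCharsets.US_ASCII);

    // Scan raw library bytes for the marker and read the dotted version after it.
    static Optional<String> findVersion(byte[] lib) {
        outer:
        for (int i = 0; i + MARKER.length <= lib.length; i++) {
            for (int j = 0; j < MARKER.length; j++) {
                if (lib[i + j] != MARKER[j]) continue outer;
            }
            int start = i + MARKER.length;
            int end = start;
            while (end < lib.length
                    && ((lib[end] >= '0' && lib[end] <= '9') || lib[end] == '.')) {
                end++;
            }
            if (end > start) {
                return Optional.of(new String(lib, start, end - start, StandardCharsets.US_ASCII));
            }
        }
        return Optional.empty();
    }

    // Fail closed: with no version evidence, exercise only the basic curve set.
    // Assumption of this sketch: any detected version maps to EXTENDED; the real
    // harness applies per-version rules that this page does not list.
    static EccState eccStateFor(Optional<String> version) {
        return version.isPresent() ? EccState.EXTENDED : EccState.BASIC;
    }

    public static void main(String[] args) {
        // Constructed byte strings standing in for two libsoftokn3.so builds.
        byte[] withHeader = "\0\0$Header: NSS 3.19.2 $\0".getBytes(StandardCharsets.ISO_8859_1);
        byte[] withoutHeader =
                "NSS_3.4\0GLIBC_2.2.5\0NSSUTIL_3.17.1\0".getBytes(StandardCharsets.ISO_8859_1);
        for (byte[] lib : new byte[][] { withHeader, withoutHeader }) {
            Optional<String> v = findVersion(lib);
            System.out.println(v.orElse("not found") + " -> " + eccStateFor(v));
        }
    }
}
```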