JDK-8180837 : SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 7u141,8u131,9,10,11,12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-05-23
  • Updated: 2023-11-10
  • Resolved: 2019-09-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 14 JDK 8
11.0.11Fixed 14 b16Fixed 8u401Fixed
Related Reports
Relates :  
JDK-8232153 - sun/security/pkcs11/Secmod/AddTrustedCert.java failed with Linux built-in NSS libs
Relates :  
JDK-8226221 - Update PKCS11 tests to use NSS 3.46 libs
Relates :  
JDK-8231338 - sun/security/pkcs11/Secmod/AddTrustedCert.java failed on Ubuntu 18.04.2 LTS
Relates :  
JDK-8148501 - Upgrade NSS library used in tests to the latest version
Relates :  
JDK-8220084 - pkcs11 tests to be added to jdk/test/ProblemList.txt for 8u
Relates :  
JDK-8212134 - Failing tests in sun/security/pkcs11/Secmod with libnss 3.35
Relates :  
JDK-8209398 - sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
Sub Tasks
JDK-8195667 :  
ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837 - Resolved
Description
Starting about a month ago, two pkcs11 nss tests started mysteriously failing, on 8u, 9, and 10:

sun/security/pkcs11/Secmod/AddTrustedCert.java generic-all
sun/security/pkcs11/tls/TestKeyMaterial.java generic-all

It seems very unlikely to be due to openjdk code changes; something in the environment must have changed.  The tests fail on Ubuntu 14.04 but pass on recent debian testing.  Recent deb package changes that may point at a culprit include libnss-cache and nsscacheclient.

Relevant exception snippets:

PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
PKCS11Exception: CKR_MECHANISM_PARAM_INVALID

jtreg output:

--------------------------------------------------
TEST: sun/security/pkcs11/Secmod/AddTrustedCert.java
TEST JDK: /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image

ACTION: build -- Passed. Build successful
REASON: Named class compiled on demand
TIME:   1.179 seconds
messages:
command: build AddTrustedCert
reason: Named class compiled on demand
Test directory:
  compile: AddTrustedCert
elapsed time (seconds): 1.179

ACTION: compile -- Passed. Compilation successful
REASON: .class file out of date or does not exist
TIME:   1.169 seconds
messages:
command: compile -XDignore.symbol.file=true /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod/AddTrustedCert.java
reason: .class file out of date or does not exist
Mode: agentvm
Agent id: 0
elapsed time (seconds): 1.169
configuration:
Boot Layer (javac runtime environment)
  class path: /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/javatest.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/jtreg.jar

javac compilation environment
  source path: /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod
               /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11
  class path:  /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod
               /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod
               /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11
               /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar

rerun:
DISPLAY=localhost:11.0 \
HOME=/home/martin \
LANG=en_US.UTF-8 \
PATH=/bin:/usr/bin \
    /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/bin/javac \
        -J-enablesystemassertions \
        -J-Dtest.class.path.prefix=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -J-Dtest.src=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod \
        -J-Dtest.src.path=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -J-Dtest.classes=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod \
        -J-Dtest.class.path=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -J-Dtest.vm.opts=-enablesystemassertions \
        -J-Dtest.tool.vm.opts=-J-enablesystemassertions \
        -J-Dtest.compiler.opts= \
        -J-Dtest.java.opts= \
        -J-Dtest.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -J-Dcompile.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -J-Dtest.timeout.factor=1.0 \
        -d /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod \
        -sourcepath /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -classpath /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11:/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar \
        -XDignore.symbol.file=true /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod/AddTrustedCert.java
direct:
Note: /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/PKCS11Test.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

ACTION: main -- Failed. Execution failed: `main' threw exception: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
REASON: User specified action: run main/othervm AddTrustedCert 
TIME:   0.28 seconds
messages:
command: main AddTrustedCert
reason: User specified action: run main/othervm AddTrustedCert 
Mode: othervm [/othervm specified]
elapsed time (seconds): 0.28
configuration:
STDOUT:
SunPKCS11-NSSKeyStore version 1.8
entries: 1
[mykey]
first entry = Trusted certificate entry:
[
[
  Version: V3
  Subject: EMAILADDRESS=info@opentsa.org, CN=OpenTSA Root CA, O=OpenTSA, L=Dublin, ST=Co. Dublin, C=IE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 28015647916364875829141896049677220882914191436294605577513377891910662717336292436491710471594406842772073838695462019009454723293288506992417485761129126311538268002377286178684649711932051555842344360775863345218752895239460508761587090794001550599392104457188635329925564746414056111210478603450167440907565077703922928621867939042884745257219423496925695838757642236269036957557147241224660577528253185760515264362748497612078896510637739121732184250485539505699485155279825000189178169555672844007672373755234739866676449460941418806853690713277829199399068163905100762713680303566487520616527043839846563616127
  public exponent: 65537
  Validity: [From: Thu Oct 17 13:51:34 PDT 2002,
               To: Mon Oct 16 13:51:34 PDT 2006]
  Issuer: EMAILADDRESS=info@opentsa.org, CN=OpenTSA Root CA, O=OpenTSA, L=Dublin, ST=Co. Dublin, C=IE
  SerialNumber: [    00]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2D 9D F7 1D 7E 65 77 9A   F4 D9 B4 99 B1 17 3B C4  -....ew.......;.
0010: 2F C8 AD A5                                        /...
]
[EMAILADDRESS=info@opentsa.org, CN=OpenTSA Root CA, O=OpenTSA, L=Dublin, ST=Co. Dublin, C=IE]
SerialNumber: [    00]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: info@opentsa.org
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2D 9D F7 1D 7E 65 77 9A   F4 D9 B4 99 B1 17 3B C4  -....ew.......;.
0010: 2F C8 AD A5                                        /...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 26 A9 2D 41 7E 71 12 DA   BB 89 AE 0C 84 E4 FC FC  &.-A.q..........
0010: 71 6B 13 1E 41 2C 85 A0   51 BA 81 90 4C 9A 2C A4  qk..A,..Q...L.,.
0020: 61 ED 7B 61 AC A4 13 C7   6C 07 E9 46 E4 F6 C3 05  a..a....l..F....
0030: 31 96 C2 42 FC 39 2D 43   37 34 24 8B EB 3E 90 FC  1..B.9-C74$..>..
0040: F5 FE 64 37 1F 8C 24 98   E6 FC 62 FC 9C 2C 05 B4  ..d7..$...b..,..
0050: 7F 59 4E 28 DA 22 64 0B   5C 35 BA 0B DE 81 53 0B  .YN(."d.\5....S.
0060: 80 9B 3A FD BE A7 ED 63   09 EE AB 52 B7 DE 96 12  ..:....c...R....
0070: 1E 58 87 DE C0 61 31 56   86 BB 93 9A DF 20 63 20  .X...a1V..... c 
0080: F6 EF F9 B8 28 1B 6E 0E   36 35 BE A2 8A D2 F9 D1  ....(.n.65......
0090: 54 04 29 18 5E 27 72 65   8B 63 22 A7 43 2A AB 39  T.).^'re.c".C*.9
00A0: AE EF CF D5 FF D1 9C 21   FB 8C 96 D5 12 D1 51 12  .......!......Q.
00B0: 15 33 DB 96 96 AA 5E 55   9D B2 C5 E8 83 22 FA 08  .3....^U....."..
00C0: EF 8C 51 80 A8 59 6B EC   80 19 F7 6E 6B C8 80 53  ..Q..Yk....nk..S
00D0: 8F 30 D8 F8 B3 83 31 ED   E3 5C CE 5C 47 D8 2F 71  .0....1..\.\G./q
00E0: C8 88 78 D0 90 B4 D6 39   64 0D 05 8A 86 C4 63 B5  ..x....9d.....c.
00F0: 9B 63 3F DF A2 E6 28 39   D0 67 27 75 4D E2 CF 1E  .c?...(9.g'uM...

]
STDERR:
java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
	at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1048)
	at sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:516)
	at java.security.KeyStore.setCertificateEntry(KeyStore.java:1201)
	at AddTrustedCert.main(AddTrustedCert.java:79)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
	at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
	at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
	at sun.security.pkcs11.P11KeyStore.storeCert(P11KeyStore.java:1564)
	at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1044)
	... 9 more

JavaTest Message: Test threw exception: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
JavaTest Message: shutting down test

STATUS:Failed.`main' threw exception: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
rerun:
DISPLAY=localhost:11.0 \
HOME=/home/martin \
LANG=en_US.UTF-8 \
PATH=/bin:/usr/bin \
CLASSPATH=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11:/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar:/home/martin/jtreg-binaries/4.2-b07/lib/javatest.jar:/home/martin/jtreg-binaries/4.2-b07/lib/jtreg.jar \
    /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/bin/java \
        -Dtest.class.path.prefix=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -Dtest.src=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod \
        -Dtest.src.path=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -Dtest.classes=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod \
        -Dtest.class.path=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/Secmod:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -Dtest.vm.opts=-enablesystemassertions \
        -Dtest.tool.vm.opts=-J-enablesystemassertions \
        -Dtest.compiler.opts= \
        -Dtest.java.opts= \
        -Dtest.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -Dcompile.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -Dtest.timeout.factor=1.0 \
        -enablesystemassertions \
        com.sun.javatest.regtest.agent.MainWrapper /home/martin/ws/jdk8u/jdk/test/JTwork/sun/security/pkcs11/Secmod/AddTrustedCert.d/main.0.jta

TEST RESULT: Failed. Execution failed: `main' threw exception: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY
--------------------------------------------------
TEST: sun/security/pkcs11/tls/TestKeyMaterial.java
TEST JDK: /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image

ACTION: build -- Passed. Build successful
REASON: Named class compiled on demand
TIME:   0.3 seconds
messages:
command: build TestKeyMaterial
reason: Named class compiled on demand
Test directory:
  compile: TestKeyMaterial
elapsed time (seconds): 0.3

ACTION: compile -- Passed. Compilation successful
REASON: .class file out of date or does not exist
TIME:   0.3 seconds
messages:
command: compile -XDignore.symbol.file=true /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls/TestKeyMaterial.java
reason: .class file out of date or does not exist
Mode: agentvm
Agent id: 0
elapsed time (seconds): 0.3
configuration:
Boot Layer (javac runtime environment)
  class path: /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/javatest.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/jtreg.jar

javac compilation environment
  source path: /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls
               /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11
  class path:  /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls
               /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls
               /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11
               /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar

rerun:
DISPLAY=localhost:11.0 \
HOME=/home/martin \
LANG=en_US.UTF-8 \
PATH=/bin:/usr/bin \
    /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/bin/javac \
        -J-enablesystemassertions \
        -J-Dtest.class.path.prefix=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -J-Dtest.src=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls \
        -J-Dtest.src.path=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -J-Dtest.classes=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls \
        -J-Dtest.class.path=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -J-Dtest.vm.opts=-enablesystemassertions \
        -J-Dtest.tool.vm.opts=-J-enablesystemassertions \
        -J-Dtest.compiler.opts= \
        -J-Dtest.java.opts= \
        -J-Dtest.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -J-Dcompile.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -J-Dtest.timeout.factor=1.0 \
        -d /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls \
        -sourcepath /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -classpath /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11:/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar \
        -XDignore.symbol.file=true /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls/TestKeyMaterial.java
direct:
Note: /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls/TestKeyMaterial.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/PKCS11Test.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

ACTION: main -- Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not generate key
REASON: Assumed action based on file name: run main TestKeyMaterial 
TIME:   0.176 seconds
messages:
command: main TestKeyMaterial
reason: Assumed action based on file name: run main TestKeyMaterial 
Mode: agentvm
Agent id: 0
elapsed time (seconds): 0.176
configuration:
Boot Layer
  class path: /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/javatest.jar
              /home/martin/jtreg-binaries/4.2-b07/lib/jtreg.jar

Test Layer
  class path: /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls
              /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls
              /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11
              /home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11

rerun:
DISPLAY=localhost:11.0 \
HOME=/home/martin \
LANG=en_US.UTF-8 \
PATH=/bin:/usr/bin \
    /home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/bin/java \
        -Dtest.class.path.prefix=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -Dtest.src=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls \
        -Dtest.src.path=/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11 \
        -Dtest.classes=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls \
        -Dtest.class.path=/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11 \
        -Dtest.vm.opts=-enablesystemassertions \
        -Dtest.tool.vm.opts=-J-enablesystemassertions \
        -Dtest.compiler.opts= \
        -Dtest.java.opts= \
        -Dtest.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -Dcompile.jdk=/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image \
        -Dtest.timeout.factor=1.0 \
        -classpath /home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11/tls:/home/martin/ws/jdk8u/jdk/test/JTwork/classes/sun/security/pkcs11:/home/martin/ws/jdk8u/jdk/test/sun/security/pkcs11:/home/martin/ws/jdk8u/build/linux-x86_64-normal-server-release/images/j2sdk-image/lib/tools.jar:/home/martin/jtreg-binaries/4.2-b07/lib/javatest.jar:/home/martin/jtreg-binaries/4.2-b07/lib/jtreg.jar \
        TestKeyMaterial
STDOUT:
Beginning test run TestKeyMaterial...
Running test with provider SunPKCS11-NSS...
..................................................................STDERR:
java.security.ProviderException: Could not generate key
	at sun.security.pkcs11.P11TlsKeyMaterialGenerator.engineGenerateKey(P11TlsKeyMaterialGenerator.java:206)
	at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:540)
	at TestKeyMaterial.main(TestKeyMaterial.java:140)
	at PKCS11Test.premain(PKCS11Test.java:88)
	at PKCS11Test.testNSS(PKCS11Test.java:403)
	at PKCS11Test.main(PKCS11Test.java:98)
	at TestKeyMaterial.main(TestKeyMaterial.java:50)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainActionHelper$SameVMRunnable.run(MainActionHelper.java:230)
	at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_PARAM_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_DeriveKey(Native Method)
	at sun.security.pkcs11.P11TlsKeyMaterialGenerator.engineGenerateKey(P11TlsKeyMaterialGenerator.java:164)
	... 12 more

JavaTest Message: Test threw exception: java.security.ProviderException
JavaTest Message: shutting down test


TEST RESULT: Failed. Execution failed: `main' threw exception: java.security.ProviderException: Could not generate key
--------------------------------------------------
Test results: failed: 2
Comments
Fix request (11u) It would be desirable to have this fix in 11u so we can fix a known bug and improve the SunPKCS11 testing infrastructure overall. The risk is very low as only tests are affected by this fix. jdk/jdk patch does not apply cleanly but has been review-approved here: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-January/004655.html
15-01-2021
RFR (11u): http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-January/004632.html
13-01-2021
URL: https://hg.openjdk.java.net/jdk/jdk/rev/e6231dbaa862 User: jjiang Date: 2019-09-21 00:07:25 +0000
23-09-2019
Hi [~jjiang], sun/security/pkcs11/Secmod/AddTrustedCert.java failed on Ubuntu 18.04.2 LTS with default nss-3.35, but passed with your nss-3.35. I've filed JDK-8231338 for you. Hope you can find the root cause about the failure. Thanks.
23-09-2019
Thanks Valerie's patch! I'll try it.
21-08-2019
Valerie's patch looks reasonable. Do you plan to use this [~jjiang] ?
09-07-2019
For sun/security/pkcs11/tls/TestKeyMaterial.java, the C_DeriveKey() call fails when the corresponding CK_SSL3_KEY_MAT_PARAMS structure has its "bIsExport" field set to true. Based on NSS 3.28 release note, it removed support for export-grade cipher suites, i.e. https://bugzilla.mozilla.org/show_bug.cgi?id=1252849 Thus, at a minimum, we should update the test to ignore the failed calls when NSS is used with export-grade cipher suites. With the following diff, TestKeyMaterial.java can pass. Note that this diff below just checks the provider name and test vector, it does not double check the NSS version to be 3.28 or later. diff -r 1e569f37cf36 test/jdk/sun/security/pkcs11/tls/TestKeyMaterial.java --- a/test/jdk/sun/security/pkcs11/tls/TestKeyMaterial.java +++ b/test/jdk/sun/security/pkcs11/tls/TestKeyMaterial.java @@ -37,6 +37,7 @@ import java.nio.file.Files; import java.nio.file.Paths; import java.security.Provider; +import java.security.ProviderException; import java.security.InvalidAlgorithmParameterException; import java.util.Arrays; import javax.crypto.KeyGenerator; @@ -154,10 +155,25 @@ match(lineNumber, serverMacBytes, result.getServerMacKey(), ""); } catch (InvalidAlgorithmParameterException iape) { // SSLv3 support is removed in S12 - if (major == 3 && minor == 0) { - System.out.println("Skip testing SSLv3"); - continue; + if (provider.getName().indexOf("Solaris") != -1) { + if (major == 3 && minor == 0) { + System.out.println("Skip testing SSLv3 on Solaris"); + continue; + } } + throw iape; + } catch (ProviderException pe) { + // NSS remove support for export-grade cipher suites in 3.28 + if (provider.getName().indexOf("NSS") != -1) { + Throwable t = pe.getCause(); + if (expandedKeyLength != 0 && + t.getMessage().indexOf("CKR_MECHANISM_PARAM_INVALID") != -1) { + // see https://bugzilla.mozilla.org/show_bug.cgi?id=1252849 + System.out.println("Ignore known NSS failures"); + continue; + } + } + throw pe; } } else { throw new Exception("Unknown line: " + line);
22-02-2019
These test would not depend on the native NSS libs, especially on Linux.
31-01-2019
Secmod/AddTrustedCert.java passed with NSS 3.35 on macosx. But it still could not release this test from ProblemList since PKCS11 test may use earlier NSS libs on Linux and Solaris.
26-10-2018
We started running tests on a new Linux distro (based on debian testing) and noticed that AddTrustedCert started to pass again. (but TestKeyMaterial is still failing). The most likely reason is the NSS version - the new system is running NSS 3.35, while failures were observed on systems running NSS 3.28.
12-10-2018
We're going to exclude these tests in jdk8u-dev. It would be good for someone to root cause the issue.
25-05-2018
I have run the test with NSS 3.27, 3.28, 3.29 and 3.31 (the latest version) on Ubuntu 16.04. It passed with 3.27, but failed with 3.28, 3.29 and 3.31. Then, this failure should be caused by some changes on NSS 3.28. It may be a NSS bug or JDK product bug(?)
28-06-2017
This can be reproduced as well with the oldest jdk8 I still have lying about, 8u40, so bisecting to find a culprit commit seems unlikely to be useful.
28-06-2017
This issue also can be reproduced with NSS 3.28 and a very early JDK 9 build (9-ea+100-2016-01-06-182319.javare.4235), so it may not be caused by some changes on JDK 9.
28-06-2017
I just reproduced the same issues with NSS 3.28 on Ubuntu 16.04. So, I suspect some changes on NSS libraries causes the failures. $ uname -a Linux ubuntu-john 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=16.04 DISTRIB_CODENAME=xenial DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
28-06-2017
I re-run these tests with NSS 3.28 and reproduced the issue related to PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY.
28-06-2017
Gustavo, this cannot be bisected to a particular build; it was a change to Ubuntu 14.04 that apparently triggered the failure. My machine gives $ uname -a Linux nucke 4.4.0-72-generic #93~14.04.1-Ubuntu SMP Fri Mar 31 15:05:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux Notice that my kernel has a larger patch number and has a later timestamp. I suspect that ubuntu-john simply hasn't had the troublesome update applied. If you patch the machine ("e.g. sudo update-manager") and reboot (and maybe rebuild from scratch?), there's a good chance the tests will start failing. My version of libnss3 is 2:3.28.4-0ubuntu0.14.04.2 /etc/lsb-release contains: Ubuntu 14.04.5 LTS
27-06-2017
I am using Ubuntu 14.04 and NSS 3.16, but cannot reproduce this issue by running the tests in a loop with JDK 9 build 175. $ uname -a Linux ubuntu-john 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux [~martin] Can you still reproduce the issue? Is it intermittent?
27-06-2017
John, please investigate root cause. Can we pinpoint starting at what build (let's say for 9) this happens?
31-05-2017