
jdk22+ PKCS11 nss testing requires `-Djdk.test.lib.artifacts.nsslib-<platform>=<nss location>`

Open pshipton opened this issue 1 year ago • 5 comments

As of https://github.com/openjdk/jdk22/commit/6ce0ebb858d3112f136e12d3ad595f805f6871a0 there is a test requirement to set `-Djdk.test.lib.artifacts.nsslib-<platform>=<nss location>` when running PKCS11 nss tests, otherwise the tests are just skipped.

i.e. if the option is not set: `jtreg.SkippedException: Warning: unsupported OS: Linux-amd64-64, please initialize NSS library location, skipping test`

An example test is sun/security/pkcs11/ec/ReadCertificates.java in jdk_security3.

pshipton avatar Jan 12 '24 18:01 pshipton

@smlambert do we have a map between OpenJDK platforms and the AQA platforms? @AdamBrousseau Any idea where the NSS library is located on openj9 machines and internal machines?

llxia avatar Feb 14 '24 17:02 llxia

@llxia - the closest thing we have in terms of documentation regarding how to specify platforms / OS / architectures in our ProblemList files is here: https://github.com/adoptium/aqa-tests/tree/master/openjdk#exclude-a-testcase

smlambert avatar Feb 14 '24 17:02 smlambert

Thanks @smlambert. It looks like we need to define a map between OpenJDK platforms and the AQA platforms in order to set the `-Djdk.test.lib.artifacts.nsslib-<platform>=<nss location>` value in the test pipeline.

llxia avatar Feb 14 '24 17:02 llxia

Talked to @jasonkatonica. NSS is a lib that is installed on our rhel test machines where fips 140-2 testing runs. It installs an artifact location and a lib location. These locations are hardcoded in the OpenJ9 extensions code as they are consistent for the time being given we only test on rhel. https://github.com/ibmruntimes/openj9-openjdk-jdk17/blob/openj9/closed/src/java.base/share/conf/security/nss.fips.cfg

nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb

I believe it is the nssSecmod folder you want. It is the database where the keys and certificates are stored. The PKCS11 provider and NSS push and pull keys and certs from that location.

AdamBrousseau avatar Feb 14 '24 19:02 AdamBrousseau

I talked with Jason. We are not aware of a cmd to check if NSS is installed atm. For NSS on RHEL for fips, it should be installed at the above location. However, the library could reside at other places on other platforms. Also, it is preferred to not hardcode the NSS location.

Based on the situation, I think we should limit the test to machines with ci.role.test.fips until we figure out a better way to locate the library.

Details:

  • get the machine labels
  • if it contains ci.role.test.fips, set -Djdk.test.lib.artifacts.nsslib-<platform>=/usr/lib64 in openjdk.mk for jdk_security3
  • try to see if we can just use $(OS)-$(ARCH) for platform. That is, -Djdk.test.lib.artifacts.nsslib-$(OS)-$(ARCH)=/usr/lib64

@LongyuZhang could you help with this issue? Thanks

llxia avatar Feb 22 '24 22:02 llxia
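
The label check and option construction proposed in the last comment, as an added sketch that is not aqa-tests code and does not come from any participant in this thread. The function names, the `libnss3.so` presence check and the `<platform>` value passed in are assumptions; the thread leaves open which platform string the test library expects.

```shell
#!/bin/sh
# Added example, not project code. Function and variable names are hypothetical.

FIPS_LABEL="ci.role.test.fips"   # machine label named in the thread
DEFAULT_NSS_DIR="/usr/lib64"     # RHEL library location quoted in the thread

# has_label LABELS WANTED
# Exact match against a space-separated label list, so "ci.role.test" or
# "ci.role.test.fips2" is not mistaken for the FIPS label.
has_label() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# nss_jtreg_opt LABELS PLATFORM [NSS_DIR]
# Prints the JVM option and returns 0 only when the machine carries the FIPS
# label and NSS_DIR contains libnss3.so (assumed presence check). Otherwise
# it writes the reason to stderr and returns 1, so a skipped PKCS11 run
# leaves a trace in the build log instead of passing silently.
nss_jtreg_opt() {
    labels=$1
    platform=$2                  # assumption: caller supplies the <platform> token
    nss_dir=${3:-$DEFAULT_NSS_DIR}

    if ! has_label "$labels" "$FIPS_LABEL"; then
        echo "nsslib option not set: no $FIPS_LABEL label; PKCS11 nss tests will be skipped" >&2
        return 1
    fi
    if [ ! -e "$nss_dir/libnss3.so" ]; then
        echo "nsslib option not set: libnss3.so not found in $nss_dir" >&2
        return 1
    fi
    printf '%s\n' "-Djdk.test.lib.artifacts.nsslib-${platform}=${nss_dir}"
}
```

A pipeline step could call it with the node's label list (for example Jenkins' `NODE_LABELS`, assumed here) and append the output to the JVM options only when the function returns 0.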