# HG changeset patch

# User weijun

# Date 1513099798 -28800

#      Wed Dec 13 01:29:58 2017 +0800

# Node ID aa8f2e25f003feddf362892b2820fa2839c854b6

# Parent  9ebb70cb99a472b5fee9ac08240b7979468c2fa5

8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite

Reviewed-by: weijun

Contributed-by: Martin Balao <mbalao@redhat.com>

diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java

--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java

+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java

@@ -196,13 +196,23 @@

         }

         if (configDir != null) {

-            File configBase = new File(configDir);

-            if (configBase.isDirectory() == false ) {

-                throw new IOException("configDir must be a directory: " + configDir);

+            String configDirPath = null;

+            String sqlPrefix = "sql:/";

+            if (!configDir.startsWith(sqlPrefix)) {

+                configDirPath = configDir;

+            } else {

+                StringBuilder configDirPathSB = new StringBuilder(configDir);

+                configDirPath = configDirPathSB.substring(sqlPrefix.length());

             }

-            File secmodFile = new File(configBase, "secmod.db");

-            if (secmodFile.isFile() == false) {

-                throw new FileNotFoundException(secmodFile.getPath());

+            File configBase = new File(configDirPath);

+            if (configBase.isDirectory() == false ) {

+                throw new IOException("configDir must be a directory: " + configDirPath);

+            }

+            if (!configDir.startsWith(sqlPrefix)) {

+                File secmodFile = new File(configBase, "secmod.db");

+                if (secmodFile.isFile() == false) {

+                    throw new FileNotFoundException(secmodFile.getPath());

+                }

             }

         }

diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE openjdk/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE

new file mode 100644

--- /dev/null

+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE

@@ -0,0 +1,8 @@

+// How to create key4.db and cert9.db

+cd <path-for-db>

+echo "" > 1

+echo "test12" > 2

+modutil -create -force -dbdir sql:/$(pwd)

+modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/$(pwd)

+modutil -changepw "NSS Certificate DB" -force -dbdir sql:/$(pwd) -pwfile $(pwd)/1 -newpwfile $(pwd)/2

+

diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java openjdk/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java

new file mode 100644

--- /dev/null

+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java

@@ -0,0 +1,134 @@

+/*

+ * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates.

+ *

+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ *

+ * This code is free software; you can redistribute it and/or modify it

+ * under the terms of the GNU General Public License version 2 only, as

+ * published by the Free Software Foundation.

+ *

+ * This code is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ * version 2 for more details (a copy is included in the LICENSE file that

+ * accompanied this code).

+ *

+ * You should have received a copy of the GNU General Public License version

+ * 2 along with this work; if not, write to the Free Software Foundation,

+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ *

+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ * or visit www.oracle.com if you need additional information or have any

+ * questions.

+ */

+

+/*

+ * @test

+ * @bug 8165996

+ * @summary Test NSS DB Sqlite

+ * @library ../

+ * @modules java.base/sun.security.rsa

+ *          java.base/sun.security.provider

+ *          java.base/sun.security.jca

+ *          java.base/sun.security.tools.keytool

+ *          java.base/sun.security.x509

+ *          java.base/com.sun.crypto.provider

+ *          jdk.crypto.cryptoki/sun.security.pkcs11:+open

+ * @run main/othervm/timeout=120 TestNssDbSqlite

+ * @author Martin Balao (mbalao@redhat.com)

+ */

+

+import java.security.PrivateKey;

+import java.security.cert.Certificate;

+import java.security.KeyStore;

+import java.security.Provider;

+import java.security.Signature;

+

+import sun.security.rsa.SunRsaSign;

+import sun.security.jca.ProviderList;

+import sun.security.jca.Providers;

+import sun.security.tools.keytool.CertAndKeyGen;

+import sun.security.x509.X500Name;

+

+public final class TestNssDbSqlite extends SecmodTest {

+

+    private static final boolean enableDebug = true;

+

+    private static Provider sunPKCS11NSSProvider;

+    private static Provider sunRsaSignProvider;

+    private static Provider sunJCEProvider;

+    private static KeyStore ks;

+    private static char[] passphrase = "test12".toCharArray();

+    private static PrivateKey privateKey;

+    private static Certificate certificate;

+

+    public static void main(String[] args) throws Exception {

+

+        initialize();

+

+        if (enableDebug) {

+            System.out.println("SunPKCS11 provider: " +

+                sunPKCS11NSSProvider);

+        }

+

+        testRetrieveKeysFromKeystore();

+

+        System.out.println("Test PASS - OK");

+    }

+

+    private static void testRetrieveKeysFromKeystore() throws Exception {

+

+        String plainText = "known plain text";

+

+        ks.setKeyEntry("root_ca_1", privateKey, passphrase,

+                new Certificate[]{certificate});

+        PrivateKey k1 = (PrivateKey) ks.getKey("root_ca_1", passphrase);

+

+        Signature sS = Signature.getInstance(

+                "SHA256withRSA", sunPKCS11NSSProvider);

+        sS.initSign(k1);

+        sS.update(plainText.getBytes());

+        byte[] generatedSignature = sS.sign();

+

+        if (enableDebug) {

+            System.out.println("Generated signature: ");

+            for (byte b : generatedSignature) {

+                System.out.printf("0x%02x, ", (int)(b) & 0xFF);

+            }

+            System.out.println("");

+        }

+

+        Signature sV = Signature.getInstance("SHA256withRSA", sunRsaSignProvider);

+        sV.initVerify(certificate);

+        sV.update(plainText.getBytes());

+        if(!sV.verify(generatedSignature)){

+            throw new Exception("Couldn't verify signature");

+        }

+    }

+

+    private static void initialize() throws Exception {

+        initializeProvider();

+    }

+

+    private static void initializeProvider () throws Exception {

+        useSqlite(true);

+        if (!initSecmod()) {

+            return;

+        }

+

+        sunPKCS11NSSProvider = getSunPKCS11(BASE + SEP + "nss-sqlite.cfg");

+        sunJCEProvider = new com.sun.crypto.provider.SunJCE();

+        sunRsaSignProvider = new SunRsaSign();

+        Providers.setProviderList(ProviderList.newList(

+                sunJCEProvider, sunPKCS11NSSProvider,

+                new sun.security.provider.Sun(), sunRsaSignProvider));

+

+        ks = KeyStore.getInstance("PKCS11-NSS-Sqlite", sunPKCS11NSSProvider);

+        ks.load(null, passphrase);

+

+        CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");

+        gen.generate(2048);

+        privateKey = gen.getPrivateKey();

+        certificate = gen.getSelfCertificate(new X500Name("CN=Me"), 365);

+    }

+}

diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg openjdk/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg

new file mode 100644

--- /dev/null

+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg

@@ -0,0 +1,13 @@

+# config file for secmod KeyStore access using sqlite backend

+

+name = NSS-Sqlite

+

+nssLibraryDirectory = ${pkcs11test.nss.libdir}

+

+nssDbMode = readWrite

+

+nssModule =  keystore

+

+nssSecmodDirectory = ${pkcs11test.nss.db}

+

+attributes = compatibility

diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java

--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java

+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java

@@ -34,6 +34,11 @@

     static String DBDIR;

     static char[] password = "test12".toCharArray();

     static String keyAlias = "mykey";

+    static boolean useSqlite = false;

+

+    static void useSqlite(boolean b) {

+        useSqlite = b;

+    }

     static boolean initSecmod() throws Exception {

         useNSS();

@@ -49,14 +54,24 @@

         safeReload(LIBPATH + System.mapLibraryName("nssckbi"));

         DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";

-        System.setProperty("pkcs11test.nss.db", DBDIR);

+        if (useSqlite) {

+            System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);

+        } else {

+            System.setProperty("pkcs11test.nss.db", DBDIR);

+        }

         File dbdirFile = new File(DBDIR);

         if (dbdirFile.exists() == false) {

             dbdirFile.mkdir();

         }

-        copyFile("secmod.db", BASE, DBDIR);

-        copyFile("key3.db", BASE, DBDIR);

-        copyFile("cert8.db", BASE, DBDIR);

+

+        if (useSqlite) {

+            copyFile("key4.db", BASE, DBDIR);

+            copyFile("cert9.db", BASE, DBDIR);

+        } else {

+            copyFile("secmod.db", BASE, DBDIR);

+            copyFile("key3.db", BASE, DBDIR);

+            copyFile("cert8.db", BASE, DBDIR);

+        }

         return true;

     }