JDK-8361711

Add library name configurability to PKCS11Test.java


        I have been testing OpenJDK with the Kryoptic PKCS11 soft token (https://github.com/latchset/kryoptic) by running the jtreg PKCS11 tests (test/jdk/sun/security/pkcs11) against it, for evaluation purposes.

        I am mostly able to use PKCS11Test.java as-is, but I found a need to pass in a different library name, and different default and sensitive configuration files.

        My test directory, /tmp/kryoptic-configuration/, has:

        /tmp/kryoptic-configuration/
        ├── libkryoptic_pkcs11.so
        └── nss
            ├── db
            │   ├── cert9.db
            │   ├── key4.db
            │   └── kryoptic.conf
            ├── p11-nss-sensitive.txt
            └── p11-nss.txt

        In my locally-patched JDK tree I am passing to jtreg:

        -javaoption:-DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11
        -javaoption:-Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration
        -javaoption:-DCUSTOM_P11_CONFIG_BASE_DIR=/tmp/kryoptic-configuration

        To support this use case upstream, I would like PKCS11Test.java to read two new system properties:

        CUSTOM_P11_LIBRARY_NAME, to allow overriding nss_library from the command line; this is the library name that PKCS11Test.java searches for under the directory specified by jdk.test.lib.artifacts.nsslib-linux_x64

        and:

        CUSTOM_P11_BASE_DIR, to allow specifying a custom provider configuration file hierarchy, including nss/p11-nss.txt and nss/p11-nss-sensitive.txt.

              fitzsim Thomas Fitzsimmons
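A pre-flight check for the directory layout and jtreg options described in this issue, as an added example (not code from the issue or from OpenJDK). The function name `p11_jtreg_opts` is hypothetical, and the refusal of a world-writable module is an addition motivated by the directory living under /tmp. It assumes the Linux `lib<name>.so` naming shown in the tree above and uses the `CUSTOM_P11_CONFIG_BASE_DIR` spelling from the jtreg command line.

```shell
#!/bin/sh
# Added example: pre-flight check for a custom PKCS#11 test directory.
# Layout and property names follow the issue text; the function name
# p11_jtreg_opts is hypothetical.

# Usage: p11_jtreg_opts BASE_DIR LIBRARY_NAME
# Prints one -javaoption per line on success; on failure, reports each
# problem on stderr and returns 1.
p11_jtreg_opts() {
    base=$1
    name=$2
    rc=0

    # Assumption: Linux naming, where a library name maps to lib<name>.so
    lib="$base/lib$name.so"

    # Report every missing file, not just the first one.
    for f in "$lib" \
             "$base/nss/p11-nss.txt" \
             "$base/nss/p11-nss-sensitive.txt"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            rc=1
        fi
    done

    # The module is loaded into the test JVM, so refuse one that any
    # local user could overwrite.
    if [ -f "$lib" ] && [ -n "$(find "$lib" -perm -0002)" ]; then
        echo "world-writable: $lib" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] || return 1

    printf '%s\n' \
        "-javaoption:-DCUSTOM_P11_LIBRARY_NAME=$name" \
        "-javaoption:-Djdk.test.lib.artifacts.nsslib-linux_x64=$base" \
        "-javaoption:-DCUSTOM_P11_CONFIG_BASE_DIR=$base"
}

# Example: p11_jtreg_opts /tmp/kryoptic-configuration kryoptic_pkcs11
```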