- Type: Enhancement
- Resolution: Unresolved
- Priority: P4
I have been testing OpenJDK with the Kryoptic PKCS11 soft token (https://github.com/latchset/kryoptic) by running the jtreg PKCS11 tests (test/jdk/sun/security/pkcs11) against it, for evaluation purposes.
I am mostly able to use PKCS11Test.java as-is, but I found a need to pass in a different library name, and different default and sensitive configuration files.
My test directory, /tmp/kryoptic-configuration/, has:
/tmp/kryoptic-configuration/
├── db
│ ├── cert9.db
│ └── key4.db
├── kryoptic.conf
├── libkryoptic_pkcs11.so
├── p11-kryoptic-sensitive.txt
└── p11-kryoptic.txt
In my locally-patched JDK tree I am passing to jtreg:
-javaoption:-DCUSTOM_P11_LIBRARY_NAME=kryoptic_pkcs11
-javaoption:-Djdk.test.lib.artifacts.nsslib-linux_x64=/tmp/kryoptic-configuration
-javaoption:-DCUSTOM_DB_DIR=/tmp/kryoptic-configuration
-javaoption:-DCUSTOM_P11_CONFIG=/tmp/kryoptic-configuration/p11-kryoptic.txt
To support this use case upstream, I would like PKCS11Test.java to read two new system properties:
CUSTOM_P11_LIBRARY_NAME, to allow overriding nss_library from the command line; this is the library name that PKCS11Test.java searches for under the directory specified by jdk.test.lib.artifacts.nsslib-linux_x64
and:
CUSTOM_P11_CONFIG_VARIANT (expected to be either unset or set to "sensitive"), to support tests that hard-code references to p11-nss-sensitive.txt, for example:
@run main/othervm -DCUSTOM_P11_CONFIG_NAME=p11-nss-sensitive.txt TestP11KeyFactoryGetRSAKeySpec
Such tests would be changed to use:
@run main/othervm -DCUSTOM_P11_CONFIG_VARIANT=sensitive TestP11KeyFactoryGetRSAKeySpec
and PKCS11Test.java would use the sensitive configuration file variant corresponding to CUSTOM_P11_CONFIG or CUSTOM_P11_CONFIG_NAME.
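The property resolution the report asks for, written out as an added illustration (this is not code from PKCS11Test.java or from the linked review; the class name, the helper methods, the "softokn3" default library name and the fallback to `test.src` are assumptions). It derives the library file from CUSTOM_P11_LIBRARY_NAME plus the nsslib artifact directory, and derives the sensitive variant of the configuration file from CUSTOM_P11_CONFIG or CUSTOM_P11_CONFIG_NAME when CUSTOM_P11_CONFIG_VARIANT=sensitive, rejecting any other variant value:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/**
 * Sketch of the property resolution proposed in this issue. Added example,
 * not the code of PKCS11Test.java; helper names and defaults are assumptions.
 */
public class P11ConfigResolver {

    // Assumed defaults: the NSS softokn library and its default config file name.
    static final String DEFAULT_LIBRARY = "softokn3";
    static final String DEFAULT_CONFIG_NAME = "p11-nss.txt";

    final String libraryName;
    final Path libraryDir;
    final Path configFile;

    P11ConfigResolver(Properties p) {
        // CUSTOM_P11_LIBRARY_NAME overrides nss_library (e.g. kryoptic_pkcs11).
        libraryName = p.getProperty("CUSTOM_P11_LIBRARY_NAME", DEFAULT_LIBRARY);
        // Directory searched for the library; the jtreg artifact property from the report.
        String dir = p.getProperty("jdk.test.lib.artifacts.nsslib-linux_x64");
        libraryDir = dir == null ? null : Paths.get(dir);
        // CUSTOM_P11_CONFIG (full path) wins over CUSTOM_P11_CONFIG_NAME (file name,
        // assumed relative to test.src); the variant is applied to whichever was chosen.
        String full = p.getProperty("CUSTOM_P11_CONFIG");
        String name = p.getProperty("CUSTOM_P11_CONFIG_NAME", DEFAULT_CONFIG_NAME);
        Path base = full != null
                ? Paths.get(full)
                : Paths.get(p.getProperty("test.src", "."), name);
        configFile = applyVariant(base, p.getProperty("CUSTOM_P11_CONFIG_VARIANT"));
    }

    /** p11-foo.txt + "sensitive" -> p11-foo-sensitive.txt; unset variant -> unchanged. */
    static Path applyVariant(Path config, String variant) {
        if (variant == null || variant.isEmpty()) {
            return config;
        }
        if (!variant.equals("sensitive")) {
            // Only "sensitive" is defined by the proposal; fail loudly on anything else.
            throw new IllegalArgumentException(
                    "unsupported CUSTOM_P11_CONFIG_VARIANT: " + variant);
        }
        String fn = config.getFileName().toString();
        int dot = fn.lastIndexOf('.');
        String stem = dot < 0 ? fn : fn.substring(0, dot);
        String ext = dot < 0 ? "" : fn.substring(dot);
        if (stem.endsWith("-sensitive")) {
            return config; // already the sensitive file, do not double the suffix
        }
        String out = stem + "-sensitive" + ext;
        Path parent = config.getParent();
        return parent == null ? Paths.get(out) : parent.resolve(out);
    }

    /** Platform library file name under the artifact directory, e.g. libkryoptic_pkcs11.so. */
    Path libraryPath() {
        String file = System.mapLibraryName(libraryName);
        return libraryDir == null ? Paths.get(file) : libraryDir.resolve(file);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the -javaoption values in the report.
        Properties p = new Properties();
        p.setProperty("CUSTOM_P11_LIBRARY_NAME", "kryoptic_pkcs11");
        p.setProperty("jdk.test.lib.artifacts.nsslib-linux_x64", "/tmp/kryoptic-configuration");
        p.setProperty("CUSTOM_P11_CONFIG", "/tmp/kryoptic-configuration/p11-kryoptic.txt");

        P11ConfigResolver plain = new P11ConfigResolver(p);
        System.out.println("library: " + plain.libraryPath());
        System.out.println("config:  " + plain.configFile);

        // The proposed @run form: -DCUSTOM_P11_CONFIG_VARIANT=sensitive
        p.setProperty("CUSTOM_P11_CONFIG_VARIANT", "sensitive");
        System.out.println("config:  " + new P11ConfigResolver(p).configFile);

        // The old NSS-only form that the variant property is meant to replace.
        Properties nss = new Properties();
        nss.setProperty("CUSTOM_P11_CONFIG_NAME", "p11-nss-sensitive.txt");
        System.out.println("config:  " + new P11ConfigResolver(nss).configFile);
    }
}
```

With the report's values this resolves the library to /tmp/kryoptic-configuration/libkryoptic_pkcs11.so and the configuration to p11-kryoptic.txt or, with the variant set, p11-kryoptic-sensitive.txt, which are exactly the files in the directory listing above. Passing a `Properties` object rather than reading `System.getProperty` directly keeps the resolution unit-testable; in PKCS11Test.java itself the same logic would read the system properties.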
Links to: Review(master) openjdk/jdk/26325