duplicit FIPSKeysImporter tests, one for el10, the other for everything else..#39
Conversation
| * @test | ||
| * @summary Test for RH1991003 - FIPS keys importer | ||
| * @requires (jdk.version.major >= 8) | ||
| * @requires os.version ~= ".*el10.*" |
There was a problem hiding this comment.
Whhere os version comes from?
Maybe split (add) better to https://github.com/rh-openjdk/jtreg-buffer/blob/550b97dd723545023993673648bbb3209cb87333/test/VarDeps.java so we can have os.name aka el, rhel, fedora... and os.versionNUmber ala 10.... And amyeb contribntue this to usptream?
In that moment there would be possibled to have os.versionNuimber >= 10 and we would be safe for next years.... @zzambers wdyt?
There was a problem hiding this comment.
the os.version is a java property.. you can try the output (as did I) via System.getProperty("os.version"), I was not able to manage any kind of splitting inside the jtreg annotations :( the syntax is quite strict and I am glad that I was able to at least narrow like this
same with fips.. other than the ugly hack you guys are using with OTOOL fips variable, I was not able to detect the fips environment on its own inside the jtreg annotations.. unless we are able to do it, I don't think we can hope to propagate this to upstream
There was a problem hiding this comment.
This https://github.com/rh-openjdk/jtreg-buffer/blob/main/test/VarDeps.java is what you were supposed to enhance. And larter backportt it o upstream...
| /* | ||
| * @test | ||
| * @summary Test for RH1991003 - FIPS keys importer | ||
| * @requires !(os.version ~= ".*el10.*") |
There was a problem hiding this comment.
Otherwise nice solution.. bad luck it may bite any time soon.... Eg dsa disapearing en el9, or need of el11 ....
There was a problem hiding this comment.
well it should not dissapear on already existing rhels.. we shall see in the future, but my guess is that DSA will be decomissioned since el10 fips and el11 non-fips.. but older rhels will support it just fine
| //doTestSignature("SHA1withDSA", rootCA0.getPrivateKey(JKS_ORIGIN), | ||
| // rootCA0.getPublicKey(JKS_ORIGIN)); | ||
|
|
||
| TestCA rootCA1 = cas.get("root_ca_1"); |
There was a problem hiding this comment.
I will leave on @zzambers how correct the algorithm listing is correct/enough. If you discussed with him, klet me know. TY!
There was a problem hiding this comment.
I think change is correct (removing DSA on rhel10, keeping others). I don't think there is anything more to be done (at least at this point).
|
Btw the fips condition seems to bne missing...? |
|
I need to redo the VarDeps to be jdk8 compatible |
| * @test | ||
| * @summary Test for RH1991003 - FIPS keys importer | ||
| * @requires os.version ~= ".*el10.*" | ||
| * @requires var.os.version.major >= 10 & var.sys.fips == "true" |
There was a problem hiding this comment.
Great!
Feel free to correct me, but the "el" check shouldstay, right? So you may match & os.version ~= ".*el.*" or add some var.os.version.name ?
There was a problem hiding this comment.
sorry I thought that rhel/fedora were the only OSes to feature fips.. okay.. I shall reinstate it.. I think that var.os.version.name would be unnecessary since I can just use this regex..
| * @run main/othervm/timeout=30 FIPSKeysImporterDSA | ||
| */ | ||
|
|
||
| public final class FIPSKeysImporterDSA { |
There was a problem hiding this comment.
One more thing - there is quite a lot of code shared between FipsKeysImporter*.java files. Any desire to share the code?
There was a problem hiding this comment.
Well honestly it was not my desire to do that, but fine :D
There was a problem hiding this comment.
Nn. I do not insits at all. It brings another ttroubles. Feel free to extract only some, aor none at all
There was a problem hiding this comment.
It depends on your judgement of possible complexity removal/aditional and pros and cons of the selected shared logic.
There was a problem hiding this comment.
Jdk8 adjustion have priority....
trying to mitigate duplicated code in FIPSKeysImporter classes
|
I just found out that this is not ready yet as is, in case it hits the el10 & fips combination it still triggers the DSA variant for some reason.. EDIT: nevermind.. I accidentaly force changed the msys variable on the line above instead of the fips one.. all good to merge |
| import javax.net.ssl.SSLParameters; | ||
| import javax.net.ssl.SSLSession; | ||
| import javax.net.ssl.TrustManagerFactory; | ||
| import javax.net.ssl.SSLEngineResult.HandshakeStatus; |
There was a problem hiding this comment.
I think nearly all imports are in FipsKesIMporter.java
There was a problem hiding this comment.
yep... all of them actually.. NOW it should be OK :D sorry
|
I wanted to squash and merge, but then I noticed that non of the two tests is visible in GH - eg: https://github.com/rh-openjdk/jtreg-buffer/actions/runs/18463464820/job/52599940744?pr=39 IS it expected? |
|
Looks ok to me. I think another alternative would be to pass different arg to test class on different systems (just having separate |
|
I can only comment. Seems I don't have rights in this repo to approve. :) |
Thats what i thought Jirik will do, but he did this.. so I was not nitpicking more... |
test/VarDeps.java
Outdated
| // Could not read flag — assume non-FIPS | ||
| } finally { | ||
| if (br != null) { | ||
| try { br.close(); } catch (IOException ignored) {} |
There was a problem hiding this comment.
Btw. you could make use of try-with-resources here (jdk7+, I think), to make it a bit more elegant / less error prone.
There was a problem hiding this comment.
oh yeah.. I vaguely remember this from school :D sorry
with the ".el." filter it only runs on el systems -> not in GH actions |
|
That do not seem right. |
|
yeah, it definitely should.. fix would be something like: translated to common speech would be "we require for it to be FIPS AND (for it to NOT be RHEL OR be at least of os.version 10)" |
- redone the logic statements in require to allow non-el OSes
|
@judovana OK, now!! |
4 participants
SSIA, was done due to the fact that DSA is being decomissioned from fips systems starting el10
tested on ojdk17 on both el8 & 10