Update the ProblemList-fips for JDK17 for FIPS extended.openjdk and s… #120
There are 4 specific providers in FIPS mode; tests that use other non-FIPS providers, like SunJCE or SunRsaSign, etc., will fail. Those failed tests should be added to ProblemList-fips.txt so that they will not be run in FIPS mode testing. Problem list details can be found in issue #116.
3b5cf02 to 12eb995
12eb995 to f968474
@alon-sh could you please review the PR? Thanks
5840caf to 8bba783
Questions:

Non-Approved mode in FIPS mode
com/sun/crypto/provider/Cipher/AEAD/GCMBufferTest.java #116 linux-x64
Even though AES-GCM is not FIPS certified, we should still fix any functional issues.

For these:
P11Signature Unknown mechanism
java/security/Signature/SignatureLength.java #116 linux-x64
No cipher suites in common
com/sun/jndi/ldap/LdapCBPropertiesTest.java #116 linux-x64
explain what is the problem.

Lines 534 - 537 are duplicates.

These:
MessageDigest, Signature Engines are not supported in FIPS mode
java/security/MessageDigest/TestCloneable.java #116 linux-x64
MessageDigest and Signature are supported in FIPS mode - please explain what is the problem.

These:
Related to CKR_ENCRYPTED_DATA_LEN_RANGE
javax/crypto/CipherSpi/ResetByteBuffer.java.ResetByteBuffer #116 linux-x64
explain what is the problem. I believe Bruce already looked at this issue - just give more info.
java/security/Provider/NewInstance.java 116 linux-x64
com/sun/jndi/ldap/LdapCBPropertiesTest.java 116 linux-x64
java/security/MessageDigest/TestCloneable.java 116 linux-x64
javax/crypto/CipherSpi/ResetByteBuffer.java.ResetByteBuffer 116 linux-x64
@taoliult please comment on the issue above, I think you worked on it.
@WilburZjh please update the excluded test list with the explanations you have above. Also why is java/security/Signature/SignatureLength.java excluded?
8bba783 to 70d68cb
I removed SignatureLength.java from the excluded list; it needs to be investigated in detail.
The failures for AES-GCM are also removed from this excluded list, and an issue is created for these failures. These failures are related to the P11Cipher. They need to be investigated later in detail.
For the test “javax/crypto/CipherSpi/ResetByteBuffer.java.ResetByteBuffer”, the failure occurs at the code “c.update(in, out);”. The exception is

From the P11Cipher code at line 191, when the cipher algorithm starts with “AES”, then “blockSize = 16;”. For the “c.update(in, out);” method, when the cipher is in Cipher.DECRYPT_MODE and “in.limit” is not set to a multiple of 16, the CKR_ENCRYPTED_DATA_LEN_RANGE exception will be thrown from P11Cipher. In the “ResetByteBuffer” test, the data length is 1500, so data.length / 2 is 750, which is not a multiple of 16, so the exception happens.

The latest PKCS#11 Cryptographic Token Interface Base Specification Version 3.0 (https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html) explains this error:

CKR_ENCRYPTED_DATA_LEN_RANGE: The ciphertext input to a decryption operation has been determined to be invalid ciphertext solely on the basis of its length. Depending on the operation’s mechanism, this could mean that the ciphertext is too short, too long, or is not a multiple of some particular block size.

For this test case, the ciphertext input is not a multiple of some particular block size. So CKR_ENCRYPTED_DATA_LEN_RANGE will be returned from the methods C_Decrypt, C_DecryptUpdate, C_DecryptFinal, and other decrypt methods. The PKCS11 spec defines this ciphertext input check, and the test case is not designed for the P11Cipher, so we can add this test to the exclude list.
Thank you - @WilburZjh please add a two sentence summary of what Bruce mentioned to the test list regarding that one failing test. Once that's done, it looks good and can be merged.
70d68cb to 0d26199
Updated in the ProblemList-fips.txt file.
Pls fix the trailing whitespace so the check can pass.
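Both mechanical points raised in review above (duplicate entries and trailing whitespace) can be caught before pushing with a check along these lines. This is an added example, not part of the PR or the project's tooling; it assumes the three-field entry layout quoted in this thread (test path, issue reference, platform), and the sample text is constructed.

```python
# Constructed sample in the three-field layout quoted in this thread.
# The second LdapCBPropertiesTest line is a deliberate duplicate, the
# TestCloneable line ends with a space, and the last line lacks fields.
SAMPLE = (
    "# No cipher suites in common\n"
    "com/sun/jndi/ldap/LdapCBPropertiesTest.java #116 linux-x64\n"
    "com/sun/jndi/ldap/LdapCBPropertiesTest.java #116 linux-x64\n"
    "\n"
    "# Related to CKR_ENCRYPTED_DATA_LEN_RANGE\n"
    "javax/crypto/CipherSpi/ResetByteBuffer.java.ResetByteBuffer #116 linux-x64\n"
    "java/security/MessageDigest/TestCloneable.java #116 linux-x64 \n"
    "java/security/Provider/NewInstance.java\n"
)


def lint_problem_list(text):
    """Return a list of (line_number, problem) tuples for one file."""
    findings = []
    seen = {}  # (test, platform) -> line number of first occurrence
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw != raw.rstrip():
            findings.append((lineno, "trailing whitespace"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment headers carry no entry
        fields = line.split()
        if len(fields) != 3:
            findings.append((lineno, "expected 3 fields, got %d" % len(fields)))
            continue
        test, _issue, platforms = fields
        # Assumption: several platforms may be comma-separated in one entry.
        for platform in platforms.split(","):
            key = (test, platform)
            if key in seen:
                findings.append((lineno, "duplicate of line %d" % seen[key]))
            else:
                seen[key] = lineno
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_problem_list(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```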
…anity.openjdk test Signed-off-by: Jinhang Zhang <Jinhang.Zhang@ibm.com>
0d26199 to 09b984a
updated
Merging after Alon's review.
sanity.openjdk passed.
Looking at extended.openjdk - looks like some of those failures should have been put on the exclusion list - e.g. all the failures that say
@WilburZjh are we missing some exclusion lists? See https://hyc-runtimes-jenkins.swg-devops.com/job/Test_openjdk17_j9_extended.openjdk_x86-64_linux_fips/7/consoleText - looks like mostly failures of tests that should be excluded. FYI @llxia @Mesbah-Alam
An update, here is the PR.
Running extended.openjdk with the updated exclude list.
Last grinder has 13 + 91 + 90 = 194 failures.
@WilburZjh please look at those additional failures and create another problem exclusion list. @taoliult FYI please assist @WilburZjh
…er-3 Port 5 patches from Java 11 z/OS for sun/security and crypto/provider
…anity.openjdk test
Signed-off-by: Jinhang Zhang Jinhang.Zhang@ibm.com