-
Notifications
You must be signed in to change notification settings - Fork 5
wolfjsse netty-tests #6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
JeremiahM37
wants to merge
1
commit into
wolfSSL:main
Choose a base branch
from
JeremiahM37:netty-tests
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+1,206
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
212 changes: 212 additions & 0 deletions
212
java/wolfssl-openjdk-fips-root/test-images/netty-tests/Dockerfile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,212 @@ | ||
| # ============================================================================== | ||
| # Netty SSL Test Image with wolfJSSE - FIPS Mode | ||
| # ============================================================================== | ||
| # Runs Netty SSL tests with wolfJSSE in FIPS mode, OpenSSL disabled. | ||
| # | ||
| # Test Modules: | ||
| # - handler: All SSL handler tests (OpenSSL tests patched to skip) | ||
| # - handler-proxy: Proxy handler tests (including HTTPS proxy) | ||
| # - testsuite: Integration tests (SSL transport tests) | ||
| # | ||
| # Build: docker build -t netty-wolfjsse:latest . | ||
| # ============================================================================== | ||
|
|
||
| ARG FIPS_BASE_IMAGE=wolfssl-openjdk-fips-root:latest | ||
| ARG NETTY_REPO=https://github.com/netty/netty.git | ||
| # Pin to a specific Netty release tag for reproducible builds | ||
| ARG NETTY_TAG=netty-4.1.115.Final | ||
|
|
||
| # ------------------------------------------------------------------------------ | ||
| # Stage 1: Build Netty with patches | ||
| # ------------------------------------------------------------------------------ | ||
| FROM rootpublic/openjdk:19-jdk-bookworm-slim AS netty-builder | ||
|
|
||
| RUN apt-get update && apt-get install -y build-essential maven git perl && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| ENV MAVEN_OPTS="-Xmx2048m" | ||
| ENV JAVA_HOME=/usr/local/openjdk-19 | ||
| ENV PATH=$JAVA_HOME/bin:$PATH | ||
|
|
||
| WORKDIR /app/netty | ||
| ARG NETTY_REPO | ||
| ARG NETTY_TAG | ||
| # Clone specific release tag (shallow clone for speed) | ||
| RUN git clone --depth 1 --branch ${NETTY_TAG} ${NETTY_REPO} . | ||
|
|
||
| # Copy patching script | ||
| COPY apply_netty_fips_fixes.sh /tmp/apply_netty_fips_fixes.sh | ||
|
|
||
| # Apply FIPS compatibility fixes | ||
| RUN chmod +x /tmp/apply_netty_fips_fixes.sh && /tmp/apply_netty_fips_fixes.sh /app/netty | ||
|
|
||
| # Build handler, handler-proxy, and testsuite with all dependencies | ||
| RUN ./mvnw clean install -DskipTests -Dcheckstyle.skip=true -Djapicmp.skip=true -Danimal.sniffer.skip=true \ | ||
| -pl handler,handler-proxy,transport-sctp,transport-udt,testsuite -am -T 1C | ||
|
|
||
| # Resolve all test dependencies | ||
| RUN ./mvnw dependency:resolve -DincludeScope=test -pl handler,handler-proxy,transport-sctp,transport-udt,testsuite -am | ||
| RUN ./mvnw dependency:resolve-plugins -pl handler,handler-proxy,transport-sctp,transport-udt,testsuite | ||
| RUN ./mvnw dependency:get -Dartifact=org.apache.maven.surefire:surefire-junit-platform:3.5.3 | ||
| RUN ./mvnw dependency:get -Dartifact=org.apache.maven.surefire:surefire-junit-platform:2.22.2 | ||
| RUN ./mvnw dependency:get -Dartifact=org.apache.maven.surefire:surefire-api:2.22.2 | ||
| RUN ./mvnw dependency:get -Dartifact=org.junit.platform:junit-platform-launcher:1.10.2 | ||
| RUN ./mvnw test-compile -Dcheckstyle.skip=true -Danimal.sniffer.skip=true -pl handler,handler-proxy,transport-sctp,transport-udt,testsuite -am | ||
|
|
||
| # ------------------------------------------------------------------------------ | ||
| # Stage 2: Runtime Image (FIPS base) | ||
| # ------------------------------------------------------------------------------ | ||
| FROM ${FIPS_BASE_IMAGE} | ||
|
|
||
| RUN apt-get update && apt-get install -y maven git && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| COPY --from=netty-builder /app/netty /app/netty | ||
| COPY --from=netty-builder /root/.m2 /root/.m2 | ||
|
|
||
| # Clone wolfSSL example certs directly from repo (sparse checkout) | ||
| RUN git clone --depth 1 --filter=blob:none --sparse https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl && \ | ||
| cd /tmp/wolfssl && \ | ||
| git sparse-checkout set certs && \ | ||
| cp -r certs /app/certs && \ | ||
| rm -rf /tmp/wolfssl | ||
|
|
||
| # Fix wolfSSL cert files: they contain text dump THEN PEM data, but Java needs pure PEM | ||
| # Extract only the PEM portion (from -----BEGIN to -----END) for each cert/key file | ||
| RUN for f in /app/certs/*.pem; do \ | ||
| if grep -q "BEGIN" "$f" 2>/dev/null; then \ | ||
| sed -n '/-----BEGIN/,/-----END/p' "$f" > "$f.tmp"; \ | ||
| if [ -s "$f.tmp" ]; then mv "$f.tmp" "$f"; else rm -f "$f.tmp"; fi; \ | ||
| fi; \ | ||
| done | ||
|
|
||
| WORKDIR /app/netty | ||
|
|
||
| # FIPS environment | ||
| # Ensure the base image performs its FIPS verification check on container start. | ||
| ENV FIPS_CHECK=true | ||
| ENV MAVEN_OPTS="-Xmx4g -XX:MaxMetaspaceSize=512m -Djava.security.egd=file:/dev/urandom -Dio.netty.handler.ssl.noOpenSsl=true" | ||
|
|
||
| ENV JAVA_TOOL_OPTIONS="-Xbootclasspath/a:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar:/usr/share/java/filtered-providers.jar \ | ||
| -Djava.library.path=/usr/lib/jni:/usr/local/lib \ | ||
| -Dio.netty.handler.ssl.noOpenSsl=true \ | ||
| --add-modules=jdk.crypto.ec \ | ||
| --add-exports=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED \ | ||
| --add-opens=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED \ | ||
| --add-opens=java.base/java.security=ALL-UNNAMED \ | ||
| --add-opens=java.base/sun.security.provider=ALL-UNNAMED \ | ||
| --add-opens=java.base/sun.security.util=ALL-UNNAMED \ | ||
| --add-opens=java.base/sun.security.rsa=ALL-UNNAMED \ | ||
| --add-exports=java.base/sun.security.provider=ALL-UNNAMED \ | ||
| --add-exports=java.base/sun.security.rsa=ALL-UNNAMED \ | ||
| --add-exports=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED" | ||
|
|
||
| # Symlink native libs | ||
| RUN ln -sf /usr/lib/jni/libwolfssljni.so /usr/local/openjdk-19/lib/libwolfssljni.so && \ | ||
| ln -sf /usr/lib/jni/libwolfcryptjni.so /usr/local/openjdk-19/lib/libwolfcryptjni.so && \ | ||
| ln -sf /usr/local/lib/libwolfssl.so /usr/local/openjdk-19/lib/libwolfssl.so | ||
|
|
||
| # Create test runner script | ||
| # Runs handler, handler-proxy, and testsuite modules with aggregate summary | ||
| RUN cat > /app/run-tests.sh <<'EOF' && chmod +x /app/run-tests.sh | ||
| #!/bin/bash | ||
JeremiahM37 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| cd /app/netty | ||
JeremiahM37 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| HANDLER_RESULT=0 | ||
| PROXY_RESULT=0 | ||
| TESTSUITE_RESULT=0 | ||
|
|
||
| RUNS=() | ||
|
|
||
| run_mvn() { | ||
| local name="$1" | ||
| shift | ||
| RUNS+=("$name") | ||
|
|
||
| echo "" | ||
| echo "============================================================" | ||
| echo "=== Running: ${name}" | ||
| echo "============================================================" | ||
|
|
||
| # Run tests and filter out fork cleanup error messages | ||
| # These appear when wolfJSSE native threads don't terminate cleanly | ||
| # but don't indicate actual test failures | ||
| set -o pipefail | ||
| "$@" 2>&1 | tee "/tmp/${name}.raw.log" | grep -v -E \ | ||
| 'ForkStarter|forked process|forked VM terminated|SurefireBooterForkException|ExecutionException|Java heap space|Crashed tests:|There are test failures|dump files|surefire-reports' \ | ||
| | tee "/tmp/${name}.log" | ||
| local rc=${PIPESTATUS[0]} | ||
| set +o pipefail | ||
| return $rc | ||
| } | ||
|
|
||
| extract_summary_line() { | ||
| local name="$1" | ||
| # Read from raw log to get unfiltered summary line | ||
| # surefire sometimes logs with [INFO] or [WARNING] | ||
| grep -E 'Tests run: [0-9]+, Failures: [0-9]+, Errors: [0-9]+, Skipped: [0-9]+' "/tmp/${name}.raw.log" | tail -n 1 || true | ||
| } | ||
|
|
||
| add_totals_from_line() { | ||
| local line="$1" | ||
| if [[ "$line" =~ Tests\ run:\ ([0-9]+),\ Failures:\ ([0-9]+),\ Errors:\ ([0-9]+),\ Skipped:\ ([0-9]+) ]]; then | ||
| TOTAL_RUN=$((TOTAL_RUN + BASH_REMATCH[1])) | ||
| TOTAL_FAIL=$((TOTAL_FAIL + BASH_REMATCH[2])) | ||
| TOTAL_ERR=$((TOTAL_ERR + BASH_REMATCH[3])) | ||
| TOTAL_SKIP=$((TOTAL_SKIP + BASH_REMATCH[4])) | ||
| fi | ||
| } | ||
|
|
||
| # Surefire fork settings to handle native library cleanup timing | ||
| SUREFIRE_OPTS='-DforkCount=1 -DreuseForks=false -Dsurefire.shutdown=exit' | ||
| SUREFIRE_OPTS="$SUREFIRE_OPTS -DforkedProcessExitTimeoutInSeconds=60" | ||
| SUREFIRE_OPTS="$SUREFIRE_OPTS -DforkedProcessTimeoutInSeconds=900" | ||
| SUREFIRE_OPTS="$SUREFIRE_OPTS -DuseSystemClassLoader=false" | ||
| SUREFIRE_OPTS="$SUREFIRE_OPTS -DtrimStackTrace=false" | ||
| ARGLINE_COMMON='-Xmx4g -Dio.netty.allocator.type=unpooled -XX:+ExitOnOutOfMemoryError' | ||
|
|
||
| # Handler module - all SSL tests (OpenSSL tests are patched to skip) | ||
| # -Dmaven.test.failure.ignore=true prevents BUILD FAILURE from fork cleanup issues | ||
| run_mvn "handler" ./mvnw -o test -pl handler -Dcheckstyle.skip=true -Danimal.sniffer.skip=true -Dsurefire.timeout=600 -DfailIfNoTests=false -Dmaven.test.failure.ignore=true $SUREFIRE_OPTS "-DargLine.common=$ARGLINE_COMMON" "$@" || HANDLER_RESULT=1 | ||
|
|
||
| # Handler-Proxy tests (TLS via ProxyHandlerTest) | ||
| run_mvn "handler-proxy" ./mvnw -o test -pl handler-proxy -Dcheckstyle.skip=true -Danimal.sniffer.skip=true -Dsurefire.timeout=120 -DfailIfNoTests=false -Dmaven.test.failure.ignore=true $SUREFIRE_OPTS "-DargLine.common=$ARGLINE_COMMON" "$@" || PROXY_RESULT=1 | ||
|
|
||
| # Testsuite (must stay JDK/wolfJSSE-only; no tcnative/OpenSSL) | ||
| run_mvn "testsuite" ./mvnw -o test -pl testsuite -Dcheckstyle.skip=true -Danimal.sniffer.skip=true -Dsurefire.timeout=300 -DfailIfNoTests=false -Dmaven.test.failure.ignore=true $SUREFIRE_OPTS "-DargLine.common=$ARGLINE_COMMON" "$@" || TESTSUITE_RESULT=1 | ||
|
|
||
| echo "" | ||
| echo "============================================================" | ||
| echo "=== AGGREGATE TEST SUMMARY (all mvn runs) ===" | ||
| echo "============================================================" | ||
|
|
||
| TOTAL_RUN=0 | ||
| TOTAL_FAIL=0 | ||
| TOTAL_ERR=0 | ||
| TOTAL_SKIP=0 | ||
|
|
||
| for name in "${RUNS[@]}"; do | ||
| line="$(extract_summary_line "$name")" | ||
| if [ -z "$line" ]; then | ||
| echo "- ${name}: (no surefire summary line found)" | ||
| else | ||
| echo "- ${name}: ${line}" | ||
| add_totals_from_line "$line" | ||
| fi | ||
| done | ||
|
|
||
| echo "" | ||
| echo "TOTAL: Tests run: ${TOTAL_RUN}, Failures: ${TOTAL_FAIL}, Errors: ${TOTAL_ERR}, Skipped: ${TOTAL_SKIP}" | ||
|
|
||
| echo "" | ||
| echo "========================================" | ||
| echo "=== ALL TESTS COMPLETE ===" | ||
| echo "========================================" | ||
|
|
||
| if [ $HANDLER_RESULT -ne 0 ] || [ $PROXY_RESULT -ne 0 ] || [ $TESTSUITE_RESULT -ne 0 ]; then | ||
| echo "Some tests failed. Check logs above." | ||
| exit 1 | ||
| fi | ||
| EOF | ||
|
|
||
|
|
||
| # Default: run all tests | ||
| CMD ["/app/run-tests.sh"] | ||
27 changes: 27 additions & 0 deletions
27
java/wolfssl-openjdk-fips-root/test-images/netty-tests/README.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Netty wolfJSSE FIPS Test Image | ||
|
|
||
| Runs upstream Netty SSL tests under wolfJSSE in FIPS mode. | ||
|
|
||
| ## Build & Run | ||
|
|
||
| ```bash | ||
| # Build base image first (from wolfssl-openjdk-fips-root/) | ||
| ./build.sh -p <password> --wolfcrypt-jni ./wolfcrypt-jni --wolfssl-jni ./wolfssljni | ||
|
|
||
| # Build and run netty tests | ||
| cd test-images/netty-tests | ||
| ./build.sh | ||
| docker run --rm netty-wolfjsse:latest | ||
| ``` | ||
|
|
||
| ## Run Single Test | ||
|
|
||
| ```bash | ||
| docker run --rm -it netty-wolfjsse:latest bash | ||
| ./mvnw -o test -pl handler -Dtest=JdkSslClientContextTest \ | ||
| -Dcheckstyle.skip=true -Danimal.sniffer.skip=true | ||
| ``` | ||
|
|
||
| ## Patch Summary | ||
|
|
||
| `apply_netty_fips_fixes.sh` patches Netty to skip OpenSSL-specific tests, use wolfSSL certs, and disable FIPS-incompatible algorithms (MD5, 3DES). |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.