Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds Spring Boot SSL test infrastructure for wolfJSSE FIPS mode. It creates a Docker-based test environment that patches Spring Boot 3.4.1 to work with wolfJSSE in FIPS mode, handling FIPS-specific requirements such as WKS keystore format, FIPS-compliant passwords (minimum 14 characters), and CA-signed certificates. The tests require wolfssljni PR #310 to pass, and many tests are skipped due to FIPS restrictions on certain cryptographic algorithms like DSA, EdDSA, and PBES2.
Changes:
- Added build script for creating Spring Boot test Docker images with wolfJSSE FIPS support
- Implemented comprehensive patching script to modify Spring Boot source code for FIPS compliance
- Created multi-stage Dockerfile with test orchestration and WKS keystore generation utilities
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| build.sh | Shell script to build the Spring Boot test Docker image with command-line options for customization |
| apply_spring_fips_fixes.sh | Comprehensive bash script that patches Spring Boot source code to support wolfJSSE FIPS requirements |
| Dockerfile | Multi-stage Docker build that clones Spring Boot, applies patches, and sets up test environment with proper keystores |
| README.md | Repository documentation (currently duplicates root README) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
JeremiahM37
force-pushed
the
spring-boot-tests
branch
from
c7e5d59 to
fa07559
Compare
JeremiahM37
force-pushed
the
spring-boot-tests
branch
from
fa07559 to
7b87e1f
Compare
| # instead of SSLHandshakeException. Reactor/Netty tests are disabled in Section 9. | ||
|
|
||
| # PEM certificate parsing tests - try enabling, uses RSA certs | ||
| # disable_test_class "${BOOT_TEST}/ssl/pem/PemCertificateParserTests.java" \ |
There was a problem hiding this comment.
It looks like there are a few tests commented out here. Should we delete these lines now?
|
|
||
| # Autoconfigure SSL tests - only disable specific SSL methods that actually fail | ||
| # RabbitAutoConfigurationTests - most tests pass, only disable ones that actually fail | ||
| for method in enableSslWithNonExistingKeystoreShouldFail \ |
There was a problem hiding this comment.
What was the reason these tests were failing? If they were failing due to a non-FIPS algo or cert, could we update those tests to use a FIPS compliant one? We have had people try to use wolfJSSE with RabbitMQ in the past, so getting to the bottom of these will be good.
If some tests were failing with a self-signed CA/cert error, that is usually caused by a self-signed certificate missing the "isCA:true" basic constraint. If we run into that scenario, it is worth exploring if we can update the certs to include that constraint, or adjust the cert generation to include it.
| done | ||
| # Disable only the SSL tests that actually fail (verified by running tests) | ||
| # Cassandra - cqlSessionBuilderWithSslBundle fails with WolfCryptException | ||
| disable_test_method "${AUTOCONFIG_TEST}/cassandra/CassandraAutoConfigurationTests.java" \ |
There was a problem hiding this comment.
Let's identify the exact reason Cassandra test was failing here.
There was a problem hiding this comment.
The password wasn't being caught by my sed replacement, so it was not using a fips approved algorithm. Fixed
| "cqlSessionBuilderWithSslBundle" "wolfJSSE FIPS: SSL bundle initialization fails" | ||
|
|
||
| # MongoDB - configuresSslWithBundle fails with AssertionError (behavior difference) | ||
| disable_test_method "${AUTOCONFIG_TEST}/mongo/MongoAutoConfigurationTests.java" \ |
There was a problem hiding this comment.
Are these failing MogoDB tests showing us some wolfJSSE behavior we should fix? Or did we determine that would not affect a real-world use case?
There was a problem hiding this comment.
Partially fixed (password length). The non reactive test still fails due to assertion mismatch since it is looking for specific algorithms, so it should remain disabled.
| "configuresSslWithBundle" "wolfJSSE FIPS: SSL bundle behavior difference" | ||
|
|
||
| # RSocket - shouldUseSslWhenRocketServerSslIsConfigured fails | ||
| disable_test_method "${AUTOCONFIG_TEST}/rsocket/RSocketServerAutoConfigurationTests.java" \ |
There was a problem hiding this comment.
Same here, let's figure out why this RSocket test is failing, and if we nee to fix something in wolfJSSE.
There was a problem hiding this comment.
The test only provides 'keyPassword', but not 'keyStorePassword'. JKS can load without a keystore password, but WKS requires it.
| # NettyRSocket and Reactive tests - disabled in Section 9 (use compiled Netty jars) | ||
|
|
||
| # PEM trust store with client auth - inline PEM certificates don't work with wolfJSSE | ||
| disable_test_method "${BOOT_TEST}/web/reactive/server/AbstractReactiveWebServerFactoryTests.java" \ |
There was a problem hiding this comment.
Just curious, what does "inline PEM certificate" mean here? Is this something we should consider adding support in wolfJSSE for?
There was a problem hiding this comment.
One test used Ed25519. The rest have been reenabled with FIPS password patches. The PEM label was incorrect.
| disable_test_method "${BOOT_TEST}/web/reactive/server/AbstractReactiveWebServerFactoryTests.java" \ | ||
| "sslWithPemCertificates" "wolfJSSE: Inline PEM certificates not supported" | ||
|
|
||
| disable_test_method "${BOOT_TEST}/web/embedded/tomcat/TomcatServletWebServerFactoryTests.java" \ |
There was a problem hiding this comment.
What does "dynamic SSL reload" mean here? Is this something wolfJSSE should support?
There was a problem hiding this comment.
Dynamic SSL reload is a spring boot feature where ssl bundles can be hot swapped at runtime. WolfJSSE does support this. It used ED25519 certs, which I replaced with RSA certs and the tests are now re-enabled.
| fi | ||
|
|
||
| # ============================================================================== | ||
| # SECTION 8: Patch TrustSelfSignedStrategy -> TrustAllStrategy |
There was a problem hiding this comment.
See comment about about self-signed certs, and how wolfSSL requires those to have the "isCA:true" boolean constraint set to true. Is this something we can adjust in the certs / generate new certs / etc?
There was a problem hiding this comment.
Fixed. Ca cert generation now has CA:true
| echo "" | ||
| echo "=== SECTION 9: Disabling Netty/Reactor SSL tests ===" | ||
|
|
||
| # These tests use Netty's InsecureTrustManagerFactory which returns empty accepted issuers. |
There was a problem hiding this comment.
I am curious as to why the InsecureTrustManagerFactory does not override cert chain validation in wolfJSSE like it would in SunJSSE. Maybe after looking at the Netty tests again we will get some insight into this?
|
|
||
| # Gradle security config (needs MD5 for checksums, WKS as default keystore) | ||
| RUN cat > /usr/local/openjdk-19/conf/security/java.security.gradle <<'EOF' | ||
| security.provider.1=SUN |
There was a problem hiding this comment.
Do we need to register WolfCryptProvider and WolfSSLProvider as top priority ones here?
…reload - Re-enable SslInfoTests (all 6 tests): use faketime+openssl to generate self-signed certs with exact validity dates, WksUtil to create WKS keystores, and sed/perl to patch test assertions for WKS structure - Re-enable shouldUpdateSslWhenReloadingSslBundles: replace ED25519 certs with RSA, fix PemSslStoreBundle null password and getKeyStorePassword - Fix password replacement to catch =pwd" property format (fixes Cassandra, MongoReactive, RabbitMQ SSL bundle tests) - Add CA cert extensions (basicConstraints, keyUsage) per review feedback - Replace python3 patching with sed/perl (removes python3 dependency) - Add detailed root cause comments for all disabled tests - Improve Section 9 Netty/InsecureTrustManagerFactory documentation Test results: 392 tests, 277 passed, 0 failed, 115 skipped Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 participants
Added springboot test image for wolfjsse FIPS
Requires wolfSSL/wolfssljni#310 to be merged for the tests to pass which I'm still cleaning up a bit and should be done soon.
All tests that are skipped are due to fips restrictions as every single test passes with non-fips.