Remove the 192-bit EC test case #779

Merged

@JinhangZhang
Contributor

JinhangZhang commented May 8, 2024

This patch eliminates the 192-bit EC test which causes exceptions
seen in issue #18320.

The DefaultSignatureAlgorithm test was run on those Red Hat OS-based machines
in non-FIPS mode, but with a FIPS version of OpenSSL. So, a 192-bit
size of EC key pair generator is not allowed by the native code in a
FIPS version of OpenSSL. The code path went to a replacement EC key-pair
generator Java implementation.

issue: eclipse-openj9/openj9#18320

@JinhangZhang
Contributor Author

@jasonkatonica @pshipton FYI

@pshipton
Member

pshipton commented May 8, 2024

If you are referring to an issue pls provide a link not just a number.
This should be added to the head stream (openj9-openjdk-jdk) first and then backported. If it doesn't apply to newer versions, pls explain.

@JinhangZhang
Contributor Author

JinhangZhang commented May 13, 2024

> If you are referring to an issue pls provide a link not just a number. This should be added to the head stream (openj9-openjdk-jdk) first and then backported. If it doesn't apply to newer versions, pls explain.

@pshipton This only happens at 11. Case 18320 failed on this line of code. The size of 192 is not supported by a FIPS version of OpenSSL. This 192 size of EC key is not declared in other versions such as 17, 21 and next. For 11, the native code path will not be used; instead, Java code will be used.

@keithc-ca
Member

Perhaps it makes more sense to just remove the 192-bit test from DefaultSignatureAlgorithm (or at least in FIPS mode)?

@JinhangZhang
Contributor Author

> Perhaps it makes more sense to just remove the 192-bit test from DefaultSignatureAlgorithm (or at least in FIPS mode)?

Removing the 192-bit test to align with other versions makes sense to me.

@JinhangZhang
Contributor Author

Removed 192-bit test

@pshipton
Member

Isn't that just leaving the problem to be found by a customer?

@keithc-ca
Member

It's not clear that is the result: The failing test involves a replacement key-pair generator, not the one customers would be using.

@keithc-ca
Member

Please update the commit message and the description here to more accurately describe this change.

@JinhangZhang
Contributor Author

> Please update the commit message and the description here to more accurately describe this change.

updated

@keithc-ca
Member

>> Please update the commit message and the description here to more accurately describe this change.

> updated

This doesn't "implement" anything as the commit message and description say, instead it removes testing of a specific EC key size. Perhaps the summary should be (paraphrasing the last line and editing for grammar):

Remove test of 192-bit EC for consistency with other JDK versions

@JinhangZhang
Contributor Author

>>> Please update the commit message and the description here to more accurately describe this change.

>> updated

> This doesn't "implement" anything as the commit message and description say, instead it removes testing of a specific EC key size. Perhaps the summary should be (paraphrasing the last line and editing for grammar):

> Remove test of 192-bit EC for consistency with other JDK versions

Updated

This patch eliminates the 192-bit EC test which causes exceptions
seen in issue #18320.

The DefaultSignatureAlgorithm test was run on those Red Hat OS-based machines
in non-FIPS mode, but with a FIPS version of OpenSSL. So, a 192-bit
size of EC key pair generator is not allowed by the native code in a
FIPS version of OpenSSL. The code path went to a replacement EC key-pair
generator Java implementation.

issue: eclipse-openj9/openj9#18320

@JinhangZhang JinhangZhang changed the title from "Implement ECKeyPairGenerator initialize func" to "Remove the 192-bit EC test case" on May 14, 2024

@keithc-ca
Member

Jenkins compile plinux jdk11

@keithc-ca
Member

All plinux build systems are offline.

@keithc-ca
Member

Jenkins compile zlinux jdk11

@keithc-ca keithc-ca merged commit 795d069 into ibmruntimes:openj9 May 14, 2024
4 of 5 checks passed