action #116263

closed

[security][fips] test fails in openjdk_fips

Added by punkioudi almost 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2022-09-06
Due date:
% Done: 0%
Estimated time:
Difficulty:
Tags:

Description

# Test died: script failed with :
[ 218.567711] systemd[1]: snapperd.service: Deactivated successfully.

We have to make sure that the expected results for Supported Cipher Suites and Supported Security Providers are still the same as for 15-SP4. It seems that in 15-SP5 there are some new additions, so it looks more like a test issue than a product bug.

For example there are these 3 cipher suites:

>  1. TLS_AES_256_GCM_SHA384
>  2. TLS_AES_128_GCM_SHA256
>  3. TLS_CHACHA20_POLY1305_SHA256

Acceptance criteria

  1. Find the supported cipher suites and supported security providers for 15-SP5
  2. Modify the expected outcome of the test accordingly (https://gitlab.suse.de/QA-APAC-I/testing/-/raw/master/data/openjdk/Tcheck.txt)
  3. Run verification runs, both for maintenance and product

Observation

openQA test in scenario sle-15-SP5-Online-x86_64-fips_env_mode_jdk@64bit fails in
openjdk_fips

Test suite description

The base test suite is used for job templates defined in YAML documents. It has no settings of its own.

Reproducible

Fails since (at least) Build 15.2

Expected result

Last good: (unknown) (or more recent)

Further details

Always latest result in this scenario: latest


Files

result.txt (2.47 KB), amanzini, 2022-10-11 10:40
Tcheck.txt (1.71 KB), amanzini, 2022-10-11 10:40

Related issues 2 (0 open, 2 closed)

Related to openQA Tests - action #119635: [security] test fails in sshd (Resolved, pstivanin, 2022-10-31)
Related to openQA Tests - action #123013: [security][fips] test openjdk only in fips-kernel mode (Resolved, amanzini, 2023-01-12)

Actions #1

Updated by openqa_review almost 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9517914#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #2

Updated by bchou over 1 year ago

Hi Viktor,

Would you please check this issue too? Probably it's a mozilla-nss lib problem. Thank you.

Actions #3

Updated by viktors.trubovics over 1 year ago

Update from Marcus Meissner:

  1. TLS_AES_256_GCM_SHA384
  2. TLS_AES_128_GCM_SHA256

  1 and 2 have approved ciphers only.

  3. TLS_CHACHA20_POLY1305_SHA256

  3 is not approved.

So it means:

  4. Test needs to be updated to contain TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.
  5. Bug needs to be raised against TLS_CHACHA20_POLY1305_SHA256.

Actions #4

Updated by amanzini over 1 year ago

  • Assignee set to amanzini

Updated by amanzini over 1 year ago

In addition to the cipher suites, there's also a change in the Supported Security Providers.
from:

 1. SunPKCS11-NSS-FIPS using library null
 2. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
 3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
 4. Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-NSS-FIPS)

to:

 1. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
 2. Sun RSA signature provider
 3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
 4. Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)
 5. SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC, ChaCha20)
 6. Sun (Kerberos v5, SPNEGO)
 7. Sun SASL provider(implements client mechanisms for: DIGEST-MD5, EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, CRAM-MD5, NTLM)
 8. XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory; C14N 1.0, C14N 1.1, Exclusive C14N, Base64, Enveloped, XPath, XPath2, XSLT TransformServices)
 9. Sun PC/SC provider
 10. JdkLDAP Provider (implements LDAP CertStore)
 11. JDK SASL provider(implements client and server mechanisms for GSSAPI)
 12. Unconfigured and unusable PKCS11 provider

Are we going to handle that too? Please see the attached result.txt (output from JavaCryptoTest) and Tcheck.txt (expected).
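The following is an added example, not the ticket's JavaCryptoTest and not code from the openQA test repository. It does what the acceptance criteria in the description and the comparison in this comment describe: it lists the running JVM's supported cipher suites and installed providers and diffs them against an expected baseline, so entries that are new in 15-SP5 (for example an extra TLS 1.3 suite) show up as UNEXPECTED and entries that disappeared show up as MISSING. The baseline line format ("cipher NAME" / "provider NAME") and the embedded sample baseline are assumptions made here; the real Tcheck.txt format is not shown on this page. Requires Java 11 or newer.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/**
 * Enumerates the JSSE cipher suites and JCA providers of the running JVM and
 * diffs them against an expected baseline, analogous to the openjdk_fips test
 * comparing its JavaCryptoTest output with Tcheck.txt.
 *
 *   java CryptoBaselineCheck              # compare against the built-in sample
 *   java CryptoBaselineCheck Tcheck.txt   # compare against a baseline file
 *
 * Exit status 0 when actual == expected, 1 otherwise.
 */
public class CryptoBaselineCheck {

    // Constructed sample baseline (assumption, not the real Tcheck.txt): the
    // 15-SP4 provider set quoted in this ticket plus the two approved TLS 1.3
    // suites. Every supported suite and provider must be listed here, so an
    // extra suite such as TLS_CHACHA20_POLY1305_SHA256 is reported as UNEXPECTED.
    static final String SAMPLE_BASELINE = String.join("\n",
        "cipher TLS_AES_256_GCM_SHA384",
        "cipher TLS_AES_128_GCM_SHA256",
        "provider SunPKCS11-NSS-FIPS",
        "provider SUN",
        "provider SunEC",
        "provider SunJSSE");

    /** Cipher suites the default SSLContext can negotiate (supported, not merely enabled). */
    static Set<String> supportedCipherSuites() throws NoSuchAlgorithmException {
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return new TreeSet<>(Arrays.asList(suites));
    }

    /** Installed JCA provider names in preference order. */
    static Set<String> providerNames() {
        Set<String> names = new LinkedHashSet<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Parses "cipher NAME" / "provider NAME" lines; blank lines and '#' comments are skipped. */
    static Set<String> parseBaseline(String text) {
        Set<String> expected = new TreeSet<>();
        for (String line : text.split("\\R")) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            expected.add(line);
        }
        return expected;
    }

    /** Actual state of this JVM in the same "kind NAME" form as the baseline. */
    static Set<String> actualEntries() throws NoSuchAlgorithmException {
        Set<String> actual = new TreeSet<>();
        for (String s : supportedCipherSuites()) actual.add("cipher " + s);
        for (String p : providerNames()) actual.add("provider " + p);
        return actual;
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        String baseline = args.length > 0
            ? Files.readString(Path.of(args[0]), StandardCharsets.UTF_8)
            : SAMPLE_BASELINE;
        Set<String> expected = parseBaseline(baseline);
        Set<String> actual = actualEntries();

        // Print which JDK actually ran: the ticket shows jdk17 being picked up
        // even though the test installed jdk11.
        System.out.println("JVM: " + System.getProperty("java.vm.name") + " "
            + System.getProperty("java.runtime.version"));

        Set<String> missing = new TreeSet<>(expected);
        missing.removeAll(actual);
        Set<String> unexpected = new TreeSet<>(actual);
        unexpected.removeAll(expected);

        missing.forEach(e -> System.out.println("MISSING    " + e));
        unexpected.forEach(e -> System.out.println("UNEXPECTED " + e));
        System.exit(missing.isEmpty() && unexpected.isEmpty() ? 0 : 1);
    }
}
```

Each UNEXPECTED line is a decision point of the kind Marcus Meissner's update describes: an approved addition goes into the baseline, a non-approved one becomes a bug report against the product.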

Actions #7

Updated by tjyrinki_suse over 1 year ago

Note this has failed already in 15-SP4 GMC https://openqa.suse.de/tests/9064912#step/openjdk_fips/43

Actions #8

Updated by amanzini over 1 year ago

  • Status changed from New to Blocked
Actions #9

Updated by amanzini over 1 year ago

  • Status changed from Blocked to In Progress
Actions #10

Updated by amanzini over 1 year ago

  • Status changed from In Progress to Blocked
Actions #11

Updated by amanzini over 1 year ago

  • Status changed from Blocked to In Progress

The test passes when run in FIPS KERNEL mode: https://openqa.suse.de/tests/9776262 .
So basically the issue is that SSL and/or the jdk does not honor env mode but relies on the kernel setting. We should decide whether this is correct behaviour, and if so adapt the test, or ask upstream to implement a proper ENV mode.

Actions #12

Updated by amanzini over 1 year ago

  • Status changed from In Progress to Blocked
Actions #13

Updated by amanzini over 1 year ago

Actions #14

Updated by openqa_review over 1 year ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9881955#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #15

Updated by openqa_review over 1 year ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/10029317#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #16

Updated by openqa_review over 1 year ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/10186562#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.

Actions #17

Updated by tjyrinki_suse over 1 year ago

This is waiting for Dennis to discuss with Fridrich directly some details.

Actions #18

Updated by amanzini over 1 year ago

Seems to be failing in kernel mode too, needs further investigation: https://openqa.suse.de/tests/10307628#

JCE Provider Info: OpenJDK 64-Bit Server VM 17.0.5+0-suse-150400.3.6.1-x8664/17.0.5+0-suse-150400.3.6.1-x8664 on Linux 5.14.21-150400.24.38-default

This new failure is related to a newer java-17-openjdk that comes preinstalled in the image. The test installs jdk11, but the one in use is always 17, so the output of crypto providers differs.
To fix the test, either we update the baseline to the newest jdk, or, if the reference has to be jdk11, we uninstall any jdk present in the system before installing jdk11.

Actions #19

Updated by amanzini over 1 year ago

  • Related to action #123013: [security][fips] test openjdk only in fips-kernel mode added
Actions #20

Updated by amanzini over 1 year ago

  • Status changed from Blocked to In Progress
Actions #21

Updated by tjyrinki_suse over 1 year ago

Thank you for the analysis! Your suggestion to make them pass on jdk11 and ask for an update to the reference jdk later sounds good to me!

Actions #22

Updated by amanzini over 1 year ago

  • Status changed from In Progress to Feedback

PR: https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/16236

we need to clarify if JDK11 is a strict requirement or we should test against any newer version.

Actions #23

Updated by openqa_review over 1 year ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_openjdk
https://openqa.suse.de/tests/10386057#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #24

Updated by tjyrinki_suse over 1 year ago

  • Status changed from Feedback to Resolved

OpenJDK is now executed only in kernel mode, due to lack of support for enabling FIPS with just an environment variable.
