action #125654

closed

[security][FIPS] clarify openJDK version testing

Added by amanzini over 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 2023-03-08
Due date:
% Done: 100%
Estimated time:
Difficulty:

Description

Context

Our current test https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/fips/openjdk/openjdk_fips.pm specifically installs jdk11, but as updates progress we can find a newer one already on the machines. The newer one could support new cipher suites and security providers.
At the moment, as a workaround, we uninstall any JDK before testing; the question is:

Question

  • should we test any present and greater version of OpenJDK, or only some specific ones?

Action

Actions #1

Updated by amanzini over 1 year ago

  • Tags set to need-clarification
  • Subject changed from [security to [security][FIPS] clarify openJDK version testing
  • Description updated (diff)
Actions #2

Updated by pstivanin about 1 year ago

  • Status changed from New to In Progress
  • Assignee set to pstivanin
Actions #3

Updated by pstivanin about 1 year ago

  • % Done changed from 0 to 50

slack conversation: https://suse.slack.com/archives/C04QYGFKQ1G/p1679470228936649

Actions #5

Updated by pstivanin about 1 year ago

  • Status changed from In Progress to Blocked

About openjdk17: the test is currently failing (https://openqa.suse.de/tests/10752801) because the returned ciphers are different.
Currently we have this (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) for openjdk11, but openjdk17 outputs that (https://gitlab.suse.de/qe-security/testing/-/raw/2ff4bcc7545e7d0ea97c1645a1a25dd2cfab2bce/data/openjdk/Tcheck17.txt).

I've asked Dennis and Viktor how to proceed. Waiting for feedback.

Actions #6

Updated by pstivanin about 1 year ago

Fridrich Strba is looking into it.

Actions #8

Updated by pstivanin about 1 year ago

  • Status changed from Blocked to In Progress

Fridrich found the bug and already opened an SR:

I think that it will be working with this change. The reason for this on Red Hat's part was that right now there is no way to disable OpenJDK FIPS for all Java applications running on a FIPS-enabled host, i.e. let everything else (non-Java) be in FIPS mode, but disable it for OpenJDK applications.
Now, their reasoning for this change was that one could never disable FIPS globally for all Java applications. So they implemented the possibility that if the system config files are disabled, FIPS is disabled automatically for OpenJDK too, which is a useful feature. But they also flipped the default, which changed our default behaviour, and you thankfully found it out. Now I have flipped that default back. If some customer wants to disable FIPS for all Java applications, she just needs to flip that one property in the file. So I think that this solution is more or less the best.

https://build.suse.de/request/show/297511

Actions #9

Updated by pstivanin about 1 year ago

  • % Done changed from 80 to 60
Actions #10

Updated by pstivanin about 1 year ago

We will need a separate baseline file for J17, because the output will be different from J11.

Actions #11

Updated by pstivanin about 1 year ago

  • % Done changed from 60 to 80
Actions #12

Updated by pstivanin about 1 year ago

I've now scheduled both openjdk 11 and 17 on my devel prj: https://openqa.suse.de/group_overview/431

I'll let them both run there until we get an approval for the 17's baseline.

Actions #13

Updated by pstivanin about 1 year ago

  • Status changed from In Progress to Blocked
Actions #14

Updated by pstivanin about 1 year ago

SR has been submitted, so it is likely to reach the testing queue in about a week.

Actions #15

Updated by pstivanin about 1 year ago

  • Status changed from Blocked to In Progress
Actions #16

Updated by pstivanin about 1 year ago

  • % Done changed from 80 to 70

We now have the update in the testing queue (https://smelt.suse.de/request/299043/) and the FIPS test is now passing (https://openqa.suse.de/tests/11186952#step/openjdk17_fips/1).

The ssh one is failing though (https://openqa.suse.de/tests/11186952#step/openjdk17_ssh/21), so I'm looking into it.

Actions #17

Updated by pstivanin about 1 year ago

  • Status changed from In Progress to Blocked
Actions #18

Updated by pstivanin about 1 year ago

Fridrich already fixed the issue, and I've verified that it works correctly.
He will open a new SR in the next days.

Actions #19

Updated by pstivanin about 1 year ago

SR has been submitted, now waiting for it to reach the testing queue

Actions #20

Updated by pstivanin about 1 year ago

package is in the ready queue with id 299777

Actions #21

Updated by pstivanin about 1 year ago

SR went back to the submitted queue with a new id (300306)

Actions #22

Updated by pstivanin about 1 year ago

  • % Done changed from 70 to 80

With the latest update both jdk11 and jdk17 are now green.

I will let them run here https://openqa.suse.de/tests/overview?distri=sle&version=15-SP4&build=20230607-1&groupid=431 for a few days before merging it into master.

Actions #23

Updated by pstivanin about 1 year ago

  • Status changed from Blocked to In Progress
Actions #24

Updated by pstivanin about 1 year ago

As clarified with Dennis, we no longer need to check the whole cipher suites block, just that this line

 1. SunPKCS11-NSS-FIPS using library null

is always there and in first place under Supported Security Providers.

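The check described in the comment above, written out as an added example (not code from the os-autoinst test or from the qe-security baseline files): parse the captured OpenJDK output, locate the "Supported Security Providers:" block, and require that SunPKCS11-NSS-FIPS is present and listed first, while deliberately ignoring the version-dependent cipher suite list. The layout of the sample output below is an assumption modelled on the single provider line quoted in the ticket, and the sample texts are constructed; the real Tcheck.txt / Tcheck17.txt files may differ in detail.

```python
"""Verify that SunPKCS11-NSS-FIPS is the first Supported Security Provider
in captured OpenJDK output (added example, not the project's own test code).

The output format assumed here is modelled on the one line quoted in the
ticket (" 1. SunPKCS11-NSS-FIPS using library null"); it is an assumption.
"""
import re

PROVIDERS_HEADER = "Supported Security Providers:"
FIPS_PROVIDER = "SunPKCS11-NSS-FIPS"

# A numbered provider line: " 1. SunPKCS11-NSS-FIPS using library null"
# group(1) = position, group(2) = provider name, group(3) = trailing detail.
_PROVIDER_LINE = re.compile(r"^\s*(\d+)\.\s+(\S+)(.*)$")

# Constructed sample: a FIPS-enabled JDK listing the NSS-FIPS provider first.
SAMPLE_FIPS_OUTPUT = """\
Supported Security Providers:
 1. SunPKCS11-NSS-FIPS using library null
 2. SUN
 3. SunRsaSign
 4. SunEC

Supported Cipher Suites:
 TLS_AES_256_GCM_SHA384
 TLS_AES_128_GCM_SHA256
"""

# Constructed sample: provider present, but not first (FIPS mode not active).
SAMPLE_NON_FIPS_OUTPUT = """\
Supported Security Providers:
 1. SUN
 2. SunRsaSign
 3. SunEC
 4. SunPKCS11-NSS-FIPS using library null

Supported Cipher Suites:
 TLS_AES_256_GCM_SHA384
"""


def parse_providers(output):
    """Return provider names, in listed order, from the Supported Security
    Providers block.  Returns an empty list when the block is missing."""
    names = []
    in_block = False
    for line in output.splitlines():
        if line.strip() == PROVIDERS_HEADER:
            in_block = True
            continue
        if not in_block:
            continue
        match = _PROVIDER_LINE.match(line)
        if match is None:
            break  # a blank line or the next section ends the block
        names.append(match.group(2))
    return names


def check_fips_provider(output, expected=FIPS_PROVIDER):
    """Return (ok, reason).  ok is True only when `expected` is listed at
    position 1.  The cipher suite block is intentionally not compared, since
    it legitimately differs between OpenJDK 11 and 17."""
    providers = parse_providers(output)
    if not providers:
        return False, "no '%s' block found in output" % PROVIDERS_HEADER
    if expected not in providers:
        return False, "%s not present; providers: %s" % (expected, providers)
    if providers[0] != expected:
        position = providers.index(expected) + 1
        return False, "%s listed at position %d, not 1" % (expected, position)
    return True, "%s is the first provider" % expected


if __name__ == "__main__":
    import sys
    # Pipe captured output in, or run without stdin to check the sample.
    data = SAMPLE_FIPS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    ok, reason = check_fips_provider(data)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Because only the provider order is asserted, the same check can be applied to the jdk11 and jdk17 output without maintaining a full cipher suite baseline per version; a FIPS JDK whose provider list starts with SUN, or one where the NSS-FIPS provider is missing entirely, fails with a reason that points at the actual provider order.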
Actions #25

Updated by pstivanin about 1 year ago

The code has been updated, but VRs can't be executed due to broken SCC.

Actions #27

Updated by pstivanin about 1 year ago

  • Status changed from In Progress to Resolved
Actions #28

Updated by dzedro about 1 year ago

This Desktop test is now broken https://openqa.suse.de/tests/11347884

Actions #29

Updated by pstivanin about 1 year ago

@dzedro: would it be ok if we dropped it from that testsuite? I don't think it makes much sense to have the same test running both in secmaint and coremaint. What do you think?

Actions #30

Updated by dzedro about 1 year ago

pstivanin wrote:

@dzedro: would it be ok if we dropped it from that testsuite? I don't think it makes much sense to have the same test running both in secmaint and coremaint. What do you think?

I don't mind, but it's Desktop, no idea if fips is even used on Desktop.

Actions #32

Updated by pstivanin 12 months ago

thanks! sorry, I completely forgot about it :(
