action #125654
[security][FIPS] clarify openJDK version testing (closed)
Added by amanzini over 1 year ago. Updated about 1 year ago.
100%
Description
Context
Our current test https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/fips/openjdk/openjdk_fips.pm is specifically installing jdk11, but with the progress of the updates it can happen that we find a newer one on the machines. The newer one could support new Cipher Suites and Security Providers.
At the moment, as a workaround, we uninstall any JDK before testing; the question is:
Question
- should we test any present and greater version of OpenJDK, or only some specific ones?
Action
- provide for each JDK version the accepted list of FIPS crypto providers, which for OpenJDK 11 is currently stored in https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt
- change the test to map the correct JDK version with the reference list of Supported Cipher Suites and Security Providers
Updated by amanzini over 1 year ago
- Tags set to need-clarification
- Subject changed from [security to [security][FIPS] clarify openJDK version testing
- Description updated (diff)
Updated by pstivanin over 1 year ago
- Status changed from New to In Progress
- Assignee set to pstivanin
Updated by pstivanin over 1 year ago
- % Done changed from 0 to 50
- Ciphers reported here (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) are correct for all openjdk versions tested under fips.
- According to https://confluence.suse.com/pages/viewpage.action?pageId=675512957, only openjdk-11 should be tested, but Marcus wrote that it'd be nice to have java-17-openjdk tested too.
slack conversation: https://suse.slack.com/archives/C04QYGFKQ1G/p1679470228936649
Updated by pstivanin over 1 year ago
- % Done changed from 50 to 80
Updated by pstivanin over 1 year ago
- Status changed from In Progress to Blocked
About openjdk17, the test is currently failing (https://openqa.suse.de/tests/10752801) because the returned ciphers are different.
Currently, we have this (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) for openjdk11, but openjdk17 outputs that (https://gitlab.suse.de/qe-security/testing/-/raw/2ff4bcc7545e7d0ea97c1645a1a25dd2cfab2bce/data/openjdk/Tcheck17.txt).
I've asked Dennis and Viktor how to proceed. Waiting for feedback.
Updated by pstivanin about 1 year ago
- Status changed from Blocked to In Progress
Fridrich found the bug and already opened an SR:
I think that it will be working with this change. The reason for this from the part of RedHat was that right now there is no way to disable OpenJDK FIPS for all java applications running on a FIPS enabled host. I.e. let everything else - non-Java - be in FIPS mode, but disable it for OpenJDK applications.
Now, their reasoning for this change was that one could never disable fips globally for all java applications. Now, they implemented the possibility that if system config files are disabled, fips is disabled automatically too for openjdk. Which is a useful feature. But they also flipped the default, which changed our default behaviour and you thankfully found it out. Now, I flipped that default back. If some customer wants to disable FIPS for all java applications, she just needs to flip that one property in the file. So I think that this solution is more or less the best.
Updated by pstivanin about 1 year ago
We will need a separate baseline file for J17, because the output will be different from J11.
Updated by pstivanin about 1 year ago
I've now scheduled both openjdk 11 and 17 on my devel prj: https://openqa.suse.de/group_overview/431
I'll let them both run there until we get an approval for the 17's baseline.
Updated by pstivanin about 1 year ago
- Status changed from In Progress to Blocked
Updated by pstivanin about 1 year ago
SR has been submitted, so it is likely to reach the testing queue in about a week.
Updated by pstivanin about 1 year ago
- Status changed from Blocked to In Progress
Updated by pstivanin about 1 year ago
- % Done changed from 80 to 70
We now have the update in the testing queue (https://smelt.suse.de/request/299043/) and the fips test is now passing (https://openqa.suse.de/tests/11186952#step/openjdk17_fips/1).
The ssh one is failing though (https://openqa.suse.de/tests/11186952#step/openjdk17_ssh/21), so I'm looking into it.
Updated by pstivanin about 1 year ago
- Status changed from In Progress to Blocked
Updated by pstivanin about 1 year ago
Fridrich already fixed the issue, and I've verified that it works correctly.
He will open a new SR in the next days.
Updated by pstivanin about 1 year ago
SR has been submitted, now waiting for it to reach the testing queue.
Updated by pstivanin about 1 year ago
Package is in the ready queue with id 299777.
Updated by pstivanin about 1 year ago
SR went back to the submitted queue with a new id (300306).
Updated by pstivanin about 1 year ago
- % Done changed from 70 to 80
With the latest update, now both jdk11 and jdk17 are green.
Will let them run here https://openqa.suse.de/tests/overview?distri=sle&version=15-SP4&build=20230607-1&groupid=431 for a few days before merging it into master.
Updated by pstivanin about 1 year ago
- Status changed from Blocked to In Progress
Updated by pstivanin about 1 year ago
As clarified with Dennis, we no longer need to check the whole cipher suites block, just that this line
1. SunPKCS11-NSS-FIPS using library null
is always there and in the first place in Supported Security Providers.
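The reduced check described in the comment above, written here as an added example and not the openQA test's own code (openjdk_fips.pm is Perl): it parses a provider listing and verifies that SunPKCS11-NSS-FIPS is present and listed first. The sample output is constructed, and its exact layout (a numbered list under a "Supported Security Providers:" heading) is an assumption.

```python
import re

# Constructed sample in the shape the ticket describes; not real test output.
# Assumption: sections are headed "Supported Cipher Suites:" and
# "Supported Security Providers:" and hold numbered entries.
FIPS_OUTPUT = """\
Supported Cipher Suites:
1. TLS_AES_256_GCM_SHA384
2. TLS_AES_128_GCM_SHA256

Supported Security Providers:
1. SunPKCS11-NSS-FIPS using library null
2. SUN
3. SunEC
"""

# Same listing with the FIPS provider present but no longer first:
# this is the case the check must reject, not just "provider missing".
NON_FIPS_FIRST_OUTPUT = FIPS_OUTPUT.replace(
    "1. SunPKCS11-NSS-FIPS using library null\n2. SUN\n3. SunEC",
    "1. SUN\n2. SunEC\n3. SunPKCS11-NSS-FIPS using library null")

EXPECTED_FIRST = "SunPKCS11-NSS-FIPS using library null"
HEADING = "Supported Security Providers:"


def security_providers(output):
    """Return the numbered entries under the providers heading, in order.

    Reading stops at the first line that is not a numbered entry, so a
    blank line or the next section heading ends the list."""
    lines = output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == HEADING)
    except StopIteration:
        return []
    entries = []
    for line in lines[start + 1:]:
        m = re.match(r"\s*\d+\.\s+(.*\S)", line)
        if not m:
            break
        entries.append(m.group(1))
    return entries


def fips_provider_is_first(output):
    """(ok, reason): ok only if the FIPS provider is entry number one."""
    providers = security_providers(output)
    if not providers:
        return False, "no Supported Security Providers section found"
    if providers[0] != EXPECTED_FIRST:
        return False, f"first provider is {providers[0]!r}, not {EXPECTED_FIRST!r}"
    return True, "ok"
```

Pointing the check at the first entry rather than at "somewhere in the list" is what distinguishes a host where the NSS FIPS provider actually takes precedence from one where it is merely installed.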
Updated by pstivanin about 1 year ago
Code has been updated, but VRs can't be executed due to broken scc.
Updated by pstivanin about 1 year ago
- % Done changed from 80 to 100
Updated by pstivanin about 1 year ago
- Status changed from In Progress to Resolved
Updated by dzedro about 1 year ago
This Desktop test is now broken https://openqa.suse.de/tests/11347884
Updated by pstivanin about 1 year ago
@dzedro: would it be ok if we dropped it from that testsuite? I don't think it has much sense to have the same test running both in secmaint and coremaint. What do you think?
Updated by dzedro about 1 year ago
pstivanin wrote:
@dzedro: would it be ok if we dropped it from that testsuite? I don't think it has much sense to have the same test running both in secmaint and coremaint. What do you think?
I don't mind, but it's Desktop, no idea if fips is even used on Desktop.
Updated by dzedro about 1 year ago
I updated the yaml schedule https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/17303
Updated by pstivanin about 1 year ago
thanks! sorry, I completely forgot about it :(