eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

FIPS MauveMultiThrdLoad_5m_0_FAILED NoSuchAlgorithmException: SHA1PRNG SecureRandom not available #16904

Open JasonFengJ9 opened 1 year ago

JasonFengJ9 commented 1 year ago

Failure link

From an internal build (rhel8x64-fips1-1):

openjdk version "1.8.0_372"
IBM Semeru Runtime Open Edition (build 1.8.0_372-b03)
Eclipse OpenJ9 VM (build v0.38.0-release-25af2a240, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20230309_612 (JIT enabled, AOT enabled)
OpenJ9   - 25af2a240
OMR      - 008f97b5c
JCL      - a1cfd8750f based on jdk8u372-b03)

Rerun in Grinder - Change TARGET to run only the failed test targets.

Optional info

Failure output (captured from console output)

[2023-03-10T10:54:27.872Z] variation: Mode150
[2023-03-10T10:54:27.872Z] JVM_OPTIONS:  -XX:+UseCompressedOops  -Dsemeru.fips=true

[2023-03-10T10:54:34.284Z] LT  02:54:33.846 - Test failed
[2023-03-10T10:54:34.284Z] LT    Failure num.  = 1
[2023-03-10T10:54:34.284Z] LT    Test number   = 3083
[2023-03-10T10:54:34.284Z] LT    Test details  = 'Mauve[gnu.testlet.java.security.SecureRandom.SHA1PRNG]'
[2023-03-10T10:54:34.284Z] LT    Suite number  = 0
[2023-03-10T10:54:34.284Z] LT    Thread number = 0
[2023-03-10T10:54:34.284Z] LT  >>> Captured test output >>>
[2023-03-10T10:54:34.284Z] LT  java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
[2023-03-10T10:54:34.284Z] LT   at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
[2023-03-10T10:54:34.284Z] LT   at java.security.SecureRandom.getInstance(SecureRandom.java:312)
[2023-03-10T10:54:34.284Z] LT   at gnu.testlet.java.security.SecureRandom.SHA1PRNG.getInstance(SHA1PRNG.java:97)
[2023-03-10T10:54:34.284Z] LT   at gnu.testlet.java.security.SecureRandom.SHA1PRNG.instanceTest(SHA1PRNG.java:47)
[2023-03-10T10:54:34.284Z] LT   at gnu.testlet.java.security.SecureRandom.SHA1PRNG.test(SHA1PRNG.java:40)
[2023-03-10T10:54:34.284Z] LT   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-03-10T10:54:34.284Z] LT   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2023-03-10T10:54:34.284Z] LT   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-03-10T10:54:34.284Z] LT   at java.lang.reflect.Method.invoke(Method.java:498)
[2023-03-10T10:54:34.284Z] LT   at net.adoptopenjdk.loadTest.adaptors.MauveAdaptor.executeTest(MauveAdaptor.java:74)
[2023-03-10T10:54:34.284Z] LT   at net.adoptopenjdk.loadTest.LoadTestRunner$2.run(LoadTestRunner.java:182)
[2023-03-10T10:54:34.284Z] LT   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2023-03-10T10:54:34.284Z] LT   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2023-03-10T10:54:34.284Z] LT   at java.lang.Thread.run(Thread.java:826)
[2023-03-10T10:54:34.284Z] LT  FAIL: gnu.testlet.java.security.SecureRandom.SHA1PRNG: found implementation (number 0)
[2023-03-10T10:54:34.284Z] LT  FAIL: gnu.testlet.java.security.SecureRandom.SHA1PRNG: no implementation found (number 0)

[2023-03-10T10:54:38.838Z] STF 02:54:38.803 - Overall result: **FAILED**
[2023-03-10T10:54:38.838Z] -----------------------------------
[2023-03-10T10:54:38.838Z] MauveMultiThrdLoad_5m_0_FAILED

jasonkatonica commented 1 year ago

Hello @JasonFengJ9, when executing with the flag -Dsemeru.fips=true set, the Sun provider and its associated cryptographic algorithms are all currently disabled. This is because the crypto code in Sun is not FIPS certified. The algorithm SHA1PRNG reported above is not a FIPS certified algorithm, so this failure can be expected.

pshipton commented 1 year ago

We don't want to have any expected failures; we want to exclude them when running in FIPS mode (or change the test). @llxia how can these be excluded for FIPS?

JasonFengJ9 commented 1 year ago

Hi @jasonkatonica, is there a list of providers/algorithms that are not FIPS certified ([1]??) so we can mark them as expected failures?

RestrictedSecurity1.jce.provider.2 = SUN [{CertificateFactory, X.509, ImplementedIn=Software}, \
    {CertStore, Collection, ImplementedIn=Software}, \
    {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \
    {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \
    {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \
    {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}]
RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \
    SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \
    KeySize=256}, {AlgorithmParameters, EC, *}]
RestrictedSecurity1.jce.provider.4 = SunJSSE

[1] https://github.com/ibmruntimes/openj9-openjdk-jdk11/blob/d89db392f756e98f6ec55a86862b2131f7e0a585/src/java.base/share/conf/security/java.security#L135-L144

jasonkatonica commented 1 year ago

As you pasted above, we do enable some algorithms using this provider list in the restricted security mode settings. This does make it difficult to see the complete list and each algorithm's alias names this way. Additionally, some FIPS certified algorithms are dynamically registered by the PKCS11 provider. I have been running the below snippet of code, which prints all the algorithms while running in FIPS mode, to get a more accurate list of FIPS algorithms configured in a given environment:

import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class SecurityProvidersAndAlgorithms {
  public static void main(String[] args) throws Exception {
    try {
      // Providers are returned in preference order.
      Provider[] p = Security.getProviders();
      for (int i = 0; i < p.length; i++) {
          System.out.println("Provider Name: " + p[i].getName());
          // Provider.toString() yields "<name> version <version>".
          System.out.println("Provider Version: " + p[i]);
          // Each key is a provider property, e.g. "<type>.<algorithm>"
          // or "Alg.Alias.<type>.<alias>".
          for (Enumeration<Object> e = p[i].keys(); e.hasMoreElements();) {
              System.out.println("\t" + e.nextElement());
          }
      }
    } catch (Exception e) {
      System.out.println(e);
    }
  }
}

This for example returns the following on a recent Java 8 build:

>java -Dsemeru.fips=true SecurityProvidersAndAlgorithms

Provider Name: SunPKCS11-NSS-FIPS
Provider Version: SunPKCS11-NSS-FIPS version 1.8
    Alg.Alias.Signature.1.2.840.113549.1.1.2
    Cipher.DESede/CBC/NoPadding
    Alg.Alias.KeyFactory.DiffieHellman
    Cipher.RSA/ECB/NoPadding
    Alg.Alias.Cipher.AES
    Signature.SHA256withECDSA
    Cipher.AES/CTR/NoPadding
    Alg.Alias.SecretKeyFactory.RC4
    MessageDigest.SHA-512
    Alg.Alias.KeyFactory.1.3.14.3.2.12
    Cipher.AES/ECB/PKCS5Padding
    KeyGenerator.DES
    Cipher.AES/GCM/NoPadding
    Provider.id version
    KeyGenerator.DESede
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.46
    Alg.Alias.KeyFactory.1.2.840.10040.4.1
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.42
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.41
    Mac.HmacSHA1
    Signature.SHA224withRSA
    SecretKeyFactory.DESede
    Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.4
    KeyGenerator.SunTlsKeyMaterial
    Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.3
    Cipher.RSA/ECB/PKCS1Padding
    Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.2
    Alg.Alias.KeyPairGenerator.1.3.14.3.2.12
    Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.1
    Cipher.AES_256/GCM/NoPadding
    Alg.Alias.SecretKeyFactory.2.16.840.1.101.3.4.1
    Signature.SHA512withRSASSA-PSS
    Signature.SHA1withRSASSA-PSS
    KeyPairGenerator.RSA
    Mac.HmacSHA512
    Provider.id info
    Alg.Alias.KeyStore.PKCS11-NSS-FIPS
    Signature.MD5withRSA
    MessageDigest.SHA-256
    AlgorithmParameters.EC
    Signature.SHA384withRSA
    Alg.Alias.KeyAgreement.DiffieHellman
    Signature.SHA224withDSA
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.26
    Signature.SHA384withRSASSA-PSS
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.22
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.21
    Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1
    Cipher.AES/CBC/PKCS5Padding
    Signature.MD2withRSA
    Signature.RawDSA
    Alg.Alias.Signature.OID.1.2.840.10040.4.3
    Alg.Alias.Cipher.RSA
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.6
    Alg.Alias.KeyGenerator.SunTls12RsaPremasterSecret
    Cipher.AES_192/GCM/NoPadding
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.2
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.1
    KeyFactory.RSA
    Cipher.AES_128/GCM/NoPadding
    Alg.Alias.KeyPairGenerator.OID.1.2.840.10040.4.1
    KeyPairGenerator.DSA
    Alg.Alias.Signature.1.2.840.10040.4.3
    KeyGenerator.SunTlsRsaPremasterSecret
    SecretKeyFactory.DES
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.14
    SecretKeyFactory.ARCFOUR
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.13
    Provider.id name
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.12
    Signature.SHA384withDSA
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.11
    KeyAgreement.ECDH
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.10
    Alg.Alias.Mac.1.2.840.113549.2.9
    Alg.Alias.Mac.1.2.840.113549.2.8
    Alg.Alias.Mac.1.2.840.113549.2.7
    Mac.HmacSHA256
    Alg.Alias.Signature.NONEwithDSA
    KeyAgreement.DH
    Alg.Alias.SecretKeyFactory.OID.2.16.840.1.101.3.4.1
    Alg.Alias.KeyFactory.1.2.840.113549.1.1
    Signature.SHA256withRSASSA-PSS
    KeyFactory.DSA
    Signature.SHA384withECDSA
    Cipher.DES/ECB/NoPadding
    Mac.HmacMD5
    Mac.SslMacMD5
    Cipher.DES/CBC/NoPadding
    MessageDigest.MD5
    Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.4
    Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.3
    Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.2
    KeyFactory.EC
    MessageDigest.MD2
    Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.1
    KeyPairGenerator.EC
    Signature.SHA512withRSA
    MessageDigest.SHA-224
    MessageDigest.SHA-384
    Signature.SHA224withRSASSA-PSS
    Alg.Alias.Cipher.DES
    Signature.SHA512withECDSA
    Alg.Alias.KeyFactory.OID.1.2.840.10040.4.1
    KeyStore.PKCS11
    KeyFactory.DH
    Alg.Alias.Mac.OID.1.2.840.113549.2.9
    Alg.Alias.Mac.OID.1.2.840.113549.2.8
    Alg.Alias.Mac.OID.1.2.840.113549.2.7
    Alg.Alias.Mac.OID.1.2.840.113549.2.11
    Alg.Alias.Mac.OID.1.2.840.113549.2.10
    KeyPairGenerator.DH
    Alg.Alias.MessageDigest.1.3.14.3.2.26
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.46
    Alg.Alias.Signature.1.2.840.10045.4.3.4
    Alg.Alias.Signature.1.2.840.10045.4.3.3
    Alg.Alias.Signature.1.2.840.10045.4.3.2
    Alg.Alias.Signature.1.2.840.10045.4.3.1
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.42
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.41
    Signature.SHA224withECDSA
    Alg.Alias.KeyPairGenerator.1.2.840.10040.4.1
    Cipher.DESede/ECB/PKCS5Padding
    KeyGenerator.AES
    Signature.SHA512withDSA
    Alg.Alias.Cipher.RC4
    KeyGenerator.SunTls12KeyMaterial
    Mac.HmacSHA224
    Alg.Alias.Signature.1.3.14.3.2.29
    Mac.HmacSHA384
    Alg.Alias.Signature.1.3.14.3.2.27
    Provider.id className
    Cipher.AES/ECB/NoPadding
    AlgorithmParameters.GCM
    Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.4
    Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.3
    Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1
    Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.2
    Signature.SHA1withECDSA
    Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.1
    Cipher.AES/CBC/NoPadding
    Cipher.DES/ECB/PKCS5Padding
    KeyGenerator.SunTlsMasterSecret
    KeyGenerator.SunTlsPrf
    Signature.SHA256withRSA
    SecureRandom.PKCS11
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.5
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.4
    KeyGenerator.ARCFOUR
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.2
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.26
    Cipher.AES_256/ECB/NoPadding
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.22
    Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.21
    Alg.Alias.Signature.1.3.14.3.2.13
    Alg.Alias.KeyGenerator.RC4
    Alg.Alias.Signature.SHA1withDSA
    KeyGenerator.SunTls12MasterSecret
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.4
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.3
    Cipher.DESede/CBC/PKCS5Padding
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.2
    Signature.SHA1withRSA
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.1
    Cipher.AES_192/ECB/NoPadding
    KeyGenerator.SunTls12Prf
    Cipher.AES_128/ECB/NoPadding
    Cipher.AES_256/CBC/NoPadding
    Signature.SHA256withDSA
    Alg.Alias.Mac.1.2.840.113549.2.11
    Alg.Alias.Mac.1.2.840.113549.2.10
    MessageDigest.SHA1
    Alg.Alias.MessageDigest.SHA
    Alg.Alias.Signature.1.2.840.113549.1.1.14
    Alg.Alias.Signature.1.2.840.113549.1.1.13
    Alg.Alias.Signature.1.2.840.113549.1.1.12
    Alg.Alias.Signature.1.2.840.113549.1.1.11
    Alg.Alias.Signature.1.2.840.113549.1.1.10
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.6
    Signature.NONEwithECDSA
    Alg.Alias.Signature.2.16.840.1.101.3.4.3.4
    Alg.Alias.Signature.OID.1.2.840.10045.4.1
    Alg.Alias.Signature.2.16.840.1.101.3.4.3.3
    SecretKeyFactory.AES
    Alg.Alias.Signature.2.16.840.1.101.3.4.3.2
    Signature.RSASSA-PSS
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.2
    Alg.Alias.Signature.2.16.840.1.101.3.4.3.1
    Alg.Alias.Cipher.2.16.840.1.101.3.4.1.1
    Cipher.DES/CBC/PKCS5Padding
    Cipher.AES_192/CBC/NoPadding
    Alg.Alias.MessageDigest.OID.1.3.14.3.2.26
    Cipher.AES_128/CBC/NoPadding
    Alg.Alias.AlgorithmParameters.1.2.840.10045.2.1
    Alg.Alias.Signature.1.2.840.10045.4.1
    Alg.Alias.Signature.ECDSA
    Cipher.ARCFOUR
    Alg.Alias.Cipher.DESede
    Alg.Alias.MessageDigest.SHA-1
    Mac.SslMacSHA1
    Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1
    Signature.DSA
    Alg.Alias.KeyPairGenerator.DiffieHellman
    Alg.Alias.Signature.1.2.840.113549.1.1.5
    Cipher.DESede/ECB/NoPadding
    Alg.Alias.Signature.1.2.840.113549.1.1.4
Provider Name: SUN
Provider Version: SUN version 1.8
    CertPathBuilder.PKIX ValidationAlgorithm
    CertStore.Collection
    CertificateFactory.X.509
    CertStore.LDAP LDAPSchema
    Provider.id className
    Provider.id version
    CertPathBuilder.PKIX
    CertStore.com.sun.security.IndexedCollection
    Alg.Alias.CertificateFactory.X509
    CertStore.LDAP
    CertPathValidator.PKIX
    Provider.id name
    Configuration.JavaLoginConfig
    CertPathValidator.PKIX ValidationAlgorithm
    Provider.id info
    Policy.JavaPolicy
Provider Name: SunEC
Provider Version: SunEC version 1.8
    AlgorithmParameters.EC
    KeyAgreement.ECDH SupportedKeyClasses
    Signature.SHA256withECDSA ImplementedIn
    Provider.id name
    Signature.NONEwithECDSA SupportedKeyClasses
    Signature.SHA224withECDSA ImplementedIn
    Signature.SHA1withECDSA
    Alg.Alias.Signature.OID.1.2.840.10045.4.1
    Signature.SHA256withECDSA SupportedKeyClasses
    Signature.SHA224withECDSA SupportedKeyClasses
    KeyPairGenerator.EC KeySize
    KeyFactory.EC ImplementedIn
    Provider.id version
    AlgorithmParameters.EC KeySize
    Signature.NONEwithECDSA
    Signature.SHA512withECDSA ImplementedIn
    Alg.Alias.KeyFactory.EllipticCurve
    Alg.Alias.KeyPairGenerator.EllipticCurve
    Signature.SHA256withECDSA
    Signature.SHA512withECDSA
    Signature.SHA1withECDSA KeySize
    Signature.SHA1withECDSA SupportedKeyClasses
    Signature.SHA384withECDSA SupportedKeyClasses
    Alg.Alias.AlgorithmParameters.EllipticCurve
    Alg.Alias.AlgorithmParameters.1.2.840.10045.2.1
    Alg.Alias.Signature.1.2.840.10045.4.1
    Signature.SHA224withECDSA
    Signature.SHA384withECDSA ImplementedIn
    AlgorithmParameters.EC ImplementedIn
    Provider.id info
    Signature.SHA512withECDSA SupportedKeyClasses
    KeyPairGenerator.EC
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.4
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.3
    KeyAgreement.ECDH
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.2
    Alg.Alias.Signature.1.2.840.10045.4.3.4
    Alg.Alias.Signature.OID.1.2.840.10045.4.3.1
    Signature.SHA384withECDSA
    Alg.Alias.Signature.1.2.840.10045.4.3.3
    Alg.Alias.Signature.1.2.840.10045.4.3.2
    Alg.Alias.Signature.1.2.840.10045.4.3.1
    Signature.SHA1withECDSA ImplementedIn
    Signature.NONEwithECDSA ImplementedIn
    Provider.id className
    AlgorithmParameters.EC SupportedCurves
    KeyPairGenerator.EC ImplementedIn
    KeyAgreement.ECDH ImplementedIn
    KeyFactory.EC
Provider Name: SunJSSE
Provider Version: SunJSSE version 1.8
    Signature.MD5andSHA1withRSA
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.2
    Alg.Alias.KeyManagerFactory.PKIX
    Provider.id name
    KeyManagerFactory.NewSunX509
    Alg.Alias.Signature.OID.1.3.14.3.2.29
    Signature.MD2withRSA
    Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1
    Provider.id version
    KeyManagerFactory.SunX509
    KeyFactory.RSA
    TrustManagerFactory.SunX509
    Alg.Alias.TrustManagerFactory.X.509
    SSLContext.TLSv1.3
    SSLContext.TLSv1.2
    SSLContext.TLSv1.1
    Signature.MD5withRSA
    Alg.Alias.SSLContext.SSLv3
    Alg.Alias.SSLContext.SSL
    KeyStore.PKCS12
    Alg.Alias.TrustManagerFactory.SunPKIX
    Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1
    SSLContext.Default
    Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1
    Provider.id info
    Signature.SHA1withRSA
    TrustManagerFactory.PKIX
    SSLContext.TLS
    SSLContext.TLSv1
    Alg.Alias.Signature.1.3.14.3.2.29
    Alg.Alias.Signature.1.2.840.113549.1.1.5
    Alg.Alias.TrustManagerFactory.X509
    Provider.id className
    Alg.Alias.Signature.1.2.840.113549.1.1.4
    Alg.Alias.KeyFactory.1.2.840.113549.1.1
    Alg.Alias.Signature.1.2.840.113549.1.1.2
    KeyPairGenerator.RSA
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.5
    Alg.Alias.Signature.OID.1.2.840.113549.1.1.4

FYI @taoliult, @WilburZjh

llxia commented 1 year ago

> how can these be excluded for FIPS?

Permanently exclude test for FIPS. In playlist.xml, add:

        <features>
            <feature>FIPS:nonapplicable</feature>
        </features>

https://github.com/eclipse-openj9/openj9/blob/master/test/docs/OpenJ9TestUserGuide.md#run-tests-against-specific-feature

JasonFengJ9 commented 1 year ago

> As you pasted above, we do enable some algorithms using this provider list in the restricted security mode settings. This does make it difficult to see the complete list and each algorithm's alias names this way. Additionally, some FIPS certified algorithms are dynamically registered by the PKCS11 provider. I have been running the below snippet of code, which prints all the algorithms while running in FIPS mode, to get a more accurate list of FIPS algorithms configured in a given environment:

This produces a quick reference to determine if a NoSuchProviderException or NoSuchAlgorithmException is expected, thanks.
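
An added example, not code from this issue or from the OpenJ9 project: the same provider data can be queried directly to predict whether a `getInstance` call will throw, instead of searching the printed listing by eye. The class name `AlgorithmAvailability`, the helper `findProvider` and the list of requested pairs are constructed for illustration; the check assumes the JCA lookup consults the same provider list that `Security.getProviders()` returns.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

public class AlgorithmAvailability {

    // Returns the first registered provider (in preference order) that offers
    // the given service, or null if none does. Provider.getService() also
    // matches alias names, so an entry listed only as
    // "Alg.Alias.MessageDigest.SHA-1" is found when asking for "SHA-1".
    static Provider findProvider(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: service type / algorithm pairs a test might request.
        String[][] wanted = {
            {"SecureRandom", "SHA1PRNG"},
            {"SecureRandom", "PKCS11"},
            {"MessageDigest", "SHA-1"},
            {"Signature", "SHA256withECDSA"},
        };
        for (String[] w : wanted) {
            Provider p = findProvider(w[0], w[1]);
            System.out.printf("%-14s %-16s %s%n", w[0], w[1],
                    p == null ? "not available (NoSuchAlgorithmException expected)"
                              : "provided by " + p.getName());
        }

        // Cross-check the prediction against the real JCA lookup for the
        // algorithm that failed in this issue.
        try {
            SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
            System.out.println("SHA1PRNG resolved to " + sr.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("getInstance failed as predicted: " + e.getMessage());
        }
    }
}
```

Run it once with and once without `-Dsemeru.fips=true` and compare the two reports; entries that are available only without the flag are the candidates for a FIPS exclusion.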

pshipton commented 1 year ago

@jasonkatonica, as in the past, as appropriate, please have your team open PR(s) to exclude the non-applicable tests.

jasonkatonica commented 1 year ago

Yes, we will continue to work on eliminating tests from being executed as appropriate. I believe that there are numerous tests remaining that need to be excluded and many more to be investigated that are failing when running in FIPS mode.

paritkum commented 1 year ago

Testcase was excluded for FIPS mode in PR 4576