ibmruntimes / openj9-openjdk-jdk11

Extensions for OpenJDK 11 for Eclipse OpenJ9
GNU General Public License v2.0

Remove the 192-bit EC test case #779

Closed JinhangZhang closed 5 months ago

JinhangZhang commented 6 months ago

This patch eliminates the 192-bit EC test which causes exceptions seen in issue #18320.

The DefaultSignatureAlgorithm test was run on those Red Hat OS based machines in non-FIPS mode, but with a FIPS version of OpenSSL. So, a 192-bit size for the EC key-pair generator is not allowed by the native code in a FIPS version of OpenSSL. The code path went to a replacement EC key-pair generator Java implementation.

issue: https://github.com/eclipse-openj9/openj9/issues/18320
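
Added example, not part of the original comment or the project's code: a probe that reports which EC key sizes the runtime's `KeyPairGenerator` accepts and which provider answered, useful when triaging a size-specific failure like the 192-bit one described above. The class name `EcKeySizeProbe` and the list of sizes other than 192 are assumptions.

```java
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.interfaces.ECPublicKey;
import java.util.LinkedHashMap;
import java.util.Map;

public class EcKeySizeProbe {
    // 192 is the size discussed in this thread; the other sizes are assumptions.
    static final int[] SIZES = {192, 256, 384, 521};

    /** Returns size -> outcome: "ok ..." or the exception that rejected the size. */
    static Map<Integer, String> probe() throws NoSuchAlgorithmException {
        Map<Integer, String> results = new LinkedHashMap<>();
        for (int size : SIZES) {
            // Fresh generator per size so one failure cannot affect the next probe.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            String provider = kpg.getProvider().getName();
            try {
                kpg.initialize(size);               // a provider may reject the size here
                KeyPair kp = kpg.generateKeyPair(); // or only when the key is generated
                int bits = ((ECPublicKey) kp.getPublic())
                        .getParams().getOrder().bitLength();
                results.put(size, "ok (" + provider + ", group order " + bits + " bits)");
            } catch (InvalidParameterException | ProviderException e) {
                // Record the failure instead of aborting, so every size is reported.
                results.put(size, "rejected by " + provider + ": " + e);
            }
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version"));
        probe().forEach((size, outcome) -> System.out.println(size + " -> " + outcome));
    }
}
```

Running it on the failing machine and on a host with a non-FIPS OpenSSL, using the same JDK build, shows whether the difference is confined to one key size.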

JinhangZhang commented 6 months ago

@jasonkatonica @pshipton FYI

pshipton commented 6 months ago

If you are referring to an issue pls provide a link not just a number. This should be added to the head stream (openj9-openjdk-jdk) first and then backported. If it doesn't apply to newer versions, pls explain.

JinhangZhang commented 6 months ago

> If you are referring to an issue pls provide a link not just a number. This should be added to the head stream (openj9-openjdk-jdk) first and then backported. If it doesn't apply to newer versions, pls explain.

@pshipton This only happens on 11. Case 18320 failed on this line of code. The size of 192 is not supported by a FIPS version of OpenSSL. This 192 size of EC key is not declared in other versions such as 17, 21 and next. For 11, the native code path will not be used; instead, Java code will be used.

keithc-ca commented 6 months ago

Perhaps it makes more sense to just remove the 192-bit test from DefaultSignatureAlgorithm (or at least in FIPS mode)?

JinhangZhang commented 6 months ago

> Perhaps it makes more sense to just remove the 192-bit test from DefaultSignatureAlgorithm (or at least in FIPS mode)?

Removing the 192-bit test to align with other versions makes sense to me.

JinhangZhang commented 6 months ago

Removed 192-bit test

pshipton commented 6 months ago

Isn't that just leaving the problem to be found by a customer?

keithc-ca commented 6 months ago

It's not clear that is the result: The failing test involves a replacement key-pair generator, not the one customers would be using.

keithc-ca commented 6 months ago

Please update the commit message and the description here to more accurately describe this change.

JinhangZhang commented 5 months ago

> Please update the commit message and the description here to more accurately describe this change.

updated

keithc-ca commented 5 months ago

> > Please update the commit message and the description here to more accurately describe this change.
>
> updated

This doesn't "implement" anything as the commit message and description say; instead it removes testing of a specific EC key size. Perhaps the summary should be (paraphrasing the last line and editing for grammar):

Remove test of 192-bit EC for consistency with other JDK versions

JinhangZhang commented 5 months ago

> > > Please update the commit message and the description here to more accurately describe this change.
> >
> > updated
>
> This doesn't "implement" anything as the commit message and description say; instead it removes testing of a specific EC key size. Perhaps the summary should be (paraphrasing the last line and editing for grammar):
>
> Remove test of 192-bit EC for consistency with other JDK versions

Updated

keithc-ca commented 5 months ago

Jenkins compile plinux jdk11

keithc-ca commented 5 months ago

All plinux build systems are offline.

keithc-ca commented 5 months ago

Jenkins compile zlinux jdk11