Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update SunJSSE fully qualified name for test cases #854

Merged
merged 1 commit into from
Dec 17, 2024

Conversation

taoliult
Copy link
Contributor

@taoliult taoliult commented Dec 6, 2024

In JDK11, the fully qualified name for SunJSSE provider is com.sun.net.ssl.internal.ssl.Provider. Update this for all the restricted security mode test cases. This update only applies to JDK11.

In JDK11, the fully qualified name for SunJSSE provider is
com.sun.net.ssl.internal.ssl.Provider. Update this for all
the restricted security mode test cases.

Signed-off-by: Tao Liu <[email protected]>
@taoliult taoliult marked this pull request as ready for review December 9, 2024 18:44
@keithc-ca keithc-ca self-requested a review December 9, 2024 20:48
@@ -36,7 +36,7 @@ RestrictedSecurity.TestBase.Version.jce.certpath.disabledAlgorithms =
RestrictedSecurity.TestBase.Version.jce.legacyAlgorithms =
RestrictedSecurity.TestBase.Version.jce.provider.1 = sun.security.provider.Sun
RestrictedSecurity.TestBase.Version.jce.provider.2 = com.sun.crypto.provider.SunJCE
RestrictedSecurity.TestBase.Version.jce.provider.3 = sun.security.ssl.SunJSSE
RestrictedSecurity.TestBase.Version.jce.provider.3 = com.sun.net.ssl.internal.ssl.Provider
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't a change to RestrictedSecurity.TestBase.Version.desc.hash required because of this update?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the TestProperties.java file, all profiles except for Test-Profile-SameStartWithoutVersion are designed to test error messages. In these profiles, the error message is returned before the hash value is checked, so the hash value is not used.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be helpful to have comments to that effect directly in the property files and perhaps specify hashes of all zeros if they are not meaningful.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or they could say something like this:

RestrictedSecurity.Test-Profile.Base.desc.hash = SHA256:not-checked

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we don’t use these hash values, I think it’s fine to just leave them as they are. However, if we do want to make them more readable, like changing them to "SHA256:not-checked", I can update this by creating another PR. For two reasons:

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deferring to a separate pull request is fine, but please create an issue to track that work and the suggestions in ibmruntimes/openj9-openjdk-jdk8#784.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create an issue in a public repository, perhaps at https://github.com/eclipse-openj9/openj9/issues.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -50,7 +50,7 @@ RestrictedSecurity.TestBase.Version-Extended.tls.disabledAlgorithms =
RestrictedSecurity.TestBase.Version-Extended.jce.provider.1 = sun.security.provider.Sun
RestrictedSecurity.TestBase.Version-Extended.jce.provider.2 = sun.security.rsa.SunRsaSign
RestrictedSecurity.TestBase.Version-Extended.jce.provider.3 = sun.security.ec.SunEC
RestrictedSecurity.TestBase.Version-Extended.jce.provider.4 = sun.security.ssl.SunJSSE
RestrictedSecurity.TestBase.Version-Extended.jce.provider.4 = com.sun.net.ssl.internal.ssl.Provider
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, shouldn't RestrictedSecurity.Test-Profile.Base.desc.hash also need to change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, in the TestProperties.java file, all profiles except for Test-Profile-SameStartWithoutVersion are designed to test error messages. In these profiles, the error message is returned before the hash value is checked, so the hash value is not used.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the .hash property should make that clear, for example:

RestrictedSecurity.TestBase.Version.desc.hash = irrelevant

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed within the team, we think that updating the value of .hash is unnecessary. Some test cases are designed for testing the error messages, so some properties in those test case profiles may not be used and checked, we keep them in the profile to maintain the integrity of the profile. The values of those properties do not actually matter, we just simply assign default values to them.

We can continue discussing this in the issue: eclipse-openj9/openj9#20815

@taoliult
Copy link
Contributor Author

@pshipton Could you help to approve this since Keith is on vacation?

@pshipton
Copy link
Member

Does this fix any existing OpenJ9 issues?
I assume you want the change in the 0.49 release?

@pshipton pshipton dismissed keithc-ca’s stale review December 16, 2024 22:09

Comments addressed.

@taoliult
Copy link
Contributor Author

Does this fix any existing OpenJ9 issues? I assume you want the change in the 0.49 release?

It updates the restricted security mode test cases for JDK 11 to correct the fully qualified name of the SunJSSE provider. This change is not a must for the current 0.49 release, it can be included in the next release if it doesn't make it for 0.49.

@pshipton
Copy link
Member

It updates the restricted security mode test cases for JDK 11 to correct the fully qualified name of the SunJSSE provider.

I understand, but are there any issues opened at https://github.com/eclipse-openj9/openj9/issues that describe the failure and will be closed by merging this?

@pshipton
Copy link
Member

@jasonkatonica maybe you can help with my question. Was the failure exposed by the triage of the jdk11 M2 builds?

@jasonkatonica
Copy link
Contributor

Hi Peter,

In terms of the comment #854 (comment) I don't believe that this update is necessary. This is a cosmetic update to make it clear that the hash is not used ( lots of configuration is not used in the tests ).

This update in general is not required for the M2 builds / .49. We do not currently run these tests as part of our automatons that I am aware of for this release.

@pshipton
Copy link
Member

It will likely end up in 0.49 just for convenience. It would be harder to keep it out.

@pshipton pshipton merged commit 7e3895a into ibmruntimes:openj9 Dec 17, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants