PR 438 follow ups #440

Merged
merged 4 commits into from
Mar 11, 2025
Original file line number Diff line number Diff line change
@@ -663,11 +663,11 @@ public boolean isFipsStatusOk() {
}
if (getSelfTestStatus() == SelfTestStatus.NOT_RUN) {
// If FIPS self tests haven't completed, give them a 5s timeout to complete.
final long timeout = 5 * 1000;
final long timeout = 3 * 1000;
final long deadline = System.currentTimeMillis() + timeout;
while (getSelfTestStatus() == SelfTestStatus.NOT_RUN) {
try {
Thread.sleep(10);
Thread.sleep(1);
} catch (Exception e) {
throw new RuntimeCryptoException(e);
}
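Review bot: The comment above the timeout still says the self tests get a 5s timeout, while the value that appears to be the new one is `3 * 1000` (the page prints both lines without +/- markers, so this assumes the second line of each pair is the new side); the comment should read `// If FIPS self tests haven't completed, give them a 3s timeout to complete.`. The wait loop catches `Exception` around `Thread.sleep`, so an `InterruptedException` is wrapped in `RuntimeCryptoException` without restoring the interrupt flag; calling `Thread.currentThread().interrupt();` before the throw would preserve it. The deadline is derived from `System.currentTimeMillis()`, which moves with wall-clock adjustments, so `System.nanoTime()` would be a safer base for a bounded wait on FIPS self-test status. The rest of `isFipsStatusOk` lies outside the hunk, so what is returned once the deadline passes with the status still `NOT_RUN` cannot be checked from here.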
Original file line number Diff line number Diff line change
@@ -86,17 +86,10 @@ public static void setupParameters() throws Exception {
}

for (String algorithm : ALGORITHMS) {
KeyPairGenerator kpg;
if (algorithm.startsWith("ML-DSA")
|| (algorithm.startsWith("Ed") && TestUtil.getJavaVersion() < 15)) {
// JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
// serializes ML-DSA private keys via seeds.
// TODO: switch to BouncyCastle once BC supports CHOICE-encoded private keys
// Similarly, JDK doesn't support EdDSA/Ed25519 until JDK15
kpg = KeyPairGenerator.getInstance(algorithm, NATIVE_PROVIDER);
} else {
kpg = KeyPairGenerator.getInstance(algorithm);
}
KeyPairGenerator kpg =
getAlternateProvider(algorithm) == null
? KeyPairGenerator.getInstance(algorithm)
: KeyPairGenerator.getInstance(algorithm, getAlternateProvider(algorithm));
List<Arguments> keys = new ArrayList<>();
if (algorithm.equals("EC")) {
// Different curves can excercise different areas of ASN.1/DER and so should all be tested.
@@ -236,17 +229,10 @@ public void testX509Encoding(final KeyPair keyPair, final String testName) throw
final String algorithm = pubKey.getAlgorithm();

final KeyFactory nativeFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
final KeyFactory jceFactory;
if (algorithm.startsWith("ML-DSA")
|| (algorithm.startsWith("Ed") && TestUtil.getJavaVersion() < 15)) {
// JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
// serializes ML-DSA private keys via seeds.
// TODO: switch to BouncyCastle once BC supports CHOICE-encoded private keys
// Similarly, JDK doesn't support EdDSA/Ed25519 until JDK15
jceFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
} else {
jceFactory = KeyFactory.getInstance(algorithm);
}
final KeyFactory jceFactory =
getAlternateProvider(algorithm) == null
? KeyFactory.getInstance(algorithm)
: KeyFactory.getInstance(algorithm, getAlternateProvider(algorithm));

final X509EncodedKeySpec nativeSpec =
nativeFactory.getKeySpec(pubKey, X509EncodedKeySpec.class);
@@ -315,17 +301,10 @@ public void testPKCS8Encoding(final KeyPair keyPair, final String testName) thro
final String algorithm = privKey.getAlgorithm();

final KeyFactory nativeFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
final KeyFactory jceFactory;
if (algorithm.startsWith("ML-DSA")
|| (algorithm.startsWith("Ed") && TestUtil.getJavaVersion() < 15)) {
// JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
// serializes ML-DSA private keys via seeds.
// TODO: switch to BouncyCastle once BC supports CHOICE-encoded private keys
// Similarly, JDK doesn't support EdDSA/Ed25519 until JDK15
jceFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
} else {
jceFactory = KeyFactory.getInstance(algorithm);
}
final KeyFactory jceFactory =
getAlternateProvider(algorithm) == null
? KeyFactory.getInstance(algorithm)
: KeyFactory.getInstance(algorithm, getAlternateProvider(algorithm));

final PKCS8EncodedKeySpec nativeSpec =
nativeFactory.getKeySpec(privKey, PKCS8EncodedKeySpec.class);
@@ -740,6 +719,25 @@ private static class Samples<T> {
}
}

// This method is used to determine whether tests should use an alternate provider for a given
// algorithm. In cases where JCE doesn't support the requested algorithm, the alternate provider
// will be returned. In cases where JCE does support the requested algorithm, null will be
// returned.
private static Provider getAlternateProvider(String algorithm) {
// JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently serializes ML-DSA private
// keys via seeds.
// TODO: switch to BouncyCastle once BC supports CHOICE-encoded private keys
if (algorithm.startsWith("ML-DSA")
// Similarly, JDK doesn't support EdDSA/Ed25519 until JDK15
|| ((algorithm.equals("Ed25519")
|| algorithm.equals("Ed25519ph")
|| algorithm.equals("EdDSA"))
&& TestUtil.getJavaVersion() < 15)) {
return NATIVE_PROVIDER;
}
return null;
}

public static class NullDataKey implements Key {
private static final long serialVersionUID = 1;
private final Key delegate;
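Review bot: Whenever `getAlternateProvider` returns non-null it returns `NATIVE_PROVIDER`, so in `testX509Encoding` and `testPKCS8Encoding` the factory named `jceFactory` is the same provider as `nativeFactory`. Any encoding comparison that follows (it is outside the hunks) then checks the native provider against itself for ML-DSA, and for Ed25519/Ed25519ph/EdDSA on JDK < 15. The helper's comment should say so explicitly, e.g. `// NOTE: when this returns NATIVE_PROVIDER the "JCE" side is the provider under test, so the comparison is not independent.`, so that a passing run is not read as cross-provider validation of key encodings. Each call site also invokes the helper twice inside the ternary; `final Provider alt = getAlternateProvider(algorithm);` followed by `alt == null ? KeyFactory.getInstance(algorithm) : KeyFactory.getInstance(algorithm, alt)` avoids the repeated call and reads more clearly. The bodies of `setupParameters`, `testX509Encoding` and `testPKCS8Encoding` continue outside the hunks shown.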