PR 433 follow ups #441

Merged (3 commits) on Mar 13, 2025

@WillChilds-Klein WillChilds-Klein commented Mar 12, 2025

Description of changes:

Notes

This PR contains a few follow-ups to PR #433:

  • Now that AWS-LC has wired up EdDSA keygen failures through the EVP API, clean up a few TODOs
  • Adjust how we set CMake's CFlags due to a minor breakage incurred by our AWS-LC version bump.
  • To allow testing against AWS-LC artifacts that aren't built with BORINGSSL_FIPS_BREAK_TESTS, add a check/assumption in the relevant unit test
  • Enable CPU jitter in AWS-LC when ACCP's FIPS_SELF_TEST_SKIP_ABORT is set and incorporate a runtime check into the health status

Testing

With BORINGSSL_FIPS_BREAK_TESTS enabled in AWS-LC:

$ JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto/ ./gradlew cmake_clean singleTest -DEXPERIMENTAL_FIPS=true -DFIPS_SELF_TEST_SKIP_ABORT=true -DALLOW_FIPS_TEST_BREAK=true -DSINGLE_TEST=com.amazon.corretto.crypto.provider.test.FipsStatusTest
...
 [PASSED]           com.amazon.corretto.crypto.provider.test.FipsStatusTest.givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectException: givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectException()
AWS_LC_fips_failure_callback invoked with message: 'RSA keygen checks failed'
AWS_LC_fips_failure_callback invoked with message: 'RSA keygen checks failed'
AWS_LC_fips_failure_callback invoked with message: 'EC keygen checks failed'
AWS_LC_fips_failure_callback invoked with message: 'Ed25519 keygen PCT failed'
AWS_LC_fips_failure_callback invoked with message: 'ML-DSA keygen PCT failed'
AWS_LC_fips_failure_callback invoked with message: 'ML-DSA self tests failed'
AWS_LC_fips_failure_callback invoked with message: 'ML-DSA keygen PCT failed'
 [PASSED]           com.amazon.corretto.crypto.provider.test.FipsStatusTest.testPwctBreakageSkipAbort: testPwctBreakageSkipAbort()
...
Test run finished after 1221 ms
[         3 containers found      ]
[         0 containers skipped    ]
[         3 containers started    ]
[         0 containers aborted    ]
[         3 containers successful ]
[         0 containers failed     ]
[         2 tests found           ]
[         0 tests skipped         ]
[         2 tests started         ]
[         0 tests aborted         ]
[         2 tests successful      ]
[         0 tests failed          ]
...
BUILD SUCCESSFUL in 39s

With BORINGSSL_FIPS_BREAK_TESTS disabled in AWS-LC:

$ JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto/ ./gradlew cmake_clean singleTest -DEXPERIMENTAL_FIPS=true -DFIPS_SELF_TEST_SKIP_ABORT=true -DALLOW_FIPS_TEST_BREAK=false -DSINGLE_TEST=com.amazon.corretto.crypto.provider.test.FipsStatusTest
...
 [PASSED]           com.amazon.corretto.crypto.provider.test.FipsStatusTest.givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectException: givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectException()
 [FALSE_ASSUMPTION] com.amazon.corretto.crypto.provider.test.FipsStatusTest.testPwctBreakageSkipAbort: testPwctBreakageSkipAbort()org.opentest4j.TestAbortedException: Assumption failed: assumption is not true
 ...
Test run finished after 1051 ms
[         3 containers found      ]
[         0 containers skipped    ]
[         3 containers started    ]
[         0 containers aborted    ]
[         3 containers successful ]
[         0 containers failed     ]
[         2 tests found           ]
[         0 tests skipped         ]
[         2 tests started         ]
[         1 tests aborted         ]
[         1 tests successful      ]
[         0 tests failed          ]
...
BUILD SUCCESSFUL in 3m 7s

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@WillChilds-Klein WillChilds-Klein changed the title from "FipsStatusTest handles AWS-LC built without FIPS_BREAK_TEST" to "PR 433 follow ups" on Mar 12, 2025
@WillChilds-Klein WillChilds-Klein marked this pull request as ready for review March 12, 2025 20:50
@WillChilds-Klein WillChilds-Klein requested a review from a team as a code owner March 12, 2025 20:50
@WillChilds-Klein WillChilds-Klein merged commit b5603dd into corretto:main Mar 13, 2025
11 checks passed
@WillChilds-Klein WillChilds-Klein deleted the skip-abort-followup branch March 13, 2025 17:16