BouncyCastle FIPS/JSSE test does not work in native image #14139
Comments
We see this failure:

You can use

Hi @galderz This is what I've got after tracing one of the problems,

It is similar to the BC FIPS case - but there it was originating at the method level so it was just stubbed

@zakkak Hi - for this specific issue I can remove the native test for now so that your builds are not affected - as I only kept that test for me to experiment locally - as @galderz spotted earlier this test is not in CI anyway.

No, there is no need for that, we can skip them on our end! (cc @Karm )

I'm progressing - the current problem is:
If I try to runtime-reinitialize

This comment is of some concern - would it explain the error above?

Yes. Since

@zakkak thanks; FYI, I'm getting it with this PR, #16105, when running

@zakkak FYI, the error I'm getting on
@sberyozkin the following gets me past the above issue:

diff --git a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/graal/BouncyCastleSubstitutions.java b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/graal/BouncyCastleSubstitutions.java
index c22895906b..fbbc119975 100644
--- a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/graal/BouncyCastleSubstitutions.java
+++ b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/graal/BouncyCastleSubstitutions.java
@@ -1,10 +1,14 @@
package io.quarkus.security.runtime.graal;
+import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Set;
import java.util.function.BooleanSupplier;
import java.util.stream.Collectors;
+import com.oracle.svm.core.annotate.Alias;
+import com.oracle.svm.core.annotate.RecomputeFieldValue;
+
final class BouncyCastlePackages {
static final String ORG_BOUNCYCASTLE_CRYPTO_PACKAGE = "org.bouncycastle.crypto";
static final String ORG_BOUNCYCASTLE_CRYPTO_FIPS_PACKAGE = "org.bouncycastle.crypto.fips";
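Review bot: style point on the new imports: `Alias` and `RecomputeFieldValue` are imported here, but `TargetClass` is still written fully qualified in the same file (`@com.oracle.svm.core.annotate.TargetClass(...)` in the next hunk), so either add `import com.oracle.svm.core.annotate.TargetClass;` alongside these two or keep all three fully qualified for consistency.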
@@ -86,6 +90,17 @@ final class Target_org_bouncycastle_crypto_internal_AsymmetricCipherKeyPair {
final class Target_org_bouncycastle_crypto_fips_RsaBlindedEngine {
}
+@com.oracle.svm.core.annotate.TargetClass(className = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider", onlyWith = BouncyCastleCryptoFips.class)
+final class Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider {
+ @Alias //
+ @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
+ private SecureRandom entropySource;
+
+ @Alias //
+ @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
+ private SecureRandom providerDefaultRandom;
+}
+
class BouncyCastleCryptoFips implements BooleanSupplier {
@Override
public boolean getAsBoolean() { But it looks like the JUNIT tests are not native-image friendly. I am now getting:
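Review bot: `Kind.Reset` stores null for `entropySource` and `providerDefaultRandom` in the image heap and nothing re-initializes them at run time, so this substitution is only safe if `BouncyCastleFipsProvider` lazily creates both on first use; please confirm that code path (or cover it with a native test) before relying on it, otherwise the first caller gets a NullPointerException instead of the build-time `SecureRandom`. A one-line comment on `Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider` stating why the fields are reset (a `SecureRandom` captured at build time must not be baked into every instance of the image) would also help the next reader.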
@zakkak Great, how does that work, is that essentially Re Thanks

Sorry, I did not scroll :-), see you've taken care of it, thanks

Kind of, it essentially instructs GraalVM to initialize this field to a specific value different from the one it had during compilation. In that particular case I am resetting the field so its value will be null in the native image heap. Note that the value is calculated and stored during build time so there is no (re)initialization at run time in contrast to
I tried that and now it results in:
So you probably need to add BCFKS as well :)
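The Reset mechanism described in the comment above, as an added example that is not part of this issue or of the Quarkus code base: a hypothetical library class org.example.RandomHolder that captures a SecureRandom in a static field at build time, and the GraalVM substitution that nulls that field in the image heap and recreates it lazily at run time. The class and method names are assumptions; the annotations are the GraalVM ones used in the diffs on this page.

```java
package org.example;

import java.security.SecureRandom;

import com.oracle.svm.core.annotate.Alias;
import com.oracle.svm.core.annotate.RecomputeFieldValue;
import com.oracle.svm.core.annotate.Substitute;
import com.oracle.svm.core.annotate.TargetClass;

// Hypothetical library class (constructed for this example). If RandomHolder
// is initialized at build time, the SecureRandom object, including whatever
// internal state it has already drawn, is written into the image heap, so
// every process started from that binary begins with the same captured RNG
// object instead of one seeded from run-time entropy.
final class RandomHolder {
    private static SecureRandom random = new SecureRandom();

    static SecureRandom random() {
        return random;
    }
}

// Substitution that is only applied when building the native image.
@TargetClass(RandomHolder.class)
final class Target_org_example_RandomHolder {

    // Reset: the field is stored as null in the image heap. Nothing re-runs the
    // static initializer at run time, so every reader of the field must cope
    // with null. (RuntimeReinitializedClassBuildItem is the other option: it
    // re-runs the whole static initializer at run time instead.)
    @Alias //
    @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
    private static SecureRandom random;

    // Lazy re-creation on first use: the reset field is never dereferenced as
    // null, and the RNG is constructed from run-time entropy.
    @Substitute
    static SecureRandom random() {
        SecureRandom r = random;
        if (r == null) {
            synchronized (Target_org_example_RandomHolder.class) {
                if (random == null) {
                    random = new SecureRandom();
                }
                r = random;
            }
        }
        return r;
    }
}
```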
@zakkak Thanks for the explanation, and sure, I will try to update my PR accordingly

👍
In case it helps I have pushed my changes (on top of your branch) in https://github.com/zakkak/quarkus/tree/bc_keypair_ecdsa_xdh-zakkak

Hi @zakkak Here is an extra code I've added:
to get it registered in the feature as well, so alongside your changes it is progressing, now I'm getting a bunch of errors related to
and then, in the same class
We've been able to sub some test methods using static SecureRandom with no-op methods, but I'm not sure what can be done here, can you recommend something? Thanks

By the way,

Actually that is what is causing the issue :) In general the logic to approach issues with
Practically, applying the following on top of your patch:

diff --git a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
index 72061ca374..67e3c7aad7 100644
--- a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
+++ b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
@@ -179,13 +179,6 @@ public class SecurityProcessor {
} else {
reflection.produce(new ReflectiveClassBuildItem(true, true, true, "org.bouncycastle.crypto.general.AES"));
runtimeReInitialized.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.crypto.general.AES"));
- runtimeReInitialized
- .produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.math.ec.custom.sec.SecP521R1Curve"));
- runtimeReInitialized
- .produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.math.ec.custom.sec.SecP384R1Curve"));
- runtimeReInitialized
- .produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.math.ec.custom.sec.SecP256R1Curve"));
- runtimeReInitialized.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.math.ec.ECPoint"));
runtimeReInitialized
.produce(new RuntimeReinitializedClassBuildItem(
"org.bouncycastle.crypto.asymmetric.NamedECDomainParameters")); Makes the test pass on my machine 🎉 (Disclaimer, I didn't check to see if it breaks something else though :) ) |
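Review bot: removing the `RuntimeReinitializedClassBuildItem` for `org.bouncycastle.math.ec.ECPoint` means its `SecureRandom` field (`testRandom`, the one the `Target_org_bouncycastle_math_ec_ECPoint` substitution later in this thread resets) is no longer re-created at run time, so this removal should land together with that `@RecomputeFieldValue(kind = Reset)` substitution rather than on its own; the three `SecP*R1Curve` removals look fine provided those classes hold no random state. Since `org.bouncycastle.crypto.general.AES` keeps its runtime re-initialization on the line just above, a short comment explaining why it still needs it while the curves do not would stop someone re-adding these lines the next time a native build fails.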
Hi @zakkak Great stuff, and thanks for the nice explanation (can't promise I won't ask again for some clarifications though :-) ). At some point in the past adding those lines helped to get past some of the native build issues; I'd not otherwise even be aware of those. I think it is safe to remove them, so I'll clean up my PR later on and this issue will also be resolved. As a side note, if someone did want to use say

No worries :)
In

@com.oracle.svm.core.annotate.TargetClass(className = "org.bouncycastle.math.ec.ECPoint", onlyWith = BouncyCastleCryptoFips.class)
final class Target_org_bouncycastle_math_ec_ECPoint {
    @Alias //
    @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
    private SecureRandom testRandom;
}

Note this is similar to what I did in zakkak@78ec0db for
It actually seems a good idea to add the above in the PR you are preparing :)

Nice, good point; so yeah, I'll get that reset as you recommend; for now I got the test running, it was disabled :-), but now at least it runs and fails with the same one,

@sberyozkin this PR is based on your previous work and is related to this PR quarkus-qe/quarkus-test-suite#638 I think that could be handy.
Describe the bug
integration-tests/bouncycastle-fips-jsse is only running in the JVM mode.

Expected behavior
Both tests pass in the native image