Open
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds Spring Boot SSL test infrastructure for wolfJSSE FIPS mode. It creates a Docker-based test environment that patches Spring Boot 3.4.1 to work with wolfJSSE in FIPS mode, handling FIPS-specific requirements such as WKS keystore format, FIPS-compliant passwords (minimum 14 characters), and CA-signed certificates. The tests require wolfssljni PR #310 to pass, and many tests are skipped due to FIPS restrictions on certain cryptographic algorithms like DSA, EdDSA, and PBES2.
Changes:
- Added build script for creating Spring Boot test Docker images with wolfJSSE FIPS support
- Implemented comprehensive patching script to modify Spring Boot source code for FIPS compliance
- Created multi-stage Dockerfile with test orchestration and WKS keystore generation utilities
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| build.sh | Shell script to build the Spring Boot test Docker image with command-line options for customization |
| apply_spring_fips_fixes.sh | Comprehensive bash script that patches Spring Boot source code to support wolfJSSE FIPS requirements |
| Dockerfile | Multi-stage Docker build that clones Spring Boot, applies patches, and sets up test environment with proper keystores |
| README.md | Repository documentation (currently duplicates root README) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
Outdated
Show resolved
Hide resolved
JeremiahM37
force-pushed
the
spring-boot-tests
branch
2 times, most recently
from
fa07559 to
7b87e1f
Compare
cconlon
requested changes
Feb 11, 2026
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Show resolved
Hide resolved
java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/apply_spring_fips_fixes.sh
Outdated
Show resolved
Hide resolved
JeremiahM37
added a commit
to JeremiahM37/wolfssl-containers
that referenced
this pull request
Feb 17, 2026
…reload - Re-enable SslInfoTests (all 6 tests): use faketime+openssl to generate self-signed certs with exact validity dates, WksUtil to create WKS keystores, and sed/perl to patch test assertions for WKS structure - Re-enable shouldUpdateSslWhenReloadingSslBundles: replace ED25519 certs with RSA, fix PemSslStoreBundle null password and getKeyStorePassword - Fix password replacement to catch =pwd" property format (fixes Cassandra, MongoReactive, RabbitMQ SSL bundle tests) - Add CA cert extensions (basicConstraints, keyUsage) per review feedback - Replace python3 patching with sed/perl (removes python3 dependency) - Add detailed root cause comments for all disabled tests - Improve Section 9 Netty/InsecureTrustManagerFactory documentation Test results: 392 tests, 277 passed, 0 failed, 115 skipped Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
JeremiahM37
force-pushed
the
spring-boot-tests
branch
2 times, most recently
from
f4572fc to
75a585e
Compare
JeremiahM37
force-pushed
the
spring-boot-tests
branch
from
75a585e to
98cb4be
Compare
JeremiahM37
added a commit
to JeremiahM37/wolfssl-containers
that referenced
this pull request
Feb 26, 2026
…reload - Re-enable SslInfoTests (all 6 tests): use faketime+openssl to generate self-signed certs with exact validity dates, WksUtil to create WKS keystores, and sed/perl to patch test assertions for WKS structure - Re-enable shouldUpdateSslWhenReloadingSslBundles: replace ED25519 certs with RSA, fix PemSslStoreBundle null password and getKeyStorePassword - Fix password replacement to catch =pwd" property format (fixes Cassandra, MongoReactive, RabbitMQ SSL bundle tests) - Add CA cert extensions (basicConstraints, keyUsage) per review feedback - Replace python3 patching with sed/perl (removes python3 dependency) - Add detailed root cause comments for all disabled tests - Improve Section 9 Netty/InsecureTrustManagerFactory documentation Test results: 392 tests, 277 passed, 0 failed, 115 skipped
cconlon
requested changes
Mar 6, 2026
| fi | ||
| done | ||
| } | ||
|
|
| fi | ||
| disable_test_method "${BOOT_TEST}/ssl/pem/PemSslStoreBundleTests.java" \ | ||
| "createWithDetailsWhenHasKeyStoreDetailsCertAndEncryptedKey" "wolfJCE FIPS: PBES2 encrypted key" | ||
| # RE-ENABLED after WKS/FIPS password patch: |
Member
There was a problem hiding this comment.
Comments about tests re-enabled are not needed
| # used ED25519 certs (not FIPS-approved). The Dockerfile now replaces 1.crt/1.key | ||
| # and 2.crt/2.key with RSA equivalents. The test also uses TrustAllStrategy on the | ||
| # client side (Apache HttpClient), which works with wolfJSSE for Tomcat tests. | ||
| # RE-ENABLED - ED25519 certs replaced with RSA in Dockerfile. |
Member
There was a problem hiding this comment.
This comment can be reworded to just state the current facts, not referencing previous state of review.
| # 1. Replaces PEM files with CA-signed versions (Dockerfile) | ||
| # 2. Patches TrustSelfSignedStrategy -> TrustAllStrategy (Section 8) | ||
| # 3. Converts client keystores from PKCS12 to WKS (Sections 3-4) | ||
| # RE-ENABLED - the "inline PEM" label was incorrect; all PEM data is from files. |
Member
There was a problem hiding this comment.
We can remove "RE-ENABED". Future engineers won't know what the previous behavior was, or history around it.
| # and verify their structure. No TLS connections are made. Previously disabled for | ||
| # HMAC password length errors, but Section 1 (password replacement) and Section 2 | ||
| # (null password handling) should now handle the WKS password requirements. | ||
| # RE-ENABLED - password handling fixes should resolve WKS keystore creation. |
Member
There was a problem hiding this comment.
Same here, don't need RE-ENABLED wording
| sed -i 's/isEqualTo("secret2")/isEqualTo("'"${FIPS_PASSWORD}"'")/g' "$SSL_AUTO_TESTS" | ||
| echo " Fixed type and password assertions in SslAutoConfigurationTests.java" | ||
| fi | ||
| # RE-ENABLED: sslBundlesCreatedWithCertificates and sslBundlesCreatedWithCustomSslBundle |
Member
There was a problem hiding this comment.
Same here, don't need RE-ENABLED wording
| disable_test_method "${AUTOCONFIG_TEST}/ssl/SslPropertiesBundleRegistrarTests.java" \ | ||
| "shouldUseResourceLoader" "FIPS: JKS requires SUN provider" | ||
|
|
||
| # Cassandra, MongoReactive, and RabbitMQ enableSslWithBundle tests |
Member
There was a problem hiding this comment.
Looks like we can get rid of this comment block
| "shouldUseSslWhenRocketServerSslIsConfigured" \ | ||
| "wolfJSSE FIPS: JKS test resource not converted to WKS" | ||
|
|
||
| # MongoDB non-reactive configuresSslWithBundle: RE-ENABLED |
Member
There was a problem hiding this comment.
Looks like we can get rid of this comment block
|
|
||
| | Error Code | Name | Meaning | | ||
| |------------|------|---------| | ||
| | -313 | FATAL_ERROR | Certificate validation failed at native wolfSSL level | |
Member
There was a problem hiding this comment.
Native wolfSSL -313 is a "recvd alert fatal error", which may happen for a variety of reasons. Pinning that to cert validation logic here seems potentially misleading.
Author
There was a problem hiding this comment.
Removed this file, the comments in the patch script explain what is disabled and why so this is redundant and outdated.
| @@ -0,0 +1,528 @@ | |||
| ================================================================================ | |||
| PR #7 Review Comment Status - wolfSSL/wolfssl-containers | |||
Member
There was a problem hiding this comment.
This file should not be part of this PR.
JeremiahM37
force-pushed
the
spring-boot-tests
branch
from
98cb4be to
9cbbd79
Compare
JeremiahM37
force-pushed
the
spring-boot-tests
branch
from
9cbbd79 to
846c29c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Added springboot test image for wolfjsse FIPS
Requires wolfSSL/wolfssljni#310 to be merged for the tests to pass which I'm still cleaning up a bit and should be done soon.
All tests that are skipped are due to fips restrictions as every single test passes with non-fips.