
test: [Connectivity] Fips profile for BC provider#1187

Merged
rpanackal merged 12 commits into fips-keystore-change from fips-compatibility
Jun 9, 2026


@rpanackal

Member

Context

Builds on top of the FIPS keystore fix PR. Adds a CI test profile that validates the PKCS12 fix works in a simulated FIPS environment using Bouncy Castle FIPS in approved_only mode.

This change adds the fips-approved Maven profile and the FipsProviderTest regression guard. It does not change any production code — all production changes are in the base PR.

Feature scope:

  • Add fips-approved Maven profile to root pom.xml
    • Sets -Dorg.bouncycastle.fips.approved_only=true in test JVM args
    • Filters Surefire to run only @Tag("fips-approved") tests
  • Add fips-approved profile to connectivity-apache-httpclient4/pom.xml
    • Excludes non-FIPS Bouncy Castle (bcprov-jdk18on, bcpkix-jdk18on)
    • Adds BC FIPS artifacts (bc-fips:2.1.2, bcpkix-fips:2.1.9) as test-scope dependencies
    • Replicates the dependency swap users must perform in their own applications
  • Add FipsProviderTest regression test
    • Registers BouncyCastleFipsProvider in @BeforeAll, removes it in @AfterAll (self-contained)
    • Asserts KeyStoreReader.createKeyStore() produces a PKCS12 keystore

Run the test:

mvn test -P fips-approved -pl cloudplatform/connectivity-apache-httpclient4 -am
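
For readers applying the same dependency swap in their own build, a sketch of such a profile follows. It is an added example, not the PR's pom.xml: it merges the root and module settings described above into one profile, and the `com.example:library-pulling-in-bouncycastle` coordinates are a hypothetical placeholder for whichever dependency brings in the non-FIPS Bouncy Castle jars.

```xml
<!-- Added sketch, not the project's pom.xml. Profile id, system property,
     tag name and BC FIPS versions are taken from the PR description. -->
<profile>
  <id>fips-approved</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
        <configuration>
          <!-- Starts the BC FIPS module in approved-only mode for the test JVM.
               Note: this replaces any argLine configured elsewhere for Surefire. -->
          <argLine>-Dorg.bouncycastle.fips.approved_only=true</argLine>
          <!-- Run only tests annotated with @Tag("fips-approved") -->
          <groups>fips-approved</groups>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <!-- Hypothetical placeholder: redeclare the dependency that pulls in the
         non-FIPS jars so both providers never share the test classpath. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>library-pulling-in-bouncycastle</artifactId>
      <version>0.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk18on</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcpkix-jdk18on</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bc-fips</artifactId>
      <version>2.1.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-fips</artifactId>
      <version>2.1.9</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</profile>
```

Running `mvn dependency:tree -P fips-approved` afterwards confirms that neither `bcprov-jdk18on` nor `bcpkix-jdk18on` remains on the resolved classpath.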

rpanackal added 9 commits May 20, 2026 14:19
Assumptions
- Only changes memory representation of key.
- Key never serialized and directly passed to SSLContextBuilder.loadKeyMaterial which accepts any.
- Only change internal representation and directly forwarded to apache SSLContextBuilder
@rpanackal rpanackal changed the title from "test: [Connectivity] Fips profile for BCFIPS addition" to "test: [Connectivity] Fips profile for BC provider" Jun 2, 2026

Member Author


This file lives outside regular test root to avoid being scanned for test-compile in default profile

@rpanackal rpanackal changed the base branch from main to fips-keystore-change June 3, 2026 10:24
@rpanackal rpanackal self-assigned this Jun 3, 2026
@rpanackal rpanackal added the do not merge Pull request must not be merged label Jun 5, 2026
@rpanackal rpanackal mentioned this pull request Jun 5, 2026
10 tasks
@rpanackal rpanackal marked this pull request as draft June 8, 2026 14:12
@rpanackal rpanackal merged commit 72a1d73 into fips-keystore-change Jun 9, 2026
13 checks passed
@rpanackal rpanackal deleted the fips-compatibility branch June 9, 2026 09:27