Added test for openJDK in FIPS mode. Fix issue #614

tests/files/JCEProviderInfo.java

@@ -0,0 +1,42 @@
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Provider.Service;
+import java.security.Security;
+
+public class JCEProviderInfo
+{
+    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchProviderException
+    {
+        System.out.printf("JCE Provider Info: %s %s/%s on %s %s%n", System.getProperty("java.vm.name"),
+                          System.getProperty("java.runtime.version"),
+                          System.getProperty("java.vm.version"),
+                          System.getProperty("os.name"),
+                          System.getProperty("os.version"));
+
+        Provider[] ps;
+        if (args.length > 0)
+        {
+            System.out.printf("Searching for JCA Security Providers with filter=\"%s\"%n", args[0]);
+            ps = Security.getProviders(args[0]);
+
+        } else {
+            System.out.printf("Listing all JCA Security Providers.%n");
+            ps = (args.length>0)?Security.getProviders(args[0]):Security.getProviders();
+        }
+        if (ps == null || ps.length == 0)
+        {
+            System.out.printf("No Results.%n");
+            return;
+        }
+        for(Provider p : ps)
+        {
+            System.out.printf("--- Provider %s %s%n    info %s%n", p.getName(), p.getVersion(), p.getInfo());
+            for(Service s : p.getServices())
+            {
+                    System.out.printf(" + %s.%s : %s (%s)%n  tostring=%s%n", s.getType(), s.getAlgorithm(), s.getClassName(), s.getProvider().getName(), s.toString());
+            }
+        }
+    }
+
+}

tests/files/Tcheck.java

@@ -0,0 +1,17 @@
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+
+public class Tcheck {
+
+	public static void main(String[] args) {
+		int i = 1;
+		System.out.println("Supported Security Providers:");
+		Provider [] providers = Security.getProviders();
+
+		for (Provider provider: providers) {
+			System.out.println(" " + i++ + ". " + provider.getInfo());
+		}
+	}
+}

tests/test_openjdk.py

@@ -26,6 +26,23 @@
 COPY {HOST_TEST_DIR} {CONTAINER_TEST_DIR}
 """
 
+DOCKERFILE_OPENJDK_FIPS = """WORKDIR /src/
+COPY tests/files/Tcheck.java tests/files/JCEProviderInfo.java /src/
+ENV NSS_FIPS 1
+RUN zypper -n in mozilla-nss* git-core java-$JAVA_VERSION-openjdk-devel
+"""
+
+FIPS_OPENJDK_IMAGES = []
+
+for param in [OPENJDK_17_CONTAINER, OPENJDK_21_CONTAINER]:
+    ctr, marks = container_and_marks_from_pytest_param(param)
+    tester_ctr = DerivedContainer(
+        containerfile=DOCKERFILE_OPENJDK_FIPS, base=ctr
+    )
+    FIPS_OPENJDK_IMAGES.append(
+        pytest.param(tester_ctr, marks=marks, id=param.id)
+    )
+
 DOCKERF_CASSANDRA = """
 RUN zypper -n in tar gzip git-core util-linux
 """
@@ -280,3 +297,24 @@ def test_jdk_cassandra(container_per_test):
     container_per_test.connection.check_output(
         f"cd /tmp/{cassandra_base}/tools/bin/ && ./cassandra-stress write n=1 && ./cassandra-stress read n=1",
     )
+
+
+@pytest.mark.parametrize(
+    "container",
+    FIPS_OPENJDK_IMAGES,
+    indirect=True,
+)
+def test_openjdk_sec_providers(container: ContainerData) -> None:
+    """
+    Verifies that the primary security provider in FIPS-enabled OpenJDK
+    containers is `SunPKCS11-NSS-FIPS`. The test uses Java scripts to list and
+    validate security providers, ensuring FIPS compliance.
+    """
+    c = container.connection
+
+    assert "Listing all JCA Security Providers" in c.check_output(
+        "javac JCEProviderInfo.java && java JCEProviderInfo"
+    )
+    assert "1. SunPKCS11-NSS-FIPS" in c.check_output(
+        "javac Tcheck.java && java Tcheck"
+    )