Spring Cloud Config Client Native test: FIPS enabled native-image: "only SunJSSE TrustManagers may be used"

[Karm]

Describe the bug

Spring Cloud Config Client test works fine with FIPS aware HotSpot, but the test fails to start with FIPS aware native-image.

TODO: Check Wiremock in HotSpot vs Native and how it is used here.

Notes from Severin:
Only PKCS11 NSS certificates may be used in FIPS mode. See: https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#trust_anchor_certificates

HotSpot (FIPS enabled)

[INFO] Quarkus - Integration Tests - Spring Cloud Config Client SUCCESS [  8.551 s]

Native (FIPS disabled)

Starting WireMock with following params: --root-dir=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/classes --port=8089 --disable-banner
Logging initialized @6920ms
jetty-9.2.28.v20190418
Started o.e.j.s.ServletContextHandler@c194c4e{/__admin,null,AVAILABLE}
Started o.e.j.s.ServletContextHandler@4def900a{/,null,AVAILABLE}
Started NetworkTrafficServerConnector@6ab6ec33{HTTP/1.1}{0.0.0.0:8089}
Started @7010ms

The WireMock server is started .....
port:                         8089
enable-browser-proxying:      false
disable-banner:               true
no-request-journal:           false
verbose:                      false


--- maven-resources-plugin:3.1.0:testResources (default-testResources) @ quarkus-integration-test-spring-cloud-config-client ---
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory /home/karm/quarkus/integration-tests/spring-cloud-config-client/src/test/resources

--- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ quarkus-integration-test-spring-cloud-config-client ---
Nothing to compile - all classes are up to date

--- maven-surefire-plugin:3.0.0-M5:test (default-test) @ quarkus-integration-test-spring-cloud-config-client ---

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running io.quarkus.spring.cloud.config.client.runtime.GreetingResourceTest
[org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
[io.quarkus] (main) Quarkus 999-SNAPSHOT on JVM started in 1.810s. Listening on: http://localhost:8081
[io.quarkus] (main) Profile test activated. 
[io.quarkus] (main) Installed features: [cdi, config-yaml, resteasy, smallrye-context-propagation, spring-cloud-config-client, vertx]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.26 s - in io.quarkus.spring.cloud.config.client.runtime.GreetingResourceTest
[io.quarkus] (main) a-bootiful-client stopped in 0.065s
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] 
[INFO] --- quarkus-maven-plugin:999-SNAPSHOT:build (default) @ quarkus-integration-test-spring-cloud-config-client ---
[INFO] [io.quarkus.deployment.pkg.steps.JarResultBuildStep] Building native image source jar: /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] Building native image from /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] Running Quarkus native-image plugin on native-image 21.3.1.0-Final Mandrel Distribution (Java Version 11.0.14+9)
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildRunner] /home/karm/mandrel-java11-21.3.1.0-Final/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dsun.nio.ch.maxUpdateArraySize=100 -J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory -J-Dvertx.disableDnsResolver=true -J-Dio.netty.leakDetection.level=DISABLED -J-Dio.netty.allocator.maxOrder=3 -J-Duser.language=en -J-Duser.country=US -J-Dfile.encoding=UTF-8 -H:-ParseOnce -J--add-exports=java.security.jgss/sun.security.krb5=ALL-UNNAMED -J--add-opens=java.base/java.text=ALL-UNNAMED -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy\$BySpaceAndTime -H:+JNI -H:+AllowFoldMethods -J-Djava.awt.headless=true -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:-AddAllCharsets -H:EnableURLProtocols=http,https -H:NativeLinkerOption=-no-pie -H:-UseServiceLoaderFeature -H:+StackTrace quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner -jar quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    classlist:   3,048.27 ms,  0.96 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        (cap):     575.15 ms,  0.96 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        setup:   2,560.47 ms,  0.96 GB
11:48:53,079 INFO  [org.jbo.threads] JBoss Threads version 3.4.2.Final
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     (clinit):     800.42 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]   (typeflow):   4,273.34 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    (objects):  37,227.83 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]   (features):   1,744.40 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     analysis:  45,948.94 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     universe:   3,504.46 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      (parse):   4,838.33 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     (inline):   7,229.20 ms,  5.65 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    (compile):  30,984.73 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      compile:  45,348.73 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        image:   3,500.98 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        write:     577.36 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      [total]: 104,823.76 ms,  5.02 GB
# Printing build artifacts to: /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.build_artifacts.txt
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildRunner] objcopy --strip-debug quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner
[INFO] [io.quarkus.deployment.QuarkusAugmentor] Quarkus augmentation completed in 108223ms
[INFO] 
[INFO] --- maven-failsafe-plugin:3.0.0-M5:integration-test (default) @ quarkus-integration-test-spring-cloud-config-client ---
[INFO] 
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running io.quarkus.spring.cloud.config.client.runtime.GreetingResourceIT
[INFO] RequestHandlerClass from context returned com.github.tomakehurst.wiremock.http.StubRequestHandler. Normalized mapped under returned 'null'
[org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
Executing "/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner -Dquarkus.http.port=8081 -Dquarkus.http.ssl-port=8444 -Dtest.url=http://localhost:8081 -Dquarkus.log.file.path=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus.log -Dquarkus.log.file.enable=true"
__  ____  __  _____   ___  __ ____  ______ 
 --/ __ \/ / / / _ | / _ \/ //_/ / / / __/ 
 -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \   
--\___\_\____/_/ |_/_/|_/_/|_|\____/___/   
[io.quarkus] (main) a-bootiful-client 999-SNAPSHOT native (powered by Quarkus 999-SNAPSHOT) started in 0.133s. Listening on: http://0.0.0.0:8081
[io.quarkus] (main) Profile prod activated. 
[io.quarkus] (main) Installed features: [cdi, config-yaml, resteasy, smallrye-context-propagation, spring-cloud-config-client, vertx]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 3.183 s - in io.quarkus.spring.cloud.config.client.runtime.GreetingResourceIT
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

Native (FIPS enabled)

[INFO] Starting WireMock with following params: --root-dir=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/classes --port=8089 --disable-banner
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] FIPS mode: only SunJSSE TrustManagers may be used

Expected behavior

Passes both for FIPS enabled HotSpot and FIPS enabled Native.

Actual behavior

FIPS enabled Native fails.

How to Reproduce?

On a FIPS enforcing system, using FIPS aware native-image:

./mvnw clean install -Dquickly -pl '!devtools/gradle,!devtools/gradle/gradle-model,!devtools/gradle/gradle-extension-plugin,!devtools/gradle/gradle-application-plugin,!integration-tests/gradle'
./mvnw verify -f integration-tests/pom.xml --fail-at-end --batch-mode -Dno-format -DfailIfNoTests=false -Dnative -pl spring-cloud-config-client

Output of uname -a or ver

Linux rhel9fips 5.14.0-63.el9.x86_64

Output of java -version

Red Hat build of OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

95cc838

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot]

/cc @galderz, @geoand, @jerboaa, @zakkak

[geoand]

How are these cases meant to be handled?

[jerboaa]

@Karm Last I've checked on this one, I think wiremock is only being used for the native test, but not for JVM mode. So in order to have an apples to apples comparison, we'd have to run wiremock in FIPS JVM mode too.

[Karm]

@geoand We will investigate and either provide a FIPS compatible fix or document it as FIPS incompatible for the time being.

[jerboaa]

Sorry, but I have no idea what this wiremock thing actually is.

[Karm]

@jerboaa Ack. I have used wiremock in the past. I will take a look at the setup here.
I am not dumping these issues on you to investigate immediately. My angle is to record those (two more I think) so as we can go deeper later and suggest changes.

[geoand]

Is this still an issue?