Android test fixes and add Android FIPS Ready workflow #209
rlm2002 merged 10 commits into wolfSSL:master from
Pull request overview
This pull request improves Android (instrumented) test stability and adds CI support for running wolfCrypt JNI/JCE on Android with wolfSSL FIPS Ready.
Changes:
- Add FIPS-mode RSA key generation retry logic and refine ECC curve enablement checks in tests.
- Improve Android test reporting by switching ChaCha/3DES availability checks from `@BeforeClass` assumptions to per-test `@Rule` skipping.
- Add BKS keystore conversion tooling/docs and introduce a new GitHub Actions workflow to build/test Android against the latest FIPS Ready archive.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java | Adds RSA keygen retry helper for transient FIPS prime-gen failures. |
| src/test/java/com/wolfssl/wolfcrypt/test/Des3Test.java | Adjusts class-level setup to print class name while availability is handled via a Rule. |
| src/test/java/com/wolfssl/wolfcrypt/test/ChachaTest.java | Moves ChaCha availability logic into a Rule so skips are reported per-test. |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java | Filters unsupported EC curves by trial key generation; expands expected error matching. |
| src/main/java/com/wolfssl/provider/jce/WolfCryptKeyGenerator.java | Changes FIPS SecureRandom sanitization to replace non-wolfJCE RNGs with HashDRBG. |
| IDE/Android/README.md | Documents converting JKS keystores to BKS for Android tests and updates setup steps. |
| examples/certs/convert-to-bks.sh | Adds a helper script to convert test JKS keystores into BKS format. |
| .gitignore | Ignores an additional Android Studio .idea file. |
| .github/workflows/android_gradle_fipsready.yml | Adds a CI workflow to download FIPS Ready, do 2-pass build for integrity hash, generate BKS, and run instrumented tests. |
Pull request overview
Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.
Pull request overview
Copilot reviewed 16 out of 17 changed files in this pull request and generated 3 comments.
Summary
Fixes and improvements for running wolfCrypt JNI/JCE on Android with wolfSSL FIPS Ready, plus security hardening and dependency updates.
- `sanitizeSecureRandom()` now replaces a non-wolfJCE SecureRandom (e.g. AndroidOpenSSL) with a wolfJCE HashDRBG instead of throwing, fixing `KeyGenerator.init(keysize)` calls where the JDK auto-provides a platform default. Both `engineInit(SecureRandom)` and `engineInit(int, SecureRandom)` paths are now sanitized.
- `WolfCryptKeyPairGeneratorTest` via trial key generation in `@BeforeClass`, skip ECC setup entirely when not compiled in, and assert at least one curve is usable when ECC is enabled
- `@BeforeClass Assume` to `@Rule` so tests are individually reported as skipped on Android instead of silently dropped from the instrumented test count
- `PRIME_GEN_E` in `RsaTest.testMakeKey` for FIPS builds where the prime generation loop has a finite retry count
- `convert-to-bks.sh` script and update `IDE/Android/README.md` with instructions for converting JKS KeyStores to BKS format
- `android_gradle_fipsready.yml` that downloads the latest wolfSSL FIPS Ready archive, uses a two-pass build to capture and set the in-core integrity hash, generates BKS files, and runs the full instrumented test suite
- `CryptoBenchmark.sh` and verify SHA-256 hashes on download instead of fetching unpinned latest from Maven Central
- `jcenter()` with `mavenCentral()` in Android Gradle config, migrate from Android Support Library to AndroidX
- `WolfSSLKeyStoreTest` to avoid failures on loaded CI runners
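
The download pinning mentioned in the summary (an exact version plus a SHA-256 check instead of an unpinned "latest" fetch) can be sketched as below. This is an added example, not code from this PR or from `CryptoBenchmark.sh`; the function names, the URL argument and any digest passed in are assumptions.

```shell
#!/bin/sh
# Added example: pin a downloaded artifact to a SHA-256 digest and refuse
# anything else. Function names, URL and digest values are placeholders.

# Print the lowercase hex SHA-256 of a file (GNU sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, non-zero on mismatch/missing file.
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_verified TMPFILE DEST EXPECTED_HEX
# Move the file into place only after the digest matches. On mismatch the file
# is deleted, so a tampered or truncated download never reaches the build.
install_verified() {
    if verify_sha256 "$1" "$3"; then
        mv -f "$1" "$2"
    else
        echo "SHA-256 mismatch for $2, discarding download" >&2
        rm -f "$1"
        return 1
    fi
}

# fetch_pinned URL DEST EXPECTED_HEX
# URL must name one exact version; a "latest" URL cannot be pinned to a digest.
fetch_pinned() {
    tmp=$(mktemp "${2}.XXXXXX") || return 1
    curl -fsSL --proto '=https' -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    install_verified "$tmp" "$2" "$3"
}
```

The expected digest belongs in the script next to the version number, so that bumping a dependency is a reviewed change to both values.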