Issue: 26568 - bcfips version bump and fixes

* bump BCFIPS to 1.0.2.5
* fix bc-fips-related test error
* remove unused imports

Closes: #26568

Signed-off-by: Andre F de M <trixpan@users.noreply.github.com>
Andre F de M 2024-05-19 12:18:40 +10:00 committed by Marek Posolda
parent 91efe37ec2
commit 0f061a75e2
8 changed files with 34 additions and 15 deletions


@ -6,7 +6,6 @@ fips-mode-setup --is-enabled
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_21/conf/security/java.security
export JAVA_HOME=/etc/alternatives/java_sdk_21 export JAVA_HOME=/etc/alternatives/java_sdk_21
# Build all dependent modules # Build all dependent modules
@ -16,4 +15,11 @@ export JAVA_HOME=/etc/alternatives/java_sdk_21
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
./mvnw test -nsu -B -pl crypto/default,crypto/fips1402 -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true
# NOTE the use of "org.bouncycastle.rsa.allow_pkcs15_enc" as per BCFIPS release notes:
#
# End of 2023 transition for RSA PKCS1.5 encryption. The provider blocks RSA with PKCS1.5 encryption.
# The following property can be used to override the default behavior:
# org.bouncycastle.rsa.allow_pkcs15_enc (allow use of PKCS1.5)
# This is required by crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402JWETest.java
./mvnw test -nsu -B -pl crypto/default,crypto/fips1402 -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true -Dorg.bouncycastle.rsa.allow_pkcs15_enc=true
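Review bot: The new `./mvnw test` invocation is the last line of the hunk and, unlike every earlier command in this script, is not visibly followed by the `if [ $? -ne 0 ]; then exit 1; fi` guard, so a failing crypto/fips1402 run may not fail the script; if that guard is not present after the hunk, add it (the script continues outside the hunk). The comment block explains what `org.bouncycastle.rsa.allow_pkcs15_enc` does but not its scope, and the flag is passed to both `crypto/default` and `crypto/fips1402`; a line such as `# Test-run only: re-enables RSA PKCS#1 v1.5 encryption that BC-FIPS approved mode blocks, needed solely by FIPS1402JWETest` would make clear that this is a test-JVM setting rather than a recommended runtime configuration.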


@ -21,14 +21,12 @@ import org.jboss.logging.Logger;
import org.junit.Assert; import org.junit.Assert;
import org.junit.ClassRule; import org.junit.ClassRule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.jose.jws.JWSBuilder; import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.HMACProvider; import org.keycloak.jose.jws.crypto.HMACProvider;
import org.keycloak.rule.CryptoInitRule; import org.keycloak.rule.CryptoInitRule;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import java.util.UUID; import java.util.UUID;


@ -13,11 +13,14 @@ public class Fips1402StrictCryptoProvider extends FIPS1402Provider {
static { static {
System.setProperty("org.bouncycastle.fips.approved_only", Boolean.TRUE.toString()); System.setProperty("org.bouncycastle.fips.approved_only", Boolean.TRUE.toString());
// Since BC-FIPS 1.0.2.4 PKCS 1.5 is disabled by default under strict mode and must
// be enabled via flags
System.setProperty("org.bouncycastle.rsa.allow_pkcs15_enc",Boolean.TRUE.toString());
} }
@Override @Override
public String[] getSupportedRsaKeySizes() { public String[] getSupportedRsaKeySizes() {
// RSA key of 1024 bits not supported in BCFIPS approved mode // RSA key of 1024 bits not supported in BC-FIPS approved mode
return new String[] {"2048", "4096"}; return new String[] {"2048", "4096"};
} }
} }
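Review bot: The new `System.setProperty("org.bouncycastle.rsa.allow_pkcs15_enc", ...)` in the static initializer unconditionally overrides any value an operator set on the command line, and it relaxes a default the provider turned off in approved mode, inside a class whose name advertises strictness; guarding it so an explicit setting wins keeps the operator in control: `if (System.getProperty("org.bouncycastle.rsa.allow_pkcs15_enc") == null) { System.setProperty("org.bouncycastle.rsa.allow_pkcs15_enc", Boolean.TRUE.toString()); }`. The comment above it says the flag "must be enabled" but not which Keycloak code path depends on PKCS#1 v1.5 RSA encryption; naming it (the script hunk in this commit points at FIPS1402JWETest) would tell a future maintainer when the override can be dropped. Minor: `PKCS 1.5` is conventionally written `PKCS#1 v1.5`, and the new setProperty call is missing a space after the comma.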


@ -40,8 +40,8 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are: `KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
* `bc-fips-1.0.2.3.jar` * `bc-fips-1.0.2.5.jar`
* `bctls-fips-1.0.18.jar` * `bctls-fips-1.0.19.jar`
* `bcpkix-fips-1.0.7.jar` * `bcpkix-fips-1.0.7.jar`
== Generating keystore == Generating keystore
@ -143,6 +143,8 @@ requirement as they are longer than 14 characters.
* RSA keys of 1024 bits do not work (2048 is the minimum). This applies for keys used by the {project_name} realm itself (Realm keys from the `Keys` tab in the admin console), but also client keys and IDP keys * RSA keys of 1024 bits do not work (2048 is the minimum). This applies for keys used by the {project_name} realm itself (Realm keys from the `Keys` tab in the admin console), but also client keys and IDP keys
* Since version 1.0.2.4, the Bouncy Castle FIPS library now requires a flag to allow the use of the RSA PKCS1.5 algorithm used by RS256. `-Dorg.bouncycastle.rsa.allow_pkcs15_enc=true`
* HMAC SHA-XXX keys must be at least 112 bits (or 14 characters long). For example if you use OIDC clients with the client authentication `Signed Jwt with Client Secret` (or `client-secret-jwt` in * HMAC SHA-XXX keys must be at least 112 bits (or 14 characters long). For example if you use OIDC clients with the client authentication `Signed Jwt with Client Secret` (or `client-secret-jwt` in
the OIDC notation), then your client secrets should be at least 14 characters long. Note that for good security, it is recommended to use client secrets generated by the {project_name} server, which the OIDC notation), then your client secrets should be at least 14 characters long. Note that for good security, it is recommended to use client secrets generated by the {project_name} server, which
always fulfils this requirement. always fulfils this requirement.
@ -258,6 +260,8 @@ In addition to the preceding requirements, be sure to doublecheck this before sw
* Make sure that clients relying on `Signed JWT with Client Secret` use at least 14 characters long secrets (ideally generated secrets) * Make sure that clients relying on `Signed JWT with Client Secret` use at least 14 characters long secrets (ideally generated secrets)
* Avoid using "RS256" OIDC algorithm. If this is required, ensure you properly configure the environment as documented above
* Password length restriction as described earlier. In case your users have shorter passwords, be sure to start the server with the max padding length set to 14 of PBKDF2 provider as mentioned * Password length restriction as described earlier. In case your users have shorter passwords, be sure to start the server with the max padding length set to 14 of PBKDF2 provider as mentioned
earlier. If you prefer to avoid this option, you can for instance ask all your users to reset their password (for example by the `Forgot password` link) during the first authentication in the new environment. earlier. If you prefer to avoid this option, you can for instance ask all your users to reset their password (for example by the `Forgot password` link) during the first authentication in the new environment.

pom.xml

@ -88,8 +88,11 @@
<!-- TODO Are these correct versions? --> <!-- TODO Are these correct versions? -->
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version> <bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
<!-- 1.0.2.4 exhibits class loading issues -->
<bouncycastle.bcfips.version>1.0.2.3</bouncycastle.bcfips.version> <bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
<bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
<cxf.version>3.3.10</cxf.version> <cxf.version>3.3.10</cxf.version>
<cxf.jetty.version>3.3.10</cxf.jetty.version> <cxf.jetty.version>3.3.10</cxf.jetty.version>
@ -406,6 +409,12 @@
<version>${bouncycastle.bcfips.version}</version> <version>${bouncycastle.bcfips.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-fips</artifactId>
<version>${bouncycastle.bctls-fips.version}</version>
</dependency>
<dependency> <dependency>
<groupId>com.github.ua-parser</groupId> <groupId>com.github.ua-parser</groupId>
<artifactId>uap-java</artifactId> <artifactId>uap-java</artifactId>
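Review bot: The `<!-- TODO Are these correct versions? -->` comment at the top of the first hunk is left in place even though this commit deliberately pins bc-fips 1.0.2.5, bctls-fips 1.0.19 and bcpkix-fips 1.0.7 as a set — the same triple the docs hunk lists — so the TODO no longer reflects what is known; replace it with a comment that records the constraint, e.g. `<!-- bc-fips, bctls-fips and bcpkix-fips must be upgraded together as a compatible set; keep in sync with the FIPS docs -->`. If the `<!-- 1.0.2.4 exhibits class loading issues -->` line is on the new side (the rendered page does not show which), it now documents a version the build skips, and folding it into that same comment keeps the reasons in one place.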


@ -8,7 +8,7 @@ keytool -importkeystore -srckeystore keycloak-fips.keystore.pkcs12 -destkeystore
-providername BCFIPS \ -providername BCFIPS \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.3/bc-fips-1.0.2.3.jar \ -providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar \
-J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security -J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security
``` ```
Default password is `passwordpassword`. Default password is `passwordpassword`.


@ -1,4 +1,4 @@
# Configuration file just with the security properties, which are supposed to be overriden. The properties, which are not mentioned in this file, # Configuration file just with the security properties, which are supposed to be overridden. The properties, which are not mentioned in this file,
# are inherited from the default java.security file bundled within the Java distribution. # are inherited from the default java.security file bundled within the Java distribution.
# #
# NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default) # NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default)
@ -12,3 +12,6 @@
# TODO: Comment/remove this once https://bugzilla.redhat.com/show_bug.cgi?id=1940064 is fixed and OpenJDK 17 updated to corresponding version where XMLDSig is available by default # TODO: Comment/remove this once https://bugzilla.redhat.com/show_bug.cgi?id=1940064 is fixed and OpenJDK 17 updated to corresponding version where XMLDSig is available by default
# #
fips.provider.7=XMLDSig fips.provider.7=XMLDSig
# TODO: Comment/remove this once https://issues.redhat.com/browse/RHEL-3478 is fixed.
securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS
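Review bot: The header NOTE of this file says every property is specified twice (plain and `fips.`-prefixed) so the same file works on a FIPS-enabled RHEL host, but the new `securerandom.strongAlgorithms` line appears only once; if the prefixed form is honoured for this property on that platform, add it alongside, otherwise record in the comment why this property is the exception. The TODO names RHEL-3478 but not what the override does; `# Workaround for RHEL-3478: pin SecureRandom.getInstanceStrong() to the NSS FIPS PKCS11 provider` would let a reader judge when it is safe to remove.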


@ -11,10 +11,6 @@ org.keycloak.testsuite.x509.**
MutualTLSClientTest MutualTLSClientTest
FAPI1Test FAPI1Test
FAPICIBATest FAPICIBATest
KcRegTest
KcRegCreateTest
KcAdmTest
KcAdmCreateTest
SAMLServletAdapterTest SAMLServletAdapterTest
SamlSignatureTest SamlSignatureTest
KcOidcBrokerJWETest KcOidcBrokerJWETest