Issue: 26568 - bcfips version bump and fixes
* bump BCFIPS to 1.0.2.5 * fix bc-fips related test error * remove unused imports Closes: #26568 Signed-off-by: Andre F de M <trixpan@users.noreply.github.com>
This commit is contained in:
parent
91efe37ec2
commit
0f061a75e2
8 changed files with 34 additions and 15 deletions
10
.github/scripts/run-fips-ut.sh
@ -6,7 +6,6 @@ fips-mode-setup --is-enabled
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_21/conf/security/java.security
|
|
||||||
export JAVA_HOME=/etc/alternatives/java_sdk_21
|
export JAVA_HOME=/etc/alternatives/java_sdk_21
|
||||||
|
|
||||||
# Build all dependent modules
|
# Build all dependent modules
|
||||||
|
@ -16,4 +15,11 @@ export JAVA_HOME=/etc/alternatives/java_sdk_21
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
./mvnw test -nsu -B -pl crypto/default,crypto/fips1402 -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true
|
|
||||||
|
# NOTE the use of "org.bouncycastle.rsa.allow_pkcs15_enc" as per BCFIPS release notes:
|
||||||
|
#
|
||||||
|
# End of 2023 transition for RSA PKCS1.5 encryption. The provider blocks RSA with PKCS1.5 encryption.
|
||||||
|
# The following property can be used to override the default behavior:
|
||||||
|
# org.bouncycastle.rsa.allow_pkcs15_enc (allow use of PKCS1.5)
|
||||||
|
# This is required by crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402JWETest.java
|
||||||
|
./mvnw test -nsu -B -pl crypto/default,crypto/fips1402 -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true -Dorg.bouncycastle.rsa.allow_pkcs15_enc=true
|
||||||
|
|
|
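Review bot: The `-Dorg.bouncycastle.rsa.allow_pkcs15_enc=true` appended to the `./mvnw test` line re-enables RSA PKCS#1 v1.5 encryption for the whole test JVM, including the `crypto/default` module that shares the same invocation, while the new comment block only names the test that needs it. BC-FIPS blocks that padding by default precisely because it is the classic padding-oracle target, so the comment should state that this is a test-only override, e.g. `# Test-only override: never pass this flag to a production server; keep the BC-FIPS default of blocking PKCS1.5 encryption`. The hunk also drops the `echo "fips.provider.7=XMLDSig" >> .../java.security` line that used to edit the system JDK's configuration, which is an improvement in itself, but nothing in the script now says where the XMLDSig provider entry comes from; presumably one of the java.security override files in this commit is passed via `-Djava.security.properties`, and a one-line comment to that effect would save the next reader the search.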
@ -21,14 +21,12 @@ import org.jboss.logging.Logger;
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.ClassRule;
|
import org.junit.ClassRule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.common.util.BouncyIntegration;
|
|
||||||
import org.keycloak.jose.jws.JWSBuilder;
|
import org.keycloak.jose.jws.JWSBuilder;
|
||||||
import org.keycloak.jose.jws.JWSInput;
|
import org.keycloak.jose.jws.JWSInput;
|
||||||
import org.keycloak.jose.jws.crypto.HMACProvider;
|
import org.keycloak.jose.jws.crypto.HMACProvider;
|
||||||
import org.keycloak.rule.CryptoInitRule;
|
import org.keycloak.rule.CryptoInitRule;
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
import javax.crypto.SecretKey;
|
||||||
import javax.crypto.SecretKeyFactory;
|
|
||||||
import javax.crypto.spec.SecretKeySpec;
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
|
@ -13,11 +13,14 @@ public class Fips1402StrictCryptoProvider extends FIPS1402Provider {
|
||||||
|
|
||||||
static {
|
static {
|
||||||
System.setProperty("org.bouncycastle.fips.approved_only", Boolean.TRUE.toString());
|
System.setProperty("org.bouncycastle.fips.approved_only", Boolean.TRUE.toString());
|
||||||
|
// Since BC-FIPS 1.0.2.4 PKCS 1.5 is disabled by default under strict mode and must
|
||||||
|
// be enabled via flags
|
||||||
|
System.setProperty("org.bouncycastle.rsa.allow_pkcs15_enc",Boolean.TRUE.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String[] getSupportedRsaKeySizes() {
|
public String[] getSupportedRsaKeySizes() {
|
||||||
// RSA key of 1024 bits not supported in BCFIPS approved mode
|
// RSA key of 1024 bits not supported in BC-FIPS approved mode
|
||||||
return new String[] {"2048", "4096"};
|
return new String[] {"2048", "4096"};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
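Review bot: The new `System.setProperty("org.bouncycastle.rsa.allow_pkcs15_enc", ...)` in the static initializer is unconditional, so it silently overrides an explicit `-Dorg.bouncycastle.rsa.allow_pkcs15_enc=false` and re-enables the RSA PKCS#1 v1.5 encryption path that BC-FIPS blocks in approved mode for every caller in the JVM, not only the test that needs it; the class declaration is above this hunk, so whether the class is test-only cannot be seen here. The two-line comment should say that this is intentional and scoped to the test provider, and why it sits next to `approved_only` (presumably both must be set before the BC-FIPS provider is initialised), e.g. `// Test-only: BC-FIPS >= 1.0.2.4 blocks RSA PKCS1.5 encryption in approved mode; FIPS1402JWETest needs it, so enable it process-wide before the provider loads.` Note that run-fips-ut.sh in this commit passes the same flag on the command line, so one of the two settings is redundant and they can drift apart; keeping a single documented place is preferable. Style: `"org.bouncycastle.rsa.allow_pkcs15_enc",Boolean.TRUE.toString()` is missing the space after the comma that the `approved_only` line above uses.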
@ -40,8 +40,8 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
|
||||||
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
|
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
|
||||||
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
|
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
|
||||||
|
|
||||||
* `bc-fips-1.0.2.3.jar`
|
* `bc-fips-1.0.2.5.jar`
|
||||||
* `bctls-fips-1.0.18.jar`
|
* `bctls-fips-1.0.19.jar`
|
||||||
* `bcpkix-fips-1.0.7.jar`
|
* `bcpkix-fips-1.0.7.jar`
|
||||||
|
|
||||||
== Generating keystore
|
== Generating keystore
|
||||||
|
@ -143,6 +143,8 @@ requirement as they are longer than 14 characters.
|
||||||
|
|
||||||
* RSA keys of 1024 bits do not work (2048 is the minimum). This applies for keys used by the {project_name} realm itself (Realm keys from the `Keys` tab in the admin console), but also client keys and IDP keys
|
* RSA keys of 1024 bits do not work (2048 is the minimum). This applies for keys used by the {project_name} realm itself (Realm keys from the `Keys` tab in the admin console), but also client keys and IDP keys
|
||||||
|
|
||||||
|
* Since version 1.0.2.4, the Bouncy Castle FIPS library now requires a flag to allow the use of the RSA PKCS1.5 algorithm used by RS256. `-Dorg.bouncycastle.rsa.allow_pkcs15_enc=true`
|
||||||
|
|
||||||
* HMAC SHA-XXX keys must be at least 112 bits (or 14 characters long). For example if you use OIDC clients with the client authentication `Signed Jwt with Client Secret` (or `client-secret-jwt` in
|
* HMAC SHA-XXX keys must be at least 112 bits (or 14 characters long). For example if you use OIDC clients with the client authentication `Signed Jwt with Client Secret` (or `client-secret-jwt` in
|
||||||
the OIDC notation), then your client secrets should be at least 14 characters long. Note that for good security, it is recommended to use client secrets generated by the {project_name} server, which
|
the OIDC notation), then your client secrets should be at least 14 characters long. Note that for good security, it is recommended to use client secrets generated by the {project_name} server, which
|
||||||
always fulfils this requirement.
|
always fulfils this requirement.
|
||||||
|
@ -258,6 +260,8 @@ In addition to the preceding requirements, be sure to doublecheck this before sw
|
||||||
|
|
||||||
* Make sure that clients relying on `Signed JWT with Client Secret` use at least 14 characters long secrets (ideally generated secrets)
|
* Make sure that clients relying on `Signed JWT with Client Secret` use at least 14 characters long secrets (ideally generated secrets)
|
||||||
|
|
||||||
|
* Avoid using "RS256" OIDC algorithm. If this is required, ensure you properly configure the environment as documented above
|
||||||
|
|
||||||
* Password length restriction as described earlier. In case your users have shorter passwords, be sure to start the server with the max padding length set to 14 of PBKDF2 provider as mentioned
|
* Password length restriction as described earlier. In case your users have shorter passwords, be sure to start the server with the max padding length set to 14 of PBKDF2 provider as mentioned
|
||||||
earlier. If you prefer to avoid this option, you can for instance ask all your users to reset their password (for example by the `Forgot password` link) during the first authentication in the new environment.
|
earlier. If you prefer to avoid this option, you can for instance ask all your users to reset their password (for example by the `Forgot password` link) during the first authentication in the new environment.
|
||||||
|
|
||||||
|
|
13
pom.xml
@ -88,8 +88,11 @@
|
||||||
|
|
||||||
<!-- TODO Are these correct versions? -->
|
<!-- TODO Are these correct versions? -->
|
||||||
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
|
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
|
||||||
<!-- 1.0.2.4 exhibits class loading issues -->
|
|
||||||
<bouncycastle.bcfips.version>1.0.2.3</bouncycastle.bcfips.version>
|
<bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
|
||||||
|
|
||||||
|
<bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
|
||||||
|
|
||||||
|
|
||||||
<cxf.version>3.3.10</cxf.version>
|
<cxf.version>3.3.10</cxf.version>
|
||||||
<cxf.jetty.version>3.3.10</cxf.jetty.version>
|
<cxf.jetty.version>3.3.10</cxf.jetty.version>
|
||||||
|
@ -406,6 +409,12 @@
|
||||||
<version>${bouncycastle.bcfips.version}</version>
|
<version>${bouncycastle.bcfips.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.bouncycastle</groupId>
|
||||||
|
<artifactId>bctls-fips</artifactId>
|
||||||
|
<version>${bouncycastle.bctls-fips.version}</version>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>com.github.ua-parser</groupId>
|
<groupId>com.github.ua-parser</groupId>
|
||||||
<artifactId>uap-java</artifactId>
|
<artifactId>uap-java</artifactId>
|
||||||
|
|
|
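Review bot: The new property `bouncycastle.bctls-fips.version` in the first hunk breaks the naming of its neighbours `bouncycastle.bcfips.version` and `bouncycastle.pkixfips.version`; `bouncycastle.bctlsfips.version` would keep the three consistent, with the `${bouncycastle.bctls-fips.version}` reference in the second hunk changed to match. The `<!-- TODO Are these correct versions? -->` comment is kept while the comment explaining why 1.0.2.4 was skipped is dropped, so nothing now records that these three versions are meant to move together; a note such as `<!-- bc-fips, bctls-fips and bcpkix-fips versions must match the jar list in the FIPS documentation -->` would tie them to the docs updated in this commit and make a lone bump of one of them stand out in review.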
@ -8,7 +8,7 @@ keytool -importkeystore -srckeystore keycloak-fips.keystore.pkcs12 -destkeystore
|
||||||
-providername BCFIPS \
|
-providername BCFIPS \
|
||||||
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
|
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
|
||||||
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
|
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
|
||||||
-providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.3/bc-fips-1.0.2.3.jar \
|
-providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar \
|
||||||
-J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security
|
-J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security
|
||||||
```
|
```
|
||||||
Default password is `passwordpassword`.
|
Default password is `passwordpassword`.
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Configuration file just with the security properties, which are supposed to be overriden. The properties, which are not mentioned in this file,
|
# Configuration file just with the security properties, which are supposed to be overridden. The properties, which are not mentioned in this file,
|
||||||
# are inherited from the default java.security file bundled within the Java distribution.
|
# are inherited from the default java.security file bundled within the Java distribution.
|
||||||
#
|
#
|
||||||
# NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default)
|
# NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default)
|
||||||
|
@ -12,3 +12,6 @@
|
||||||
# TODO: Comment/remove this once https://bugzilla.redhat.com/show_bug.cgi?id=1940064 is fixed and OpenJDK 17 updated to corresponding version where XMLDSig is available by default
|
# TODO: Comment/remove this once https://bugzilla.redhat.com/show_bug.cgi?id=1940064 is fixed and OpenJDK 17 updated to corresponding version where XMLDSig is available by default
|
||||||
#
|
#
|
||||||
fips.provider.7=XMLDSig
|
fips.provider.7=XMLDSig
|
||||||
|
|
||||||
|
# TODO: Comment/remove this once https://issues.redhat.com/browse/RHEL-3478 is fixed.
|
||||||
|
securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS
|
|
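Review bot: The added `securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS` appears only once, although the file's header in the first hunk says every property is specified twice, once with the `fips.` prefix for FIPS-mode RHEL hosts and once without; either add the prefixed counterpart if the JDK honours one for this property, or extend the TODO to say why a single entry suffices. The TODO names only the tracking ticket and not the effect, which matters for a setting that decides where `SecureRandom.getInstanceStrong()` draws its entropy; a line such as `# Routes SecureRandom.getInstanceStrong() to the NSS FIPS PKCS#11 token instead of the JDK default` tells a later reader what is lost when the workaround is removed. The `fips.provider.7=XMLDSig` line is unchanged context here, but since run-fips-ut.sh in this commit stops appending that same entry to the system JDK, this file is presumably now the only source of XMLDSig in the FIPS test run and a comment could say so.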
@ -11,10 +11,6 @@ org.keycloak.testsuite.x509.**
|
||||||
MutualTLSClientTest
|
MutualTLSClientTest
|
||||||
FAPI1Test
|
FAPI1Test
|
||||||
FAPICIBATest
|
FAPICIBATest
|
||||||
KcRegTest
|
|
||||||
KcRegCreateTest
|
|
||||||
KcAdmTest
|
|
||||||
KcAdmCreateTest
|
|
||||||
SAMLServletAdapterTest
|
SAMLServletAdapterTest
|
||||||
SamlSignatureTest
|
SamlSignatureTest
|
||||||
KcOidcBrokerJWETest
|
KcOidcBrokerJWETest
|
||||||
|
|