Initial GH actions unit tests for crypto modules

Closes #14241
This commit is contained in:
mposolda 2022-09-02 16:45:01 +02:00 committed by Marek Posolda
parent 3af1134975
commit 47340e9318
5 changed files with 151 additions and 10 deletions

View file

@ -100,6 +100,50 @@ jobs:
path: reports-unit-tests.zip
if-no-files-found: ignore
crypto-tests:
name: Crypto Tests
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{ env.DEFAULT_JDK_VERSION }}
cache: 'maven'
- name: Update maven settings
run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
- name: Cleanup org.keycloak artifacts
run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
- name: Download built keycloak
id: download-keycloak
uses: actions/download-artifact@v3
with:
path: ~/.m2/repository/org/keycloak/
name: keycloak-artifacts.zip
- name: Run crypto tests (BCFIPS non-approved mode)
run: |
if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true; then
find . -path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@
exit 1
fi
- name: Run crypto tests (BCFIPS approved mode)
run: |
if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true; then
find . -path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@
exit 1
fi
- name: Crypto test reports
uses: actions/upload-artifact@v3
if: failure()
with:
name: reports-crypto-tests
retention-days: 14
path: reports-crypto-tests.zip
if-no-files-found: ignore
model-tests:
name: Model Tests
runs-on: ubuntu-latest

View file

@ -57,12 +57,17 @@ public abstract class KeyPairVerifierTest {
+ "PEuQrsfWRXm9/dTEavbfNkv5E53zWXjWyf93ezkVhBX0YoXmf6UO7PAlvsrjno3T\n" + "uwIDAQAB\n" + "-----END PUBLIC KEY-----";
@Test
public void verifyWithPrivateKeysInTraditionalRSAFormat() throws Exception {
verifyImpl(this.privateKey1, this.privateKey2048);
public void verifyWith1024PrivateKeyInTraditionalRSAFormat() throws Exception {
verifyImplRsa1024Key(this.privateKey1);
}
@Test
public void verifyWithPrivateKeysInPKCS8Format() throws Exception {
public void verifyWith2048PrivateKeyInTraditionalRSAFormat() throws Exception {
verifyImplRsa2048Key(this.privateKey2048);
}
@Test
public void verifyWith1024PrivateKeyInPKCS8Format() throws Exception {
String privateKey1 = "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKtWsK5O0CtuBpnM" +
"vWG+HTG0vmZzujQ2o9WdheQu+BzCILcGMsbDW0YQaglpcO5JpGWWhubnckGGPHfd" +
"Q2/7nP9QwbiTK0FbGF41UqcvoaCqU1psxoV88s8IXyQCAqeyLv00yj6foqdJjxh5" +
@ -78,6 +83,11 @@ public abstract class KeyPairVerifierTest {
"7KQ6+vVqJlQwVPvYdTSOeZB7YVV6S4b4slS3ZObsa0yNMWgal/QnCtW5k3f185gC" +
"Wj6dOLGB5btfxg==";
verifyImplRsa1024Key(privateKey1);
}
@Test
public void verifyWith2048PrivateKeyInPKCS8Format() throws Exception {
String privateKey2048 = "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhXcyk6e4qx0Ft" +
"HVTM2Mr2jmZ4QxDizlWnKSG/UOmpOKUo6IQftVD9e2M3HDTKOcUGKUKekrrI32YM" +
"QdsETNpGO12uBWGQh6OJpcUE/kwGFRDmX27wTchkLcTynAONUXRn27RHiUZ5SDaT" +
@ -105,21 +115,22 @@ public abstract class KeyPairVerifierTest {
"Zer7cRS4Vsn4uNvxhYGB4+NIcOhL/r7/7OoHVvm5Cn+NgVthCXnRQ9E9MX66XV5C" +
"jLsXjc2CPf/lwNFqsVl7dlPNmg==";
verifyImpl(privateKey1, privateKey2048);
verifyImplRsa2048Key(privateKey2048);
}
protected void verifyImpl(String privateKey1, String privateKey2048) throws Exception {
KeyPairVerifier.verify(privateKey1, publicKey1);
KeyPairVerifier.verify(privateKey2048, publicKey2048);
protected void verifyImplRsa1024Key(String rsaPrivateKey1024) throws Exception {
KeyPairVerifier.verify(rsaPrivateKey1024, publicKey1);
try {
KeyPairVerifier.verify(privateKey1, publicKey2048);
KeyPairVerifier.verify(rsaPrivateKey1024, publicKey2048);
Assert.fail("Expected VerificationException");
} catch (VerificationException e) {
}
}
protected void verifyImplRsa2048Key(String rsaPrivateKey2048) throws Exception {
KeyPairVerifier.verify(rsaPrivateKey2048, publicKey2048);
try {
KeyPairVerifier.verify(privateKey2048, publicKey1);
KeyPairVerifier.verify(rsaPrivateKey2048, publicKey1);
Assert.fail("Expected VerificationException");
} catch (VerificationException e) {
}

View file

@ -85,4 +85,19 @@
</dependency>
</dependencies>
<build>
<pluginManagement>
<plugins>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<java.security.properties>${basedir}/target/test-classes/kc.java.security</java.security.properties>
</systemPropertyVariables>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>

View file

@ -1,7 +1,11 @@
package org.keycloak.crypto.fips.test;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Assume;
import org.junit.Test;
import org.keycloak.KeyPairVerifierTest;
import org.keycloak.common.util.Environment;
@ -17,4 +21,42 @@ public class FIPS1402KeyPairVerifierTest extends KeyPairVerifierTest {
// Run this test just if java is in FIPS mode
Assume.assumeTrue("Java is not in FIPS mode. Skipping the test.", Environment.isJavaInFipsMode());
}
@Test
public void verifyWith1024PrivateKeyInTraditionalRSAFormat() throws Exception {
// Signature generation with RSA 1024 key works just in non-approved mode
Assume.assumeFalse(CryptoServicesRegistrar.isInApprovedOnlyMode());
super.verifyWith1024PrivateKeyInTraditionalRSAFormat();
}
@Test
public void verifyWith1024PrivateKeyInPKCS8Format() throws Exception {
// Signature generation with RSA 1024 key works just in non-approved mode
Assume.assumeFalse(CryptoServicesRegistrar.isInApprovedOnlyMode());
super.verifyWith1024PrivateKeyInPKCS8Format();
}
@Test
public void verifyWith1024PrivateKeyInTraditionalRSAFormatShouldFail() throws Exception {
// Signature generation with RSA 1024 key works just in non-approved mode
Assume.assumeTrue(CryptoServicesRegistrar.isInApprovedOnlyMode());
try {
super.verifyWith1024PrivateKeyInTraditionalRSAFormat();
Assert.fail("Should not successfully generate signature with RSA 1024 key in BC approved mode");
} catch (FipsUnapprovedOperationError fipsError) {
// expected
}
}
@Test
public void verifyWith1024PrivateKeyInPKCS8FormatShouldFail() throws Exception {
// Signature generation with RSA 1024 key works just in non-approved mode
Assume.assumeTrue(CryptoServicesRegistrar.isInApprovedOnlyMode());
try {
super.verifyWith1024PrivateKeyInPKCS8Format();
Assert.fail("Should not successfully generate signature with RSA 1024 key in BC approved mode");
} catch (FipsUnapprovedOperationError fipsError) {
// expected
}
}
}

View file

@ -0,0 +1,29 @@
# Configuration file just with the security properties, which are supposed to be overriden. The properties, which are not mentioned in this file,
# are inherited from the default java.security file bundled within the distribution.
#
# NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default)
# and the non-fips based (EG. when running the tests on GH actions)
#
# List of providers and their preference orders (see above). Used on the host without FIPS (EG. when running the tests on GH actions)
# NOTE: List is empty for now, so we test just with BCFIPS provider, which is registered programatically
#
security.provider.1=
#
# Security providers used when global crypto-policies are set to FIPS.
# NOTE: List is empty for now, so we test just with BCFIPS provider, which is registered programatically
#
fips.provider.1=
#fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
#fips.provider.2=SunEC
#fips.provider.3=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
# Commented this provider for now as it uses lots of non-FIPS services. See https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#ref_openjdk-default-fips-configuration_openjdk
# fips.provider.2=SUN
#
# Default keystore type.
#
keystore.type=PKCS11
fips.keystore.type=PKCS11