Upgrade BCFIPS to 2.0

closes #30415

Signed-off-by: mposolda <mposolda@gmail.com>
mposolda 2024-09-23 20:10:24 +02:00 committed by Marek Posolda
parent 5bb23eb0fc
commit 8f038f19dd
9 changed files with 41 additions and 18 deletions


@ -300,6 +300,14 @@ The new event types are supported by the Email Event Listener.
The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
= BouncyCastle FIPS updated
Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to
upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation.
The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So {project_name} can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system.
This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2.
= `setOrCreateChild()` method removed from JavaScript Admin Client
The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead.
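Review bot: the new release note does not say that BCFIPS 2.x needs an additional jar, `bcutil-fips`, which this same change adds to `KEYCLOAK_HOME/providers`, to the `client/lib` copy and to the classloader prefix list; a user who upgrades only the three jars known from the 1.x setup will still fail, so add a sentence such as "BCFIPS 2 additionally requires the `bcutil-fips` jar; see the FIPS guide for the supported versions." Minor wording: "upgrade BouncyCastle FIPS library to the versions" needs an article ("the BouncyCastle FIPS libraries"), and "This might be the RHEL 9 based system" reads better as "for example a RHEL 9 based system".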


@ -37,12 +37,13 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
=== BouncyCastle FIPS bits
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/download/bouncy-castle-java-fips/[BouncyCastle official page]. Then you can add them to the directory
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
* bc-fips version ${properties["bouncycastle.bcfips.version"]}.
* bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}.
* bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}.
* bcutil-fips version ${properties["bouncycastle.bcutilfips.version"]}.
== Generating keystore
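Review bot: "Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies" is garbled; suggest "Make sure to use versions compatible with the BouncyCastle dependencies of {project_name}". Since `bcutil-fips` is a new entry in this list, it would help to state that it was not required with BCFIPS 1.x, so that readers upgrading an existing installation know to add it rather than assuming their three existing jars are sufficient.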
@ -154,17 +155,18 @@ always fulfils this requirement.
== Other restrictions
To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers.
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 17.0.6, these
security providers are not present in the `java.security`, which means that they effectively cannot work.
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled
in the `java.security` by default and the same applies with latest OpenJDK 17. But with older OpenJDK 17, it may not be enabled by default, which means that SAML effectively cannot work.
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following:
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following in case
that it is not already available in your FIPS security providers:
[source]
----
fips.provider.7=XMLDSig
----
Adding this security provider should work well. In fact, it is FIPS compliant and likely will be added by default in the future OpenJDK 17 micro version.
Adding this security provider should work well. In fact, it is FIPS compliant and is already added by default in the OpenJDK 21.
Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla].
NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7`
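Review bot: the rewritten paragraph loses the statement about `SunJGSS`: the removed text said both providers are absent from `java.security` on FIPS enabled RHEL 9, while the new text says "make sure that a `SunJGSS` security provider is available" and then only discusses `XMLDSig`, so the reader no longer learns whether Kerberos works on OpenJDK 21 or how to enable `SunJGSS`. Either state its status explicitly or say how to enable it, if the same `fips.provider.N=` mechanism applies. Minor: "add the line such as the following in case that it is not already available" should read "add a line such as the following if it is not already present".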
@ -195,6 +197,7 @@ it detects that corresponding BCFIPS jars are present (see above for the version
----
cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
cp $KEYCLOAK_HOME/providers/bcutil-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
----
NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java
@ -223,7 +226,7 @@ For example in the current directory, you can create sub-directory `files` and a
* BC FIPS jar files as described above
* Custom keystore file - named for example `keycloak-fips.keystore.bcfks`
* Security file `kc.java.security` with added provider for SAML
* Security file `kc.java.security` with added provider for SAML (Not needed with OpenJDK 21 or newer OpenJDK 17)
Then create `Containerfile` in the current directory similar to this:
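Review bot: "Not needed with OpenJDK 21 or newer OpenJDK 17" is imprecise for a checklist item; name the OpenJDK 17 update from which `XMLDSig` is enabled by default (or link the bugzilla referenced in the "Other restrictions" section), since a reader preparing a container image has to decide whether to include `kc.java.security` at all.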


@ -38,7 +38,7 @@ public class ClassLoaderUtil {
// Detect if BC FIPS jars are present in the "client/lib" directory
boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips"));
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips","bcutil-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
URL[] usedJars = Stream.of(jarsInDir)
.filter(file -> {
for (String prefix : validJarPrefixes) {
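Review bot: missing space after the comma in `"bctls-fips","bcutil-fips"`, unlike the rest of the array. More substantively, the filter silently drops any prefix that matches no jar: if `bcutil-fips` is missing from `client/lib` after this upgrade, the CLI fails later with a class loading error rather than here; consider checking that each entry of `validJarPrefixes` matched at least one file and logging which one is absent.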

pom.xml

@ -86,10 +86,10 @@
<!-- Versions used mostly for Undertow server, aligned with WildFly -->
<jboss.dmr.version>1.5.1.Final</jboss.dmr.version>
<!-- TODO Are these correct versions? -->
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
<bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
<bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
<bouncycastle.pkixfips.version>2.0.7</bouncycastle.pkixfips.version>
<bouncycastle.bcfips.version>2.0.0</bouncycastle.bcfips.version>
<bouncycastle.bctls-fips.version>2.0.19</bouncycastle.bctls-fips.version>
<bouncycastle.bcutilfips.version>2.0.3</bouncycastle.bcutilfips.version>
<dom4j.version>2.1.3</dom4j.version>
<h2.version>2.3.230</h2.version>
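Review bot: the `<!-- TODO Are these correct versions? -->` comment above these properties is still in place even though this change deliberately selects the BCFIPS 2.0 versions; resolve it, for example by replacing it with a comment pointing at the certified BCFIPS 2 combination these four artifacts were taken from, so the next upgrader knows they must move together.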
@ -390,23 +390,27 @@
<artifactId>xsom</artifactId>
<version>${org.glassfish.jaxb.xsom.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-fips</artifactId>
<version>${bouncycastle.pkixfips.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
<version>${bouncycastle.bcfips.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-fips</artifactId>
<version>${bouncycastle.bctls-fips.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-fips</artifactId>
<version>${bouncycastle.bcutilfips.version}</version>
</dependency>
<dependency>
<groupId>com.github.ua-parser</groupId>
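Review bot: adding `bcutil-fips` under dependency management only pins the version; it does not pull the artifact into modules that already declare `bc-fips` or `bctls-fips`. In this commit the only module that declares it is one test-scope pom, so double check that every module needing `bcutil-fips` at runtime also declares the new dependency.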


@ -60,7 +60,8 @@ public class IgnoredArtifacts {
"org.keycloak:keycloak-crypto-fips1402",
"org.bouncycastle:bc-fips",
"org.bouncycastle:bctls-fips",
"org.bouncycastle:bcpkix-fips"
"org.bouncycastle:bcpkix-fips",
"org.bouncycastle:bcutil-fips"
);
private static Set<String> fips() {


@ -70,6 +70,11 @@
<artifactId>bctls-fips</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-fips</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>


@ -33,7 +33,7 @@ import io.quarkus.test.junit.main.LaunchResult;
@RawDistOnly(reason = "Containers are immutable")
public class FipsDistTest {
private static final String BCFIPS_VERSION = "BCFIPS version 1.000205";
private static final String BCFIPS_VERSION = "BCFIPS version 2.0";
@Test
void testFipsNonApprovedMode(KeycloakDistribution dist) {
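Review bot: the old constant carried the full provider info string ("1.000205"), while the new one is just "2.0", so the `assertMessage` in the next hunk now accepts any 2.0.x build; if that is intentional (to avoid touching the test on every micro release) add a comment saying so, otherwise use the exact string that BCFIPS 2.0.0 reports so a version mismatch between the pom and the packaged jar is caught.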
@ -57,7 +57,7 @@ public class FipsDistTest {
cliResult.assertMessage("password must be at least 112 bits");
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "adminadminadmin");
cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
@ -174,6 +174,7 @@ public class FipsDistTest {
rawDist.copyProvider("org.bouncycastle", "bc-fips");
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
rawDist.copyProvider("org.bouncycastle", "bcutil-fips");
}
}


@ -346,7 +346,7 @@
</goals>
<configuration>
<outputDirectory>${auth.server.home}/providers</outputDirectory>
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips</includeArtifactIds>
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips,bcutil-fips</includeArtifactIds>
</configuration>
</execution>
<execution>
@ -357,7 +357,7 @@
</goals>
<configuration>
<outputDirectory>${auth.server.home}/bin/client/lib</outputDirectory>
<includeArtifactIds>bc-fips,bctls-fips</includeArtifactIds>
<includeArtifactIds>bc-fips,bctls-fips,bcutil-fips</includeArtifactIds>
</configuration>
</execution>
</executions>


@ -706,6 +706,7 @@
<includes>
<include>bc-fips-*</include>
<include>bctls-fips-*</include>
<include>bcutil-fips-*</include>
</includes>
</resource>
</resources>