Upgrade BCFIPS to 2.0

closes #30415

Signed-off-by: mposolda <mposolda@gmail.com>

docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc

@@ -300,6 +300,14 @@ The new event types are supported by the Email Event Listener.
 
 The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
 
+= BouncyCastle FIPS updated
+
+Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to
+upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation.
+
+The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So {project_name} can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system.
+This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2.
+
 = `setOrCreateChild()` method removed from JavaScript Admin Client
 
 The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead.

docs/guides/server/fips.adoc

@@ -37,12 +37,13 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
 
 === BouncyCastle FIPS bits
 
-BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
+BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/download/bouncy-castle-java-fips/[BouncyCastle official page]. Then you can add them to the directory
 `KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
 
 * bc-fips version ${properties["bouncycastle.bcfips.version"]}.
 * bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}.
 * bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}.
+* bcutil-fips version ${properties["bouncycastle.bcutilfips.version"]}.
 
 == Generating keystore
 
@@ -154,17 +155,18 @@ always fulfils this requirement.
 == Other restrictions
 
 To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers.
-To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 17.0.6, these
-security providers are not present in the `java.security`, which means that they effectively cannot work.
+To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled
+in the `java.security` by default and the same applies with latest OpenJDK 17. But with older OpenJDK 17, it may not be enabled by default, which means that SAML effectively cannot work.
 
-To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following:
+To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following in case
+that it is not already available in your FIPS security providers:
 
 [source]
 ----
 fips.provider.7=XMLDSig
 ----
 
-Adding this security provider should work well. In fact, it is FIPS compliant and likely will be added by default in the future OpenJDK 17 micro version.
+Adding this security provider should work well. In fact, it is FIPS compliant and is already added by default in the OpenJDK 21.
 Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla].
 
 NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7`
@@ -195,6 +197,7 @@ it detects that corresponding BCFIPS jars are present (see above for the version
 ----
 cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
 cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
+cp $KEYCLOAK_HOME/providers/bcutil-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
 ----
 
 NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java
@@ -223,7 +226,7 @@ For example in the current directory, you can create sub-directory `files` and a
 
 * BC FIPS jar files as described above
 * Custom keystore file - named for example `keycloak-fips.keystore.bcfks`
-* Security file `kc.java.security` with added provider for SAML
+* Security file `kc.java.security` with added provider for SAML (Not needed with OpenJDK 21 or newer OpenJDK 17)
 
 Then create `Containerfile` in the current directory similar to this:
 

integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/ClassLoaderUtil.java

@@ -38,7 +38,7 @@ public class ClassLoaderUtil {
 
         // Detect if BC FIPS jars are present in the "client/lib" directory
         boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips"));
-        String[] validJarPrefixes = bcFipsJarPresent ?  new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
+        String[] validJarPrefixes = bcFipsJarPresent ?  new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips","bcutil-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
         URL[] usedJars = Stream.of(jarsInDir)
                 .filter(file -> {
                     for (String prefix : validJarPrefixes) {

pom.xml

@@ -86,10 +86,10 @@
         <!-- Versions used mostly for Undertow server, aligned with WildFly -->
         <jboss.dmr.version>1.5.1.Final</jboss.dmr.version>
 
-        <!-- TODO Are these correct versions? -->
-        <bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
-        <bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
-        <bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
+        <bouncycastle.pkixfips.version>2.0.7</bouncycastle.pkixfips.version>
+        <bouncycastle.bcfips.version>2.0.0</bouncycastle.bcfips.version>
+        <bouncycastle.bctls-fips.version>2.0.19</bouncycastle.bctls-fips.version>
+        <bouncycastle.bcutilfips.version>2.0.3</bouncycastle.bcutilfips.version>
 
         <dom4j.version>2.1.3</dom4j.version>
         <h2.version>2.3.230</h2.version>
@@ -390,23 +390,27 @@
                 <artifactId>xsom</artifactId>
                 <version>${org.glassfish.jaxb.xsom.version}</version>
             </dependency>
+
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcpkix-fips</artifactId>
                 <version>${bouncycastle.pkixfips.version}</version>
             </dependency>
-
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bc-fips</artifactId>
                 <version>${bouncycastle.bcfips.version}</version>
             </dependency>
-
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bctls-fips</artifactId>
                 <version>${bouncycastle.bctls-fips.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcutil-fips</artifactId>
+                <version>${bouncycastle.bcutilfips.version}</version>
+            </dependency>
 
             <dependency>
                 <groupId>com.github.ua-parser</groupId>

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/IgnoredArtifacts.java

@@ -60,7 +60,8 @@ public class IgnoredArtifacts {
             "org.keycloak:keycloak-crypto-fips1402",
             "org.bouncycastle:bc-fips",
             "org.bouncycastle:bctls-fips",
-            "org.bouncycastle:bcpkix-fips"
+            "org.bouncycastle:bcpkix-fips",
+            "org.bouncycastle:bcutil-fips"
     );
 
     private static Set<String> fips() {

quarkus/tests/integration/pom.xml

@@ -70,6 +70,11 @@
             <artifactId>bctls-fips</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcutil-fips</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java

@@ -33,7 +33,7 @@ import io.quarkus.test.junit.main.LaunchResult;
 @RawDistOnly(reason = "Containers are immutable")
 public class FipsDistTest {
 
-    private static final String BCFIPS_VERSION = "BCFIPS version 1.000205";
+    private static final String BCFIPS_VERSION = "BCFIPS version 2.0";
 
     @Test
     void testFipsNonApprovedMode(KeycloakDistribution dist) {
@@ -57,7 +57,7 @@ public class FipsDistTest {
             cliResult.assertMessage("password must be at least 112 bits");
             cliResult.assertMessage("Java security providers: [ \n"
                     + " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
-            
+
             dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "adminadminadmin");
             cliResult = dist.run("start", "--fips-mode=strict");
             cliResult.assertStarted();
@@ -174,6 +174,7 @@ public class FipsDistTest {
         rawDist.copyProvider("org.bouncycastle", "bc-fips");
         rawDist.copyProvider("org.bouncycastle", "bctls-fips");
         rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
+        rawDist.copyProvider("org.bouncycastle", "bcutil-fips");
     }
 
 }

testsuite/integration-arquillian/servers/auth-server/quarkus/pom.xml

@@ -346,7 +346,7 @@
                                 </goals>
                                 <configuration>
                                     <outputDirectory>${auth.server.home}/providers</outputDirectory>
-                                    <includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips</includeArtifactIds>
+                                    <includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips,bcutil-fips</includeArtifactIds>
                                 </configuration>
                             </execution>
                             <execution>
@@ -357,7 +357,7 @@
                                 </goals>
                                 <configuration>
                                     <outputDirectory>${auth.server.home}/bin/client/lib</outputDirectory>
-                                    <includeArtifactIds>bc-fips,bctls-fips</includeArtifactIds>
+                                    <includeArtifactIds>bc-fips,bctls-fips,bcutil-fips</includeArtifactIds>
                                 </configuration>
                             </execution>
                         </executions>

testsuite/integration-arquillian/tests/base/pom.xml

@@ -706,6 +706,7 @@
                                             <includes>
                                                 <include>bc-fips-*</include>
                                                 <include>bctls-fips-*</include>
+                                                <include>bcutil-fips-*</include>
                                             </includes>
                                         </resource>
                                     </resources>