Upgrade BCFIPS to 2.0
closes #30415 Signed-off-by: mposolda <mposolda@gmail.com>
parent 5bb23eb0fc
commit 8f038f19dd
9 changed files with 41 additions and 18 deletions
|
@ -300,6 +300,14 @@ The new event types are supported by the Email Event Listener.
|
|||
|
||||
The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
|
||||
|
||||
= BouncyCastle FIPS updated
|
||||
|
||||
Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to
|
||||
upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation.
|
||||
|
||||
The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So {project_name} can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system.
|
||||
This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2.
|
||||
|
||||
= `setOrCreateChild()` method removed from JavaScript Admin Client
|
||||
|
||||
The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead.
|
||||
|
|
|
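Review bot: the new `= BouncyCastle FIPS updated` release note never says that the 2.x line adds a fourth required jar, `bcutil-fips`, even though the FIPS guide bullet list and the `validJarPrefixes` array in `ClassLoaderUtil` in this same commit now expect it; an administrator who swaps only the three jars they already have will not get a working FIPS setup. Suggest a sentence such as "Version 2 of BouncyCastle FIPS additionally requires the `bcutil-fips` jar; see the FIPS guide for the exact versions." Also "This version is certified with Java 21" blurs the module certification (FIPS 140-3) with the JVM it was tested on; "tested with Java 21" is the safer wording unless the certificate's listed operational environment is what is meant.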
@ -37,12 +37,13 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
|
|||
|
||||
=== BouncyCastle FIPS bits
|
||||
|
||||
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
|
||||
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/download/bouncy-castle-java-fips/[BouncyCastle official page]. Then you can add them to the directory
|
||||
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
|
||||
|
||||
* bc-fips version ${properties["bouncycastle.bcfips.version"]}.
|
||||
* bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}.
|
||||
* bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}.
|
||||
* bcutil-fips version ${properties["bouncycastle.bcutilfips.version"]}.
|
||||
|
||||
== Generating keystore
|
||||
|
||||
|
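Review bot: the bullet list grows to four jars but nothing states that all four must come from the same BCFIPS 2.x release, nor that jars from the previous 1.0.x line must be removed from `KEYCLOAK_HOME/providers` before the 2.x ones are added; the copy commands later in this guide use `bc-fips-*.jar` globs and `ClassLoaderUtil` matches by name prefix, so leftover 1.0.x jars would be picked up next to the new ones. Suggest adding "Remove any BouncyCastle FIPS jars from a previous version first; all four jars must be from the same release." Minor: "compatible with BouncyCastle {project_name} dependencies" reads backwards (intended: "{project_name} BouncyCastle dependencies"), and the new property `bouncycastle.bcutilfips.version` follows the `pkixfips` spelling while `bouncycastle.bctls-fips.version` uses a hyphen; pick one convention.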
@ -154,17 +155,18 @@ always fulfils this requirement.
|
|||
== Other restrictions
|
||||
|
||||
To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers.
|
||||
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 17.0.6, these
|
||||
security providers are not present in the `java.security`, which means that they effectively cannot work.
|
||||
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled
|
||||
in the `java.security` by default and the same applies with latest OpenJDK 17. But with older OpenJDK 17, it may not be enabled by default, which means that SAML effectively cannot work.
|
||||
|
||||
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following:
|
||||
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following in case
|
||||
that it is not already available in your FIPS security providers:
|
||||
|
||||
[source]
|
||||
----
|
||||
fips.provider.7=XMLDSig
|
||||
----
|
||||
|
||||
Adding this security provider should work well. In fact, it is FIPS compliant and likely will be added by default in the future OpenJDK 17 micro version.
|
||||
Adding this security provider should work well. In fact, it is FIPS compliant and is already added by default in the OpenJDK 21.
|
||||
Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla].
|
||||
|
||||
NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7`
|
||||
|
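Review bot: the rewritten paragraph starting "To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled" drops the statement the old text made about `SunJGSS`; it now only says whether `XMLDSig` is present, so the reader gets no guidance on whether Kerberos works on OpenJDK 21 in FIPS mode or what to add to `java.security` if it does not. Either restore the `SunJGSS` status or split the paragraph so each provider has its own sentence. "latest OpenJDK 17" and "older OpenJDK 17" should also name the 17.0.x release in which `XMLDSig` became enabled by default, otherwise readers cannot check their own build; the linked bugzilla can carry the exact number.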
@ -195,6 +197,7 @@ it detects that corresponding BCFIPS jars are present (see above for the version
|
|||
----
|
||||
cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||
cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||
cp $KEYCLOAK_HOME/providers/bcutil-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||
----
|
||||
|
||||
NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java
|
||||
|
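Review bot: the `cp` lines use version globs (`bc-fips-*.jar`, `bctls-fips-*.jar`, `bcutil-fips-*.jar`), so on an installation upgraded in place they copy both the old 1.0.x and the new 2.0.x jars into `bin/client/lib`, leaving two versions of each provider on the CLI classpath. Add a step to clear previous BouncyCastle jars from `$KEYCLOAK_HOME/bin/client/lib` before the copy (for example `rm $KEYCLOAK_HOME/bin/client/lib/bc*-fips-*.jar`), and state that `bcpkix-fips` is intentionally not copied for the CLI so readers do not "fix" the omission by hand.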
@ -223,7 +226,7 @@ For example in the current directory, you can create sub-directory `files` and a
|
|||
|
||||
* BC FIPS jar files as described above
|
||||
* Custom keystore file - named for example `keycloak-fips.keystore.bcfks`
|
||||
* Security file `kc.java.security` with added provider for SAML
|
||||
* Security file `kc.java.security` with added provider for SAML (Not needed with OpenJDK 21 or newer OpenJDK 17)
|
||||
|
||||
Then create `Containerfile` in the current directory similar to this:
|
||||
|
||||
|
|
|
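Review bot: "(Not needed with OpenJDK 21 or newer OpenJDK 17)" makes `kc.java.security` optional, but the instruction that follows, "Then create `Containerfile` in the current directory similar to this:", and the Containerfile it introduces are unchanged in this commit, so the reader is not told what to leave out of the Containerfile when the file is skipped. Either keep the file mandatory, stating (if verified) that the extra `fips.provider` line is harmless when `XMLDSig` is already listed, or show the OpenJDK 21 variant of the Containerfile. "newer OpenJDK 17" should also name the 17.0.x release, as the "Other restrictions" section should.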
@ -38,7 +38,7 @@ public class ClassLoaderUtil {
|
|||
|
||||
// Detect if BC FIPS jars are present in the "client/lib" directory
|
||||
boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips"));
|
||||
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
|
||||
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips","bcutil-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
|
||||
URL[] usedJars = Stream.of(jarsInDir)
|
||||
.filter(file -> {
|
||||
for (String prefix : validJarPrefixes) {
|
||||
|
|
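Review bot: `bcFipsJarPresent` is decided from the `bc-fips` prefix alone, so when `bcutil-fips` (newly required here) or `bctls-fips` is missing from `bin/client/lib` the FIPS branch is still taken and the CLI fails later with a class loading error rather than a clear message. Suggest checking for all three prefixes and failing fast with a message naming the missing jar. Style: `"bctls-fips","bcutil-fips"` lacks the space after the comma used elsewhere on that line, and because `bc-fips` is matched with `startsWith`, a leftover `bc-fips-1.0.2.5.jar` beside the 2.0.0 jar would be loaded too; matching the exact expected file name would avoid loading both.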
16
pom.xml
|
@ -86,10 +86,10 @@
|
|||
<!-- Versions used mostly for Undertow server, aligned with WildFly -->
|
||||
<jboss.dmr.version>1.5.1.Final</jboss.dmr.version>
|
||||
|
||||
<!-- TODO Are these correct versions? -->
|
||||
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
|
||||
<bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
|
||||
<bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
|
||||
<bouncycastle.pkixfips.version>2.0.7</bouncycastle.pkixfips.version>
|
||||
<bouncycastle.bcfips.version>2.0.0</bouncycastle.bcfips.version>
|
||||
<bouncycastle.bctls-fips.version>2.0.19</bouncycastle.bctls-fips.version>
|
||||
<bouncycastle.bcutilfips.version>2.0.3</bouncycastle.bcutilfips.version>
|
||||
|
||||
<dom4j.version>2.1.3</dom4j.version>
|
||||
<h2.version>2.3.230</h2.version>
|
||||
|
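Review bot: the `<!-- TODO Are these correct versions? -->` comment above the four BouncyCastle properties survives the upgrade; now that the commit pins bc-fips 2.0.0, bctls-fips 2.0.19, bcpkix-fips 2.0.7 and bcutil-fips 2.0.3, either drop the TODO or replace it with a comment saying that these four must be bumped together and where the tested combination is documented (the FIPS guide bullet list renders these same properties). The naming split between `bouncycastle.bcutilfips.version` and `bouncycastle.bctls-fips.version` is also worth settling while the block is being edited.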
@ -390,23 +390,27 @@
|
|||
<artifactId>xsom</artifactId>
|
||||
<version>${org.glassfish.jaxb.xsom.version}</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bcpkix-fips</artifactId>
|
||||
<version>${bouncycastle.pkixfips.version}</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bc-fips</artifactId>
|
||||
<version>${bouncycastle.bcfips.version}</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bctls-fips</artifactId>
|
||||
<version>${bouncycastle.bctls-fips.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bcutil-fips</artifactId>
|
||||
<version>${bouncycastle.bcutilfips.version}</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>com.github.ua-parser</groupId>
|
||||
|
|
|
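Review bot: the new `bcutil-fips` dependency block follows the `bctls-fips` `</dependency>` with no blank line, while every other BouncyCastle block in this section is separated by one; insert the blank line for consistency. The version resolves through `${bouncycastle.bcutilfips.version}`, which matches the property added above, so the version-less test-scope dependency in the test pom inherits it correctly.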
@ -60,7 +60,8 @@ public class IgnoredArtifacts {
|
|||
"org.keycloak:keycloak-crypto-fips1402",
|
||||
"org.bouncycastle:bc-fips",
|
||||
"org.bouncycastle:bctls-fips",
|
||||
"org.bouncycastle:bcpkix-fips"
|
||||
"org.bouncycastle:bcpkix-fips",
|
||||
"org.bouncycastle:bcutil-fips"
|
||||
);
|
||||
|
||||
private static Set<String> fips() {
|
||||
|
|
|
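Review bot: the trailing-comma fix on `"org.bouncycastle:bcpkix-fips",` is right, but the sibling list built in `fips()` directly below this hunk is not touched; confirm it needs no matching entry, otherwise the two lists diverge in what each build profile ignores and the next BouncyCastle jar addition will miss one of them.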
@ -70,6 +70,11 @@
|
|||
<artifactId>bctls-fips</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bcutil-fips</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
|
||||
<artifactId>jackson-databind</artifactId>
|
||||
|
|
|
@ -33,7 +33,7 @@ import io.quarkus.test.junit.main.LaunchResult;
|
|||
@RawDistOnly(reason = "Containers are immutable")
|
||||
public class FipsDistTest {
|
||||
|
||||
private static final String BCFIPS_VERSION = "BCFIPS version 1.000205";
|
||||
private static final String BCFIPS_VERSION = "BCFIPS version 2.0";
|
||||
|
||||
@Test
|
||||
void testFipsNonApprovedMode(KeycloakDistribution dist) {
|
||||
|
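Review bot: `BCFIPS_VERSION = "BCFIPS version 2.0"` is a prefix of the string any 2.0.x release reports, and the `assertMessage` on the `KC(` provider line only checks containment, so the test no longer pins the exact BCFIPS build the way `1.000205` did. If the intent is to verify the jar that actually shipped, derive the expected string from the same version the build uses (the `bouncycastle.bcfips.version` property) or match the full reported version.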
@ -57,7 +57,7 @@ public class FipsDistTest {
|
|||
cliResult.assertMessage("password must be at least 112 bits");
|
||||
cliResult.assertMessage("Java security providers: [ \n"
|
||||
+ " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
|
||||
|
||||
|
||||
dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "adminadminadmin");
|
||||
cliResult = dist.run("start", "--fips-mode=strict");
|
||||
cliResult.assertStarted();
|
||||
|
@ -174,6 +174,7 @@ public class FipsDistTest {
|
|||
rawDist.copyProvider("org.bouncycastle", "bc-fips");
|
||||
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
|
||||
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
|
||||
rawDist.copyProvider("org.bouncycastle", "bcutil-fips");
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
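Review bot: the test distribution now copies all four jars, mirroring the documented provider list, but no test covers the failure mode the new requirement introduces: a distribution with `bc-fips`, `bctls-fips` and `bcpkix-fips` but no `bcutil-fips`. A negative case asserting a clear startup error would catch users who upgrade by replacing only the three jars they had with 1.0.x.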
@ -346,7 +346,7 @@
|
|||
</goals>
|
||||
<configuration>
|
||||
<outputDirectory>${auth.server.home}/providers</outputDirectory>
|
||||
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips</includeArtifactIds>
|
||||
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips,bcutil-fips</includeArtifactIds>
|
||||
</configuration>
|
||||
</execution>
|
||||
<execution>
|
||||
|
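Review bot: the jar set is now spelled out in several places that must be kept in sync by hand: this `includeArtifactIds` list (four jars), the `bin/client/lib` list in the next execution (three), the `<include>` resource list further down and the `validJarPrefixes` array in `ClassLoaderUtil`. Consider one Maven property for the provider set and one for the client subset, referenced from each execution, so the next BouncyCastle jar addition cannot miss a spot.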
@ -357,7 +357,7 @@
|
|||
</goals>
|
||||
<configuration>
|
||||
<outputDirectory>${auth.server.home}/bin/client/lib</outputDirectory>
|
||||
<includeArtifactIds>bc-fips,bctls-fips</includeArtifactIds>
|
||||
<includeArtifactIds>bc-fips,bctls-fips,bcutil-fips</includeArtifactIds>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
|
|
|
@ -706,6 +706,7 @@
|
|||
<includes>
|
||||
<include>bc-fips-*</include>
|
||||
<include>bctls-fips-*</include>
|
||||
<include>bcutil-fips-*</include>
|
||||
</includes>
|
||||
</resource>
|
||||
</resources>
|
||||
|
|