From 8f038f19ddf093ea3d23f6ebb778862aa81e5688 Mon Sep 17 00:00:00 2001 From: mposolda Date: Mon, 23 Sep 2024 20:10:24 +0200 Subject: [PATCH] Upgrade BCFIPS to 2.0 closes #30415 Signed-off-by: mposolda --- .../upgrading/topics/changes/changes-26_0_0.adoc | 8 ++++++++ docs/guides/server/fips.adoc | 15 +++++++++------ .../client/cli/util/ClassLoaderUtil.java | 2 +- pom.xml | 16 ++++++++++------ .../runtime/configuration/IgnoredArtifacts.java | 3 ++- quarkus/tests/integration/pom.xml | 5 +++++ .../org/keycloak/it/cli/dist/FipsDistTest.java | 5 +++-- .../servers/auth-server/quarkus/pom.xml | 4 ++-- .../integration-arquillian/tests/base/pom.xml | 1 + 9 files changed, 41 insertions(+), 18 deletions(-) diff --git a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc index c4bd775d1c..62b010fe92 100644 --- a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc @@ -300,6 +300,14 @@ The new event types are supported by the Email Event Listener. The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR` += BouncyCastle FIPS updated + +Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to +upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation. + +The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So {project_name} can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system. +This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2. + = `setOrCreateChild()` method removed from JavaScript Admin Client The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead. diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 4ce0aea24f..2b5cb10c41 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc @@ -37,12 +37,13 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o === BouncyCastle FIPS bits -BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory +BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/download/bouncy-castle-java-fips/[BouncyCastle official page]. Then you can add them to the directory `KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are: * bc-fips version ${properties["bouncycastle.bcfips.version"]}. * bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}. * bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}. +* bcutil-fips version ${properties["bouncycastle.bcutilfips.version"]}. == Generating keystore @@ -154,17 +155,18 @@ always fulfils this requirement. == Other restrictions To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers. -To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 17.0.6, these -security providers are not present in the `java.security`, which means that they effectively cannot work. +To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled +in the `java.security` by default and the same applies with latest OpenJDK 17. But with older OpenJDK 17, it may not be enabled by default, which means that SAML effectively cannot work. -To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following: +To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following in case +that it is not already available in your FIPS security providers: [source] ---- fips.provider.7=XMLDSig ---- -Adding this security provider should work well. In fact, it is FIPS compliant and likely will be added by default in the future OpenJDK 17 micro version. +Adding this security provider should work well. In fact, it is FIPS compliant and is already added by default in the OpenJDK 21. Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla]. NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7` @@ -195,6 +197,7 @@ it detects that corresponding BCFIPS jars are present (see above for the version ---- cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/ cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/ +cp $KEYCLOAK_HOME/providers/bcutil-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/ ---- NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java @@ -223,7 +226,7 @@ For example in the current directory, you can create sub-directory `files` and a * BC FIPS jar files as described above * Custom keystore file - named for example `keycloak-fips.keystore.bcfks` -* Security file `kc.java.security` with added provider for SAML +* Security file `kc.java.security` with added provider for SAML (Not needed with OpenJDK 21 or newer OpenJDK 17) Then create `Containerfile` in the current directory similar to this: diff --git a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/ClassLoaderUtil.java b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/ClassLoaderUtil.java index 3ce4afaa08..6ce16c28aa 100644 --- a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/ClassLoaderUtil.java +++ b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/ClassLoaderUtil.java @@ -38,7 +38,7 @@ public class ClassLoaderUtil { // Detect if BC FIPS jars are present in the "client/lib" directory boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips")); - String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"}; + String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips","bcutil-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"}; URL[] usedJars = Stream.of(jarsInDir) .filter(file -> { for (String prefix : validJarPrefixes) { diff --git a/pom.xml b/pom.xml index 19666b124a..ea63d2d03c 100644 --- a/pom.xml +++ b/pom.xml @@ -86,10 +86,10 @@ 1.5.1.Final - - 1.0.7 - 1.0.2.5 - 1.0.19 + 2.0.7 + 2.0.0 + 2.0.19 + 2.0.3 2.1.3 2.3.230 @@ -390,23 +390,27 @@ xsom ${org.glassfish.jaxb.xsom.version} + org.bouncycastle bcpkix-fips ${bouncycastle.pkixfips.version} - org.bouncycastle bc-fips ${bouncycastle.bcfips.version} - org.bouncycastle bctls-fips ${bouncycastle.bctls-fips.version} + + org.bouncycastle + bcutil-fips + ${bouncycastle.bcutilfips.version} + com.github.ua-parser diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/IgnoredArtifacts.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/IgnoredArtifacts.java index f4861a776e..dbc49654e7 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/IgnoredArtifacts.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/IgnoredArtifacts.java @@ -60,7 +60,8 @@ public class IgnoredArtifacts { "org.keycloak:keycloak-crypto-fips1402", "org.bouncycastle:bc-fips", "org.bouncycastle:bctls-fips", - "org.bouncycastle:bcpkix-fips" + "org.bouncycastle:bcpkix-fips", + "org.bouncycastle:bcutil-fips" ); private static Set fips() { diff --git a/quarkus/tests/integration/pom.xml b/quarkus/tests/integration/pom.xml index a872993a63..b7d547ed0f 100644 --- a/quarkus/tests/integration/pom.xml +++ b/quarkus/tests/integration/pom.xml @@ -70,6 +70,11 @@ bctls-fips test + + org.bouncycastle + bcutil-fips + test + com.fasterxml.jackson.core jackson-databind diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java index cf16e198e3..c5860a6e4a 100644 --- a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java +++ b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java @@ -33,7 +33,7 @@ import io.quarkus.test.junit.main.LaunchResult; @RawDistOnly(reason = "Containers are immutable") public class FipsDistTest { - private static final String BCFIPS_VERSION = "BCFIPS version 1.000205"; + private static final String BCFIPS_VERSION = "BCFIPS version 2.0"; @Test void testFipsNonApprovedMode(KeycloakDistribution dist) { @@ -57,7 +57,7 @@ public class FipsDistTest { cliResult.assertMessage("password must be at least 112 bits"); cliResult.assertMessage("Java security providers: [ \n" + " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider"); - + dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "adminadminadmin"); cliResult = dist.run("start", "--fips-mode=strict"); cliResult.assertStarted(); @@ -174,6 +174,7 @@ public class FipsDistTest { rawDist.copyProvider("org.bouncycastle", "bc-fips"); rawDist.copyProvider("org.bouncycastle", "bctls-fips"); rawDist.copyProvider("org.bouncycastle", "bcpkix-fips"); + rawDist.copyProvider("org.bouncycastle", "bcutil-fips"); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/quarkus/pom.xml b/testsuite/integration-arquillian/servers/auth-server/quarkus/pom.xml index fc10679b00..64846bdfce 100644 --- a/testsuite/integration-arquillian/servers/auth-server/quarkus/pom.xml +++ b/testsuite/integration-arquillian/servers/auth-server/quarkus/pom.xml @@ -346,7 +346,7 @@ ${auth.server.home}/providers - bc-fips,bctls-fips,bcpkix-fips + bc-fips,bctls-fips,bcpkix-fips,bcutil-fips @@ -357,7 +357,7 @@ ${auth.server.home}/bin/client/lib - bc-fips,bctls-fips + bc-fips,bctls-fips,bcutil-fips diff --git a/testsuite/integration-arquillian/tests/base/pom.xml b/testsuite/integration-arquillian/tests/base/pom.xml index d250e6998b..3e7c56144d 100644 --- a/testsuite/integration-arquillian/tests/base/pom.xml +++ b/testsuite/integration-arquillian/tests/base/pom.xml @@ -706,6 +706,7 @@ bc-fips-* bctls-fips-* + bcutil-fips-*