Upgrade BCFIPS to 2.0
closes #30415 Signed-off-by: mposolda <mposolda@gmail.com>
This commit is contained in:
parent
5bb23eb0fc
commit
8f038f19dd
9 changed files with 41 additions and 18 deletions
|
@ -300,6 +300,14 @@ The new event types are supported by the Email Event Listener.
|
||||||
|
|
||||||
The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
|
The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
|
||||||
|
|
||||||
|
= BouncyCastle FIPS updated
|
||||||
|
|
||||||
|
Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to
|
||||||
|
upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation.
|
||||||
|
|
||||||
|
The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So {project_name} can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system.
|
||||||
|
This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2.
|
||||||
|
|
||||||
= `setOrCreateChild()` method removed from JavaScript Admin Client
|
= `setOrCreateChild()` method removed from JavaScript Admin Client
|
||||||
|
|
||||||
The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead.
|
The `groups.setOrCreateChild()` method has been removed from that JavaScript-based Admin Client. If you are still using this method then use the `createChildGroup()` or `updateChildGroup()` methods instead.
|
||||||
|
|
|
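Review bot: the new release-notes section never tells readers that the BCFIPS 2.0 line needs an additional jar, `bcutil-fips`, next to `bc-fips`, `bctls-fips` and `bcpkix-fips` (the FIPS guide hunk and `ClassLoaderUtil` in this commit add it); a user who upgrades by swapping the old three jars for their 2.0 versions will be missing it, so add a sentence naming the fourth jar and pointing at the providers list in the FIPS guide. Minor wording: "used on the FIPS 140-3 compliant system" reads better as "used on a FIPS 140-3 compliant system", and "This might be the RHEL 9 based system, which itself is compliant" as "RHEL 9 based systems are compliant with FIPS 140-3, whereas RHEL 8 based systems are certified for FIPS 140-2 only".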
@ -37,12 +37,13 @@ When {project_name} executes in fips mode, it will use the BCFIPS bits instead o
|
||||||
|
|
||||||
=== BouncyCastle FIPS bits
|
=== BouncyCastle FIPS bits
|
||||||
|
|
||||||
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-java/[BouncyCastle official page]. Then you can add them to the directory
|
BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/download/bouncy-castle-java-fips/[BouncyCastle official page]. Then you can add them to the directory
|
||||||
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
|
`KEYCLOAK_HOME/providers` of your distribution. Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies. The supported BCFIPS bits needed are:
|
||||||
|
|
||||||
* bc-fips version ${properties["bouncycastle.bcfips.version"]}.
|
* bc-fips version ${properties["bouncycastle.bcfips.version"]}.
|
||||||
* bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}.
|
* bctls-fips version ${properties["bouncycastle.bctls-fips.version"]}.
|
||||||
* bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}.
|
* bcpkix-fips version ${properties["bouncycastle.pkixfips.version"]}.
|
||||||
|
* bcutil-fips version ${properties["bouncycastle.bcutilfips.version"]}.
|
||||||
|
|
||||||
== Generating keystore
|
== Generating keystore
|
||||||
|
|
||||||
|
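Review bot: "Then you can add them to the directory" has no antecedent for "them"; rephrase the first sentence as "download the BCFIPS jar files from ... and add them to the directory". "Make sure to use proper versions compatible with BouncyCastle {project_name} dependencies" also reads oddly; "compatible with the BouncyCastle versions {project_name} depends on" is clearer. Since `bcutil-fips` is a new requirement with the 2.0 line, consider marking it as new in this list so people upgrading an existing `providers` directory notice it.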
@ -154,17 +155,18 @@ always fulfils this requirement.
|
||||||
== Other restrictions
|
== Other restrictions
|
||||||
|
|
||||||
To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers.
|
To have SAML working, make sure that a `XMLDSig` security provider is available in your security providers.
|
||||||
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 17.0.6, these
|
To have Kerberos working, make sure that a `SunJGSS` security provider is available. In FIPS enabled RHEL 9 in OpenJDK 21, the `XMLDSig` security provider may be already enabled
|
||||||
security providers are not present in the `java.security`, which means that they effectively cannot work.
|
in the `java.security` by default and the same applies with latest OpenJDK 17. But with older OpenJDK 17, it may not be enabled by default, which means that SAML effectively cannot work.
|
||||||
|
|
||||||
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following:
|
To have SAML working, you can manually add the provider into `JAVA_HOME/conf/security/java.security` into the list fips providers. For example, add the line such as the following in case
|
||||||
|
that it is not already available in your FIPS security providers:
|
||||||
|
|
||||||
[source]
|
[source]
|
||||||
----
|
----
|
||||||
fips.provider.7=XMLDSig
|
fips.provider.7=XMLDSig
|
||||||
----
|
----
|
||||||
|
|
||||||
Adding this security provider should work well. In fact, it is FIPS compliant and likely will be added by default in the future OpenJDK 17 micro version.
|
Adding this security provider should work well. In fact, it is FIPS compliant and is already added by default in the OpenJDK 21.
|
||||||
Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla].
|
Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=1940064[bugzilla].
|
||||||
|
|
||||||
NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7`
|
NOTE: It is recommended to look at `JAVA_HOME/conf/security/java.security` and check all configured providers here and make sure that the number matches. In other words, `fips.provider.7`
|
||||||
|
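Review bot: the rewritten sentence silently drops the `SunJGSS` statement: the old text said both `XMLDSig` and `SunJGSS` were absent from `java.security` on FIPS-enabled RHEL 9 with OpenJDK 17.0.6, while the new text only covers `XMLDSig`, so a reader no longer learns whether Kerberos works on OpenJDK 21 or on current OpenJDK 17. State the `SunJGSS` status explicitly for both JDK lines, even if it is "still not enabled by default". Wording: "into the list fips providers" should be "into the list of FIPS providers", and "may be already enabled" should be "may already be enabled".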
@ -195,6 +197,7 @@ it detects that corresponding BCFIPS jars are present (see above for the version
|
||||||
----
|
----
|
||||||
cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
cp $KEYCLOAK_HOME/providers/bc-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||||
cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
cp $KEYCLOAK_HOME/providers/bctls-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||||
|
cp $KEYCLOAK_HOME/providers/bcutil-fips-*.jar $KEYCLOAK_HOME/bin/client/lib/
|
||||||
----
|
----
|
||||||
|
|
||||||
NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java
|
NOTE: When trying to use BCFKS truststore/keystore with CLI, you may see issues due this truststore is not the default java keystore type. It can be good to specify it as default in java
|
||||||
|
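Review bot: this `cp` list has to stay in sync with the `validJarPrefixes` array in `ClassLoaderUtil` (`bc-fips`, `bctls-fips`, `bcutil-fips` after this commit), because the CLI only loads jars whose names start with those prefixes. A sentence saying that exactly these three jars are needed for the CLI, and that a copied `bcpkix-fips` jar would simply be ignored, would save users from adding it and wondering why it has no effect.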
@ -223,7 +226,7 @@ For example in the current directory, you can create sub-directory `files` and a
|
||||||
|
|
||||||
* BC FIPS jar files as described above
|
* BC FIPS jar files as described above
|
||||||
* Custom keystore file - named for example `keycloak-fips.keystore.bcfks`
|
* Custom keystore file - named for example `keycloak-fips.keystore.bcfks`
|
||||||
* Security file `kc.java.security` with added provider for SAML
|
* Security file `kc.java.security` with added provider for SAML (Not needed with OpenJDK 21 or newer OpenJDK 17)
|
||||||
|
|
||||||
Then create `Containerfile` in the current directory similar to this:
|
Then create `Containerfile` in the current directory similar to this:
|
||||||
|
|
||||||
|
|
|
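Review bot: the parenthetical "(Not needed with OpenJDK 21 or newer OpenJDK 17)" leaves "newer" undefined; either state the OpenJDK 17 update from which `XMLDSig` is enabled by default, or link to the "Other restrictions" section that explains the situation. The `Containerfile` that follows this list should carry the same caveat on whatever line references `kc.java.security`, otherwise readers who skip the file will hit a build error there.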
@ -38,7 +38,7 @@ public class ClassLoaderUtil {
|
||||||
|
|
||||||
// Detect if BC FIPS jars are present in the "client/lib" directory
|
// Detect if BC FIPS jars are present in the "client/lib" directory
|
||||||
boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips"));
|
boolean bcFipsJarPresent = Stream.of(jarsInDir).anyMatch(file -> file.getName().startsWith("bc-fips"));
|
||||||
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
|
String[] validJarPrefixes = bcFipsJarPresent ? new String[] {"keycloak-crypto-fips1402", "bc-fips", "bctls-fips","bcutil-fips"} : new String[] {"keycloak-crypto-default", "bcprov-jdk18on"};
|
||||||
URL[] usedJars = Stream.of(jarsInDir)
|
URL[] usedJars = Stream.of(jarsInDir)
|
||||||
.filter(file -> {
|
.filter(file -> {
|
||||||
for (String prefix : validJarPrefixes) {
|
for (String prefix : validJarPrefixes) {
|
||||||
|
|
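Review bot: style nit on the changed line: missing space after the comma in `"bctls-fips","bcutil-fips"`; keep the elements formatted like the rest of the array. More substantively, this prefix list now duplicates the jar lists in the docs `cp` snippet and in the `includeArtifactIds` of the testsuite poms, so a short comment here naming those other places would help keep them aligned on the next BCFIPS bump.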
16
pom.xml
16
pom.xml
|
@ -86,10 +86,10 @@
|
||||||
<!-- Versions used mostly for Undertow server, aligned with WildFly -->
|
<!-- Versions used mostly for Undertow server, aligned with WildFly -->
|
||||||
<jboss.dmr.version>1.5.1.Final</jboss.dmr.version>
|
<jboss.dmr.version>1.5.1.Final</jboss.dmr.version>
|
||||||
|
|
||||||
<!-- TODO Are these correct versions? -->
|
<bouncycastle.pkixfips.version>2.0.7</bouncycastle.pkixfips.version>
|
||||||
<bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
|
<bouncycastle.bcfips.version>2.0.0</bouncycastle.bcfips.version>
|
||||||
<bouncycastle.bcfips.version>1.0.2.5</bouncycastle.bcfips.version>
|
<bouncycastle.bctls-fips.version>2.0.19</bouncycastle.bctls-fips.version>
|
||||||
<bouncycastle.bctls-fips.version>1.0.19</bouncycastle.bctls-fips.version>
|
<bouncycastle.bcutilfips.version>2.0.3</bouncycastle.bcutilfips.version>
|
||||||
|
|
||||||
<dom4j.version>2.1.3</dom4j.version>
|
<dom4j.version>2.1.3</dom4j.version>
|
||||||
<h2.version>2.3.230</h2.version>
|
<h2.version>2.3.230</h2.version>
|
||||||
|
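Review bot: the removed `<!-- TODO Are these correct versions? -->` is replaced by nothing; a one-line comment stating that these four properties belong to the BC FIPS 2.0 line and must be bumped together would keep the warning without the open question. Also note that the new property name `bouncycastle.bcutilfips.version` follows the `bcfips`/`pkixfips` style while `bouncycastle.bctls-fips.version` is the hyphenated odd one out; acceptable for now, but worth a follow-up rename for consistency.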
@ -390,23 +390,27 @@
|
||||||
<artifactId>xsom</artifactId>
|
<artifactId>xsom</artifactId>
|
||||||
<version>${org.glassfish.jaxb.xsom.version}</version>
|
<version>${org.glassfish.jaxb.xsom.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.bouncycastle</groupId>
|
<groupId>org.bouncycastle</groupId>
|
||||||
<artifactId>bcpkix-fips</artifactId>
|
<artifactId>bcpkix-fips</artifactId>
|
||||||
<version>${bouncycastle.pkixfips.version}</version>
|
<version>${bouncycastle.pkixfips.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.bouncycastle</groupId>
|
<groupId>org.bouncycastle</groupId>
|
||||||
<artifactId>bc-fips</artifactId>
|
<artifactId>bc-fips</artifactId>
|
||||||
<version>${bouncycastle.bcfips.version}</version>
|
<version>${bouncycastle.bcfips.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.bouncycastle</groupId>
|
<groupId>org.bouncycastle</groupId>
|
||||||
<artifactId>bctls-fips</artifactId>
|
<artifactId>bctls-fips</artifactId>
|
||||||
<version>${bouncycastle.bctls-fips.version}</version>
|
<version>${bouncycastle.bctls-fips.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.bouncycastle</groupId>
|
||||||
|
<artifactId>bcutil-fips</artifactId>
|
||||||
|
<version>${bouncycastle.bcutilfips.version}</version>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>com.github.ua-parser</groupId>
|
<groupId>com.github.ua-parser</groupId>
|
||||||
|
|
|
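Review bot: the new managed `bcutil-fips` dependency is consumed by the test-scoped declaration and the `IgnoredArtifacts` entry elsewhere in this commit, but none of the nine changed files is the pom of the `keycloak-crypto-fips1402` module; please confirm that module actually gets `bcutil-fips` on its classpath (through a parent or an existing dependency), otherwise the server-side BCFIPS 2.0 runtime may lack the utility classes the docs now list as required.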
@ -60,7 +60,8 @@ public class IgnoredArtifacts {
|
||||||
"org.keycloak:keycloak-crypto-fips1402",
|
"org.keycloak:keycloak-crypto-fips1402",
|
||||||
"org.bouncycastle:bc-fips",
|
"org.bouncycastle:bc-fips",
|
||||||
"org.bouncycastle:bctls-fips",
|
"org.bouncycastle:bctls-fips",
|
||||||
"org.bouncycastle:bcpkix-fips"
|
"org.bouncycastle:bcpkix-fips",
|
||||||
|
"org.bouncycastle:bcutil-fips"
|
||||||
);
|
);
|
||||||
|
|
||||||
private static Set<String> fips() {
|
private static Set<String> fips() {
|
||||||
|
|
|
@ -70,6 +70,11 @@
|
||||||
<artifactId>bctls-fips</artifactId>
|
<artifactId>bctls-fips</artifactId>
|
||||||
<scope>test</scope>
|
<scope>test</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.bouncycastle</groupId>
|
||||||
|
<artifactId>bcutil-fips</artifactId>
|
||||||
|
<scope>test</scope>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>com.fasterxml.jackson.core</groupId>
|
<groupId>com.fasterxml.jackson.core</groupId>
|
||||||
<artifactId>jackson-databind</artifactId>
|
<artifactId>jackson-databind</artifactId>
|
||||||
|
|
|
@ -33,7 +33,7 @@ import io.quarkus.test.junit.main.LaunchResult;
|
||||||
@RawDistOnly(reason = "Containers are immutable")
|
@RawDistOnly(reason = "Containers are immutable")
|
||||||
public class FipsDistTest {
|
public class FipsDistTest {
|
||||||
|
|
||||||
private static final String BCFIPS_VERSION = "BCFIPS version 1.000205";
|
private static final String BCFIPS_VERSION = "BCFIPS version 2.0";
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void testFipsNonApprovedMode(KeycloakDistribution dist) {
|
void testFipsNonApprovedMode(KeycloakDistribution dist) {
|
||||||
|
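Review bot: `BCFIPS_VERSION` changes from the full `1.000205` string to the bare `2.0`; if the provider reports its full version (the root pom pins `bc-fips` at 2.0.0), the assertion that uses this constant needs to match on a prefix or on what the provider actually prints. Consider deriving the expected value from the `bouncycastle.bcfips.version` property instead of a hardcoded literal, so the next bump does not silently break this test.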
@ -174,6 +174,7 @@ public class FipsDistTest {
|
||||||
rawDist.copyProvider("org.bouncycastle", "bc-fips");
|
rawDist.copyProvider("org.bouncycastle", "bc-fips");
|
||||||
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
|
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
|
||||||
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
|
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
|
||||||
|
rawDist.copyProvider("org.bouncycastle", "bcutil-fips");
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -346,7 +346,7 @@
|
||||||
</goals>
|
</goals>
|
||||||
<configuration>
|
<configuration>
|
||||||
<outputDirectory>${auth.server.home}/providers</outputDirectory>
|
<outputDirectory>${auth.server.home}/providers</outputDirectory>
|
||||||
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips</includeArtifactIds>
|
<includeArtifactIds>bc-fips,bctls-fips,bcpkix-fips,bcutil-fips</includeArtifactIds>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
<execution>
|
<execution>
|
||||||
|
@ -357,7 +357,7 @@
|
||||||
</goals>
|
</goals>
|
||||||
<configuration>
|
<configuration>
|
||||||
<outputDirectory>${auth.server.home}/bin/client/lib</outputDirectory>
|
<outputDirectory>${auth.server.home}/bin/client/lib</outputDirectory>
|
||||||
<includeArtifactIds>bc-fips,bctls-fips</includeArtifactIds>
|
<includeArtifactIds>bc-fips,bctls-fips,bcutil-fips</includeArtifactIds>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
</executions>
|
</executions>
|
||||||
|
|
|
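Review bot: this is the fourth place in the commit where the client-side BCFIPS jar list (`bc-fips,bctls-fips,bcutil-fips`) is spelled out, after the docs `cp` snippet, `ClassLoaderUtil.validJarPrefixes` and the `<include>` patterns in the last hunk; consider a single Maven property holding the list so the `providers` and `bin/client/lib` executions cannot drift apart.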
@ -706,6 +706,7 @@
|
||||||
<includes>
|
<includes>
|
||||||
<include>bc-fips-*</include>
|
<include>bc-fips-*</include>
|
||||||
<include>bctls-fips-*</include>
|
<include>bctls-fips-*</include>
|
||||||
|
<include>bcutil-fips-*</include>
|
||||||
</includes>
|
</includes>
|
||||||
</resource>
|
</resource>
|
||||||
</resources>
|
</resources>
|
||||||
|
|