Cxf-soap tests fail in FIPS environment
JiriOndrusek committed Nov 6, 2023
1 parent 82f1423 commit 343ea9a
Showing 24 changed files with 231 additions and 217 deletions.
@@ -16,4 +16,50 @@ We test in two ways how the SOAP service endpoints are deployed: the Camel way a
* The service method then forwards to a Camel route defined in `WsSecurityPolicyServerRoutesCxfWay`
* See also `WssSecurityPolicyHelloServiceCxfWayImpl`
* This way may come in handy in situations when the Camel way does not work properly,
such as https://github.com/apache/camel-quarkus/issues/4291
such as https://github.com/apache/camel-quarkus/issues/4291

= FIPS

Please use profile `fips` if running the tests in the FIPS-enabled environment. The tests have to leverage BouncyCastle-fips dependency instead of standard BouncyCastle.

= Generating keystores

=== Generate keys

```
openssl genrsa -out alice.key 2048
openssl genrsa -out bob.key 2048
```

=== Certificate authority

When prompted for certificate information, confirm default values.
```
openssl genrsa -out cxfca.key 2048
openssl req -x509 -new -key cxfca.key -nodes -out cxfca.pem -config cxfca-openssl.cnf -days 3650 -extensions v3_req
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt
```

=== Generate certificates
```
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt

openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=alice' -key alice.key -out alice.csr
openssl x509 -req -in alice.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -out alice.crt

openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=bob' -key bob.key -out bob.csr
openssl x509 -req -in bob.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -out bob.crt
```

=== Export keystores

When prompted for password, type `password`.
When prompted whether to trust the certificate, type `yes`.

```
openssl pkcs12 -export -in alice.crt -inkey alice.key -certfile cxfca.crt -name "alice" -out alice.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc
openssl pkcs12 -export -in bob.crt -inkey bob.key -certfile cxfca.crt -name "bob" -out bob.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc

keytool -import -trustcacerts -alias bob -file bob.crt -keystore alice.p12
keytool -import -trustcacerts -alias alice -file alice.crt -keystore bob.p12
```
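Review bot: the two leaf-signing commands, `openssl x509 -req -in alice.csr -CA cxfca.pem ...` and the matching `bob.csr` line, carry no `-days`, so OpenSSL gives alice and bob its default 30-day validity; because the resulting `alice.p12`/`bob.p12` are committed as binaries instead of being regenerated at build time, the WS-Security tests will start failing on expired certificates roughly a month after the keystores are generated. Add `-days 3650` (the value already used for the CA) to both `x509 -req` commands. Two further points in the same section: `openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt` appears twice (under "Certificate authority" and again under "Generate certificates") and each run mints a second, distinct self-signed certificate for the CA key with OpenSSL's default extensions, whereas alice and bob are issued from `cxfca.pem`, the certificate built with `-config cxfca-openssl.cnf`; the later `pkcs12 -export ... -certfile cxfca.crt` therefore bundles a CA certificate other than the one that signed the leaves. Chain validation still passes because issuer DN and public key are identical, but keeping a single CA certificate (`cxfca.pem`) and deleting the duplicate command removes the ambiguity. Finally, `keytool -import ... -keystore alice.p12` rewrites the whole PKCS#12 file with the JDK's default protection algorithms, so the `-keypbe aes-256-cbc -certpbe aes-256-cbc` choice only survives when the import is run with a JDK whose PKCS#12 defaults are already AES/HMAC-SHA256 (JDK 16 and later, and the backport in later JDK 11 updates); on older JDKs the store silently goes back to the legacy SHA1/RC2-40 PBE that these flags were meant to avoid. State the JDK requirement next to "When prompted for password, type `password`", or do the peer-certificate import with `openssl pkcs12` as well. Minor style point: `= FIPS` and `= Generating keystores` are document-title level in AsciiDoc while the subsections use `===`; `==` keeps the hierarchy consistent with the rest of the README.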
@@ -0,0 +1,16 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
organizationName = Organization Name (eg, company)
organizationName_default = apache.org
organizationalUnitName = Organization Unit (eg, company)
organizationalUnitName_default = eng (NOT FOR PRODUCTION)
commonName = Common Name (eg, YOUR name)
commonName_default = cxfca

[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign
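Review bot: `basicConstraints = CA:true` in `[v3_req]` should be marked critical (`basicConstraints = critical, CA:true`), which is what RFC 5280 requires for a CA certificate and what every other CA-generation recipe does; while there, `keyUsage = critical, keyCertSign, cRLSign` and `subjectKeyIdentifier = hash` cost nothing and let issued certificates carry an authority key identifier should the signing step in the README ever be given an `-extfile`. Also, the prompt label `Organization Unit (eg, company)` was copied from the line above; `(eg, section)` is what the field asks for. None of this changes test behaviour, it just keeps the CA template unsurprising.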

233 changes: 33 additions & 200 deletions integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml
@@ -118,206 +118,6 @@
<storepass>password</storepass>
</configuration>
<executions>
<execution>
<id>generate-cxfca-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<dname>CN=cxfca, OU=eng, O=apache.org</dname>
<exts>
<ext>bc:c=ca:true,pathlen:2147483647</ext>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
</exts>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
</configuration>
</execution>
<execution>
<id>export-cxfca-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>exportCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>generate-alice-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>alice</alias>
<dname>CN=alice, OU=eng, O=apache.org</dname>
<exts>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
<ext>SubjectAlternativeName=DNS:localhost,IP:127.0.0.1</ext>
</exts>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
</configuration>
</execution>
<execution>
<id>generate-bob-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>bob</alias>
<dname>CN=bob, OU=eng, O=apache.org</dname>
<exts>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
<ext>SubjectAlternativeName=DNS:localhost,IP:127.0.0.1</ext>
</exts>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
</configuration>
</execution>
<execution>
<id>generate-alice-certificate-request</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificateRequest</goal>
</goals>
<configuration>
<alias>alice</alias>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/alice.csr</file>
</configuration>
</execution>
<execution>
<id>generate-alice-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<infile>${project.build.outputDirectory}/alice.csr</infile>
<outfile>${project.build.outputDirectory}/alice.pem</outfile>
</configuration>
</execution>
<execution>
<id>generate-bob-certificate-request</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificateRequest</goal>
</goals>
<configuration>
<alias>bob</alias>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/bob.csr</file>
</configuration>
</execution>
<execution>
<id>generate-bob-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<infile>${project.build.outputDirectory}/bob.csr</infile>
<outfile>${project.build.outputDirectory}/bob.pem</outfile>
</configuration>
</execution>
<execution>
<id>import-cxfca-certificate-to-alice</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>import-cxfca-certificate-to-bob</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>import-alice-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>alice</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/alice.pem</file>
</configuration>
</execution>
<execution>
<id>import-bob-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>bob</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/bob.pem</file>
</configuration>
</execution>
<execution>
<id>import-bob-certificate-to-alice</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>bob</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/bob.pem</file>
</configuration>
</execution>
<execution>
<id>import-alice-certificate-to-bob</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>alice</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/alice.pem</file>
</configuration>
</execution>
<!-- Uncomment execution block below for local testing -->
<!-- <execution>-->
<!-- <id>list</id>-->
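Review bot: with every `keytool-maven-plugin` execution deleted, the plugin block above is left holding `<storepass>password</storepass>` and an `<executions>` element whose only content is the commented-out `list` execution; either remove the plugin declaration entirely or keep `list` active behind a dev profile so the committed `.p12` files can still be inspected from the build. The larger trade-off in this hunk is that keystores produced at `generate-sources` time (which also gave alice and bob `SubjectAlternativeName=DNS:localhost,IP:127.0.0.1` and `IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE`) are replaced by binaries checked into the repository: they expire, cannot be reviewed in a diff, and the `openssl x509 -req` step in the README copies no extensions from the CSR, so the SAN entries are gone. If the binaries stay, the README procedure is the only way to regenerate them and deserves to be a script in the module rather than prose.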
@@ -383,6 +183,39 @@
<skipTests>true</skipTests>
</properties>
</profile>
<profile>
<id>fips</id>
<activation>
<property>
<name>fips</name>
</property>
</activation>
<properties>
<security.procide>quarkus.security.security-providers=BCFIPS</security.procide>
</properties>
<dependencies>
<dependency>
<groupId>io.quarkiverse.cxf</groupId>
<artifactId>quarkus-cxf-rt-ws-security</artifactId>
<exclusions>
<!-- BC-FIPS is used instead of BC-->
<exclusion>
<artifactId>*</artifactId>
<groupId>org.bouncycastle</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
</dependency>
<!--Required for registration of BCFIPS -->
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-security</artifactId>
</dependency>
</dependencies>
</profile>
</profiles>

</project>
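Review bot: `<security.procide>` reads like a typo for `security.provider`, and nothing else in this diff references the property, so the `fips` profile currently changes only dependencies; the actual provider switch lives in `application.properties`, where `quarkus.security.security-providers=BCFIPS` is set unconditionally. Either feed the property into the surefire/failsafe system properties so it reaches Quarkus only under `-Dfips`, or drop it. Two checks before merging: the `org.bouncycastle:*` exclusion is scoped to `quarkus-cxf-rt-ws-security` alone, so run `mvn dependency:tree -Dfips` on this module and confirm no `bcprov`/`bcpkix` jar still arrives through another dependency, since having both BC and BC-FIPS on the classpath is a reliable source of provider-selection surprises; and `bc-fips` is declared without `<version>`, so confirm it is managed by the parent or a BOM (not visible in this excerpt).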
Binary file not shown.
@@ -15,7 +15,7 @@
## limitations under the License.
## ---------------------------------------------------------------------------
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=alice
org.apache.ws.security.crypto.merlin.file=alice.jks
org.apache.ws.security.crypto.merlin.file=alice.p12
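Review bot: the `keystore.type` change from `jks` to `pkcs12` is the part that matters for FIPS: JKS is a SUN-provider-only format with a proprietary SHA-1-based key protection, and FIPS-configured JDKs typically disable it, whereas PKCS#12 can be protected with the PBKDF2/AES parameters the README's `openssl pkcs12 -export ... -keypbe aes-256-cbc -certpbe aes-256-cbc` step selects. `bob.properties` receives the identical edit below. One caveat worth a comment in the file: Merlin opens the `.p12` through whichever provider wins for `KeyStore.PKCS12`, so a store that was (re)written with legacy RC2/3DES PBE loads fine in the default build and only fails once BCFIPS is registered, meaning the FIPS CI job is the sole check on a badly generated keystore.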
@@ -19,4 +19,7 @@ quarkus.cxf.path=/soapservice

quarkus.cxf.endpoint."/security-policy-hello-cxf-way".implementor=org.apache.camel.quarkus.component.cxf.soap.securitypolicy.server.cxf.way.it.WssSecurityPolicyHelloServiceCxfWayImpl

quarkus.native.resources.includes=bob.properties,alice.properties,alice.jks,bob.jks,encrypt-sign-policy.xml
quarkus.native.resources.includes=bob.properties,alice.properties,alice.p12,bob.p12,encrypt-sign-policy.xml

#If profile 'fips' is active, this property is used to select a security-provider.
quarkus.security.security-providers=BCFIPS
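Review bot: the comment above says this property is used only when profile `fips` is active, but `quarkus.security.security-providers=BCFIPS` is set unconditionally, so the default build, in which `bc-fips` is not a dependency and `quarkus-security` is only pulled in by the Maven `fips` profile, also asks Quarkus to register a provider that is not on the classpath. Scope the key to a Quarkus profile, `%fips.quarkus.security.security-providers=BCFIPS`, and run the FIPS build with `-Dquarkus.profile=fips` next to `-Dfips`, or pass the value from the Maven profile as a system property; as written, the comment is misleading and the non-FIPS build relies on Quarkus tolerating an unknown provider name.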
Binary file not shown.
@@ -15,7 +15,7 @@
## limitations under the License.
## ---------------------------------------------------------------------------
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
org.apache.ws.security.crypto.merlin.file=bob.p12