Cxf-soap tests fail in FIPS environment (fix for JVM) #5485

Closed
Expand Up @@ -16,4 +16,19 @@ We test in two ways how the SOAP service endpoints are deployed: the Camel way a
* The service method then forwards to a Camel route defined in `WsSecurityPolicyServerRoutesCxfWay`
* See also `WssSecurityPolicyHelloServiceCxfWayImpl`
* This way may come in handy in situations when the Camel way does not work properly,
such as https://github.com/apache/camel-quarkus/issues/4291
such as https://github.com/apache/camel-quarkus/issues/4291

= FIPS

Please use profile `fips` if running the tests in the FIPS-enabled environment. The tests have to leverage BouncyCastle-fips dependency instead of standard BouncyCastle.

= Generating keystores

Run following script `keystores.sh` in a folder with `cxfca-openssl.config`.

Content of the script file:

[source,bash]
----
include::./keystores.sh[]
----
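Review bot: The config file name in the new "Generating keystores" section does not match what this PR adds: the README tells the reader to run the script in a folder with `cxfca-openssl.config`, while `keystores.sh` passes `-config cxfca-openssl.cnf` and the config file added in this PR is the `.cnf` one. Change the README to `cxfca-openssl.cnf`. The FIPS paragraph could also say how the profile is selected (`-Dfips`, which is what the `<activation><property><name>fips</name>` block in pom.xml keys on), so a reader does not have to dig that out of the pom.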
@@ -0,0 +1,16 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
organizationName = Organization Name (eg, company)
organizationName_default = apache.org
organizationalUnitName = Organization Unit (eg, company)
organizationalUnitName_default = eng (NOT FOR PRODUCTION)
commonName = Common Name (eg, YOUR name)
commonName_default = cxfca

[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

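Review bot: `basicConstraints = CA:true` under `[v3_req]` should be `basicConstraints = critical, CA:true`: RFC 5280 section 4.2.1.9 requires CA certificates to carry this extension marked critical, and the line is inconsistent with the `keyUsage = critical, keyCertSign` right below it. Two smaller points: the prompt text for `organizationalUnitName` still says `(eg, company)` (copied from the line above), and this file has no ASF license header while the sibling `keystores.sh` does; either add one as `#` comments, which OpenSSL accepts in a config file, or make sure the RAT exclusions cover it.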
@@ -0,0 +1,42 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

echo "*** Generate keys ***"
openssl genrsa -out alice.key 2048
openssl genrsa -out bob.key 2048

echo "*** Certificate authority ***"
echo "When prompted for certificate information, confirm default values."
openssl genrsa -out cxfca.key 2048
openssl req -x509 -new -key cxfca.key -nodes -out cxfca.pem -config cxfca-openssl.cnf -days 10000 -extensions v3_req
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -days 10000 -out cxfca.crt

echo "*** Generate certificates ***"
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=alice' -key alice.key -out alice.csr
openssl x509 -req -in alice.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out alice.crt
openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=bob' -key bob.key -out bob.csr
openssl x509 -req -in bob.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out bob.crt

echo "*** Export keystores ***"
openssl pkcs12 -export -in alice.crt -inkey alice.key -certfile cxfca.crt -name "alice" -out alice.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc
openssl pkcs12 -export -in bob.crt -inkey bob.key -certfile cxfca.crt -name "bob" -out bob.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc

echo "When prompted for password, type 'password'."
echo "When prompted whether to trust the certificate, type 'yes'."
keytool -import -trustcacerts -alias bob -file bob.crt -keystore alice.p12
keytool -import -trustcacerts -alias alice -file alice.crt -keystore bob.p12
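Review bot: The `openssl req -new ... -x509 -key cxfca.key -out cxfca.crt` line under "Generate certificates" re-creates `cxfca.crt` without `-days`, so it overwrites the 10000-day CA certificate produced a few lines earlier with one that has OpenSSL's default 30-day validity. That short-lived certificate is then what `-certfile cxfca.crt` embeds into `alice.p12` and `bob.p12`, while `alice.crt` and `bob.crt` were actually signed against `cxfca.pem`. The script thus ends up with two different self-signed CA certificates for the same key, one of which expires a month after the keystores are generated. Drop the duplicate `req -x509` line and use `cxfca.pem` (the one built from `cxfca-openssl.cnf` with `CA:true`) for `-certfile`, so the chain stored in the keystores is the one that issued the leaf certificates. Smaller points: the file has no shebang and no `set -e`, so a failing `openssl` step is silently followed by the next one (`#!/usr/bin/env bash` plus `set -euo pipefail` before the first command would fix that); the two `keytool -import` calls can be made non-interactive with `-storepass password -noprompt`, which would also remove the need for the two `echo` instructions above them; and `-nodes` on the first `req -x509` line has no effect, because the key is supplied with `-key` rather than generated.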
230 changes: 30 additions & 200 deletions integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml
Expand Up @@ -118,206 +118,6 @@
<storepass>password</storepass>
</configuration>
<executions>
<execution>
<id>generate-cxfca-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<dname>CN=cxfca, OU=eng, O=apache.org</dname>
<exts>
<ext>bc:c=ca:true,pathlen:2147483647</ext>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
</exts>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
</configuration>
</execution>
<execution>
<id>export-cxfca-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>exportCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>generate-alice-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>alice</alias>
<dname>CN=alice, OU=eng, O=apache.org</dname>
<exts>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
<ext>SubjectAlternativeName=DNS:localhost,IP:127.0.0.1</ext>
</exts>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
</configuration>
</execution>
<execution>
<id>generate-bob-keypair</id>
<phase>generate-sources</phase>
<goals>
<goal>clean</goal>
<goal>generateKeyPair</goal>
</goals>
<configuration>
<alias>bob</alias>
<dname>CN=bob, OU=eng, O=apache.org</dname>
<exts>
<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
<ext>SubjectAlternativeName=DNS:localhost,IP:127.0.0.1</ext>
</exts>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
</configuration>
</execution>
<execution>
<id>generate-alice-certificate-request</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificateRequest</goal>
</goals>
<configuration>
<alias>alice</alias>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/alice.csr</file>
</configuration>
</execution>
<execution>
<id>generate-alice-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<infile>${project.build.outputDirectory}/alice.csr</infile>
<outfile>${project.build.outputDirectory}/alice.pem</outfile>
</configuration>
</execution>
<execution>
<id>generate-bob-certificate-request</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificateRequest</goal>
</goals>
<configuration>
<alias>bob</alias>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/bob.csr</file>
</configuration>
</execution>
<execution>
<id>generate-bob-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>generateCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
<rfc>true</rfc>
<infile>${project.build.outputDirectory}/bob.csr</infile>
<outfile>${project.build.outputDirectory}/bob.pem</outfile>
</configuration>
</execution>
<execution>
<id>import-cxfca-certificate-to-alice</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>import-cxfca-certificate-to-bob</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>cxfca</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/cxfca.pem</file>
</configuration>
</execution>
<execution>
<id>import-alice-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>alice</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/alice.pem</file>
</configuration>
</execution>
<execution>
<id>import-bob-certificate</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>bob</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/bob.pem</file>
</configuration>
</execution>
<execution>
<id>import-bob-certificate-to-alice</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>bob</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/alice.jks</keystore>
<file>${project.build.outputDirectory}/bob.pem</file>
</configuration>
</execution>
<execution>
<id>import-alice-certificate-to-bob</id>
<phase>generate-sources</phase>
<goals>
<goal>importCertificate</goal>
</goals>
<configuration>
<alias>alice</alias>
<trustcacerts>true</trustcacerts>
<noprompt>true</noprompt>
<keystore>${project.build.outputDirectory}/bob.jks</keystore>
<file>${project.build.outputDirectory}/alice.pem</file>
</configuration>
</execution>
<!-- Uncomment execution block below for local testing -->
<!-- <execution>-->
<!-- <id>list</id>-->
Expand Down Expand Up @@ -383,6 +183,36 @@
<skipTests>true</skipTests>
</properties>
</profile>
<profile>
<id>fips</id>
<activation>
<property>
<name>fips</name>
</property>
</activation>
<dependencies>
<dependency>
<groupId>io.quarkiverse.cxf</groupId>
<artifactId>quarkus-cxf-rt-ws-security</artifactId>
<exclusions>
<!-- BC-FIPS is used instead of BC-->
<exclusion>
<artifactId>*</artifactId>
<groupId>org.bouncycastle</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
</dependency>
<!--Required for registration of BCFIPS -->
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-security</artifactId>
</dependency>
</dependencies>
</profile>
</profiles>

</project>
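Review bot: `bc-fips` is declared without a `<version>`, which only builds if the parent's `dependencyManagement` (or an imported BOM) manages `org.bouncycastle:bc-fips`; please confirm that is the case. The `<artifactId>*</artifactId>` exclusion drops every `org.bouncycastle` artifact that `quarkus-cxf-rt-ws-security` pulls in, not only the provider jar, so if WSS4J or Santuario reaches a `bcpkix` class on a FIPS run, the FIPS counterpart (`bcpkix-fips`) would have to be added next to `bc-fips`. Finally, `quarkus-security` is only on the classpath inside this profile, while `application.properties` sets `quarkus.security.security-providers=BCFIPS` unconditionally; it would be cleaner for the property to be switched by the same flag as the dependency. Nit: the comment `<!-- BC-FIPS is used instead of BC-->` is missing a space before `-->`.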
Binary file not shown.
Expand Up @@ -15,7 +15,7 @@
## limitations under the License.
## ---------------------------------------------------------------------------
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=alice
org.apache.ws.security.crypto.merlin.file=alice.jks
org.apache.ws.security.crypto.merlin.file=alice.p12
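Review bot: The switch to `pkcs12` keeps `merlin.keystore.password=password` as the only password, which works because `openssl pkcs12 -export -passout pass:password` in `keystores.sh` puts the same password on the store and on the key entry, and the later `keytool -import` into the same `.p12` uses it too; if the key and store passwords ever diverge, Merlin would need the private-key password configured separately. Since the file is being touched anyway, consider moving from the legacy `org.apache.ws.security.crypto.*` prefix to the WSS4J 2.x `org.apache.wss4j.crypto.*` prefix; the old keys are still accepted, so this is a style point, not a blocker.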
Expand Up @@ -19,4 +19,7 @@ quarkus.cxf.path=/soapservice

quarkus.cxf.endpoint."/security-policy-hello-cxf-way".implementor=org.apache.camel.quarkus.component.cxf.soap.securitypolicy.server.cxf.way.it.WssSecurityPolicyHelloServiceCxfWayImpl

quarkus.native.resources.includes=bob.properties,alice.properties,alice.jks,bob.jks,encrypt-sign-policy.xml
quarkus.native.resources.includes=bob.properties,alice.properties,alice.p12,bob.p12,encrypt-sign-policy.xml

#If profile 'fips' is active, this property is used to select a security-provider.
quarkus.security.security-providers=BCFIPS
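Review bot: `quarkus.security.security-providers=BCFIPS` is set unconditionally, but the extension that consumes it (`quarkus-security`) and the `bc-fips` provider are only added by the Maven `fips` profile. In a non-FIPS build the key is unrecognized and Quarkus only logs a warning, so nothing breaks, but the comment above it is only true for readers who know the pom. Consider scoping the key to a Quarkus profile instead, e.g. `%fips.quarkus.security.security-providers=BCFIPS`, with the Maven `fips` profile passing `-Dquarkus.profile=fips` to the build and to the test plugins, so the property and the dependency are controlled by one switch. The `.jks` to `.p12` rename in `quarkus.native.resources.includes` looks complete and matches the new Merlin properties.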
Binary file not shown.
Expand Up @@ -15,7 +15,7 @@
## limitations under the License.
## ---------------------------------------------------------------------------
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
org.apache.ws.security.crypto.merlin.file=bob.p12