Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fips support #1893

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fips support #1893

wants to merge 1 commit into from

Conversation

ffang
Copy link
Contributor

@ffang ffang commented May 26, 2024

No description provided.

@jgoodyear
Copy link
Contributor

To help provide some testing of this PR , does one need to enable a profile or another parameter to test all the FIPS test cases or its all included in mvn install ?

@ffang
Copy link
Contributor Author

ffang commented May 26, 2024

what I have done in this PR

  1. introduce a system property "fips.enabled", when it's true, switch the security algorithms which are not allowed in fips to fips compliant ones.
    Mainly they are from AES_CBC to AES_GCM; from RSA_OAEP to RSA1_5. This needs the Apache WSS4J side change also. Please see
    https://issues.apache.org/jira/browse/WSS-711
    The default value of "fips.enabled" is false. So the default behaviour is the same as before.
  2. A maven profile "fips" is introduced. So just run "mvn clean install -Pfips" on a fips enabled machine/jdk should be sufficient.
  3. Several fips compliant ws-securitypolicy names are introduced to help easily run in fips mode
  4. A lot security related tests are revised to pick up the fips compliant configurations/keys/certs when running tests with fips profile.

@ffang
Copy link
Contributor Author

ffang commented May 26, 2024

To help provide some testing of this PR , does one need to enable a profile or another parameter to test all the FIPS test cases or its all included in mvn install ?

Hi @jgoodyear ,
A maven profile "fips" is introduced. So just run "mvn clean install -Pfips" on a fips enabled machine/jdk should be sufficient.

Cheers
Freeman

@jgoodyear
Copy link
Contributor

Is there a FIPS enabled build host on Apache infra? (CXF has ubuntu and windows test hosts, would be nice if the FIPS paths are regularly tested as well).

@jgoodyear
Copy link
Contributor

Non-FIPS builds of CXF-9008 branch:

Stream 9 OS with Eclipse Adoptium 17 on PPC64LE Passed.
Ubuntu 22.04 LTS with Eclipse Adoptium 17 on x64 Passed.

@jgoodyear
Copy link
Contributor

jgoodyear commented May 27, 2024

FIPS mode enabled on Stream 9 OS:

`
[jgoodyear@localhost cxf]$ fips-mode-setup --check

FIPS mode is enabled.

[jgoodyear@localhost ~]$ uname -a

Linux localhost.localdomain 5.14.0-447.el9.ppc64le #1 SMP Tue May 7 10:29:50 UTC 2024 ppc64le ppc64le ppc64le GNU/Linux
`

Invocation:

[jgoodyear@localhost cxf]$ mvn clean install -Dsemeru.fips=true -Pfips

Error Message:

`
[INFO]

[INFO] --- surefire:3.2.5:test (default-test) @ cxf-core ---

[INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider

[INFO]

[INFO] -------------------------------------------------------

[INFO] T E S T S

[INFO] -------------------------------------------------------

java.lang.RuntimeException: Restricted security mode is not supported on this platform.
`

Maven/Java versions:

`
[jgoodyear@localhost cxf]$ mvn -version

Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)

Maven home: /home/jgoodyear/Documents/x1/maven/apache-maven-3.9.6

Java version: 17.0.8.1, vendor: IBM Corporation, runtime: /usr/lib/jvm/ibm-semeru-open-17-jdk

Default locale: en_US, platform encoding: UTF-8

OS name: "linux", version: "5.14.0-447.el9.ppc64le", arch: "ppc64le", family: "unix"
`

Its very possible I do not have a complete FIPS configuration for this system, that being said, enabling FIPS on the OS, and passing to Semeru fips=true should be the out of the box requirement for basic use. Any pointers welcome :)

This is a very cool feature to support for CXF.

@ffang
Copy link
Contributor Author

ffang commented May 27, 2024

FIPS mode enabled on Stream 9 OS:

` [jgoodyear@localhost cxf]$ fips-mode-setup --check

FIPS mode is enabled.

[jgoodyear@localhost ~]$ uname -a

Linux localhost.localdomain 5.14.0-447.el9.ppc64le #1 SMP Tue May 7 10:29:50 UTC 2024 ppc64le ppc64le ppc64le GNU/Linux `

Invocation:

[jgoodyear@localhost cxf]$ mvn clean install -Dsemeru.fips=true -Pfips

Error Message:

` [INFO]

[INFO] --- surefire:3.2.5:test (default-test) @ cxf-core ---

[INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider

[INFO]

[INFO] -------------------------------------------------------

[INFO] T E S T S

[INFO] -------------------------------------------------------

java.lang.RuntimeException: Restricted security mode is not supported on this platform. `

Maven/Java versions:

` [jgoodyear@localhost cxf]$ mvn -version

Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)

Maven home: /home/jgoodyear/Documents/x1/maven/apache-maven-3.9.6

Java version: 17.0.8.1, vendor: IBM Corporation, runtime: /usr/lib/jvm/ibm-semeru-open-17-jdk

Default locale: en_US, platform encoding: UTF-8

OS name: "linux", version: "5.14.0-447.el9.ppc64le", arch: "ppc64le", family: "unix" `

Its very possible I do not have a complete FIPS configuration for this system, that being said, enabling FIPS on the OS, and passing to Semeru fips=true should be the out of the box requirement for basic use. Any pointers welcome :)

This is a very cool feature to support for CXF.

Hi @jgoodyear ,

Thanks for testing with this PR.

I'm not sure how to configure the environment you are using. Just FYI, my FIPS testing machine is like
Maven home: /tools/opt/apache-maven-3.8.6
Java version: 21.0.2, vendor: Red Hat, Inc., runtime: /usr/lib/jvm/java-21-openjdk-21.0.2.0.13-1.el8.x86_64
Default locale: en_CA, platform encoding: UTF-8
OS name: "linux", version: "4.18.0-477.27.1.el8_8.x86_64", arch: "amd64", family: "unix"

And If I do "mvn clean install -Pfips" I get a green build on that machine

Freeman

@jgoodyear
Copy link
Contributor

No additions to your settings xml ?

I'll try the older Maven version, and RH OpenJDK 17 (want to verify using FIPS doesn't require a higher version than main builds).

@ffang
Copy link
Contributor Author

ffang commented May 27, 2024

No additions to your settings xml ?

I'll try the older Maven version, and RH OpenJDK 17 (want to verify using FIPS doesn't require a higher version than main builds).

No additions to my settings.xml.

And I think you need to use JDK21(LTS version) to get all tests passed with FIPS mode, because KW and KWP were added to PKCS11 provider(this is the FIPS compliant security provider) since JDK18, JDK17 missed this part.

Please see
https://bugs.openjdk.org/browse/JDK-8264849

@jgoodyear
Copy link
Contributor

Interesting, thanks for that heads up -- will re-try Semeru on version 21 as well.

@jgoodyear
Copy link
Contributor

As a heads up, IBM Semeru 17.0.10 is where FIPS support begins - i had 17.0.8.
I have a build currently in flight, will update when complete.

@jgoodyear
Copy link
Contributor

Using Semeru 17.0.10 I got to :
[INFO] Apache CXF Runtime WS Security ..................... FAILURE [ 35.135 s]

In which the error messages were of the form:

`
NoSuchAlgorithmException: PKCS11 SecureRandom not available

or

org.apache.cxf.binding.soap.SoapFault: Security processing failed.
`

[ERROR] Tests run: 228, Failures: 3, Errors: 60, Skipped: 19

Will try Semeru 21 now

@jgoodyear
Copy link
Contributor

Semeru 21 had class not found error,
RH OpenJDK 22 (latest) was not happy either.

`
[INFO]

[INFO] Apache CXF ......................................... SUCCESS [ 0.217 s]

[INFO] Apache CXF BOM ..................................... SUCCESS [ 0.011 s]

[INFO] Apache CXF Parent .................................. SUCCESS [ 1.125 s]

[INFO] Apache CXF Core .................................... FAILURE [ 19.362 s]
`

I'll take a deeper look on Semeru 17 tomorrow.

@ffang
Copy link
Contributor Author

ffang commented May 27, 2024

Semeru 21 had class not found error, RH OpenJDK 22 (latest) was not happy either.

` [INFO]

[INFO] Apache CXF ......................................... SUCCESS [ 0.217 s]

[INFO] Apache CXF BOM ..................................... SUCCESS [ 0.011 s]

[INFO] Apache CXF Parent .................................. SUCCESS [ 1.125 s]

[INFO] Apache CXF Core .................................... FAILURE [ 19.362 s] `

I'll take a deeper look on Semeru 17 tomorrow.

A quick question, did you manually applied this PR to WSS4J first and build locally
apache/ws-wss4j#313
This CXF PR relies on the WSS4J PR

@ffang
Copy link
Contributor Author

ffang commented May 27, 2024

Using Semeru 17.0.10 I got to : [INFO] Apache CXF Runtime WS Security ..................... FAILURE [ 35.135 s]

In which the error messages were of the form:

` NoSuchAlgorithmException: PKCS11 SecureRandom not available

or

org.apache.cxf.binding.soap.SoapFault: Security processing failed. `

[ERROR] Tests run: 228, Failures: 3, Errors: 60, Skipped: 19

Will try Semeru 21 now

Hi @jgoodyear ,

Not an expert for IBM JDK configuration, but per the IBM doc here
https://www.ibm.com/support/pages/fips-certified-cryptography-ibm-semeru-runtimes
PKCS11 SecureRandom should be available with IBM fips certified JDK.

I guess somehow the testing environment/machine/jdk isn't fully FIPS ready?

Best Regards
Freeman

@jgoodyear
Copy link
Contributor

Ah, no - will update for that tomorrow :)
Thanks for the catch

@ffang ffang requested a review from coheigea May 30, 2024 15:59
@ffang
Copy link
Contributor Author

ffang commented May 30, 2024

Hi @coheigea ,

Could you please review this PR when you have free cycle?

This also requires a PR from Apache WSS4J side
apache/ws-wss4j#313

Thanks!
Freeman

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants