To help provide some testing of this PR, does one need to enable a profile or another parameter to test all the FIPS test cases, or is it all included in mvn install?
what I have done in this PR
Hi @jgoodyear, Cheers
Is there a FIPS enabled build host on Apache infra? (CXF has ubuntu and windows test hosts, would be nice if the FIPS paths are regularly tested as well).
Non-FIPS builds of CXF-9008 branch: Stream 9 OS with Eclipse Adoptium 17 on PPC64LE Passed. |

FIPS mode enabled on Stream 9 OS:

```
FIPS mode is enabled.
[jgoodyear@localhost ~]$ uname -a
Linux localhost.localdomain 5.14.0-447.el9.ppc64le #1 SMP Tue May 7 10:29:50 UTC 2024 ppc64le ppc64le ppc64le GNU/Linux
```

Invocation:

Error Message:

```
[INFO] --- surefire:3.2.5:test (default-test) @ cxf-core ---
[INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider
[INFO]
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
java.lang.RuntimeException: Restricted security mode is not supported on this platform.
```

Maven/Java versions:

```
Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
Maven home: /home/jgoodyear/Documents/x1/maven/apache-maven-3.9.6
Java version: 17.0.8.1, vendor: IBM Corporation, runtime: /usr/lib/jvm/ibm-semeru-open-17-jdk
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.14.0-447.el9.ppc64le", arch: "ppc64le", family: "unix"
```

It's very possible I do not have a complete FIPS configuration for this system, that being said, enabling FIPS on the OS, and passing to Semeru fips=true should be the out of the box requirement for basic use. Any pointers welcome :) This is a very cool feature to support for CXF.

Hi @jgoodyear,
Thanks for testing with this PR. I'm not sure how to configure the environment you are using. Just FYI, my FIPS testing machine is like
And if I do "mvn clean install -Pfips" I get a green build on that machine
Freeman
No additions to your settings xml? I'll try the older Maven version, and RH OpenJDK 17 (want to verify using FIPS doesn't require a higher version than main builds).
No additions to my settings.xml. And I think you need to use JDK21 (LTS version) to get all tests passed with FIPS mode, because KW and KWP were added to PKCS11 provider (this is the FIPS compliant security provider) since JDK18, JDK17 missed this part. Please see
Interesting, thanks for that heads up -- will re-try Semeru on version 21 as well. |
As a heads up, IBM Semeru 17.0.10 is where FIPS support begins - I had 17.0.8.
Using Semeru 17.0.10 I got to:
In which the error messages were of the form:
or `org.apache.cxf.binding.soap.SoapFault: Security processing failed.`
Will try Semeru 21 now
Semeru 21 had class not found error,

```
[INFO] Apache CXF ......................................... SUCCESS [ 0.217 s]
[INFO] Apache CXF BOM ..................................... SUCCESS [ 0.011 s]
[INFO] Apache CXF Parent .................................. SUCCESS [ 1.125 s]
[INFO] Apache CXF Core .................................... FAILURE [ 19.362 s]
```

I'll take a deeper look on Semeru 17 tomorrow.
A quick question, did you manually apply this PR to WSS4J first and build locally
Hi @jgoodyear,
Not an expert for IBM JDK configuration, but per the IBM doc here I guess somehow the testing environment/machine/jdk isn't fully FIPS ready?
Best Regards
Ah, no - will update for that tomorrow :) |
Hi @coheigea,
Could you please review this PR when you have free cycle? This also requires a PR from Apache WSS4J side
Thanks!
# Conflicts:
# parent/pom.xml
# rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java
# systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
RSA 1.5 (PKCS#1 v1.5) is not FIPS-approved for key transport. Replace all FIPS-mode RSA 1.5 defaults with proper FIPS-approved alternatives:
- JOSE: RSA1_5 -> RSA_OAEP_256 (SHA-256 based)
- XML Security: RSA_v1dot5 -> RSA_OAEP_11 (xenc11, SHA-256 based)
- WS-Security/STS: KEYTRANSPORT_RSA15 -> KEYTRANSPORT_RSAOAEP_XENC11

Also:
- Add configurable FIPS security provider via fips.security.provider system property instead of hardcoding SunPKCS11-NSS-FIPS
- Fix Boolean.valueOf -> Boolean.parseBoolean for FIPS property
- Fix tab character in parent/pom.xml
- Fix misleading 'fips compliant' comment on RSA 1.5 algorithm suites
- Update JoseConstants javadoc

- JavaUtilsTest: tests isFIPSEnabled(), getFIPSSecurityProvider(), isJavaKeyword(), and makeNonJavaKeyword()
- JweFipsAlgorithmTest: verifies RSA-OAEP-256 is selected in FIPS mode and RSA-OAEP in non-FIPS mode for JWE key algorithms and RSAKeyDecryptionAlgorithm defaults

- DefaultSignatureConstants: move private constructor before static method to satisfy DeclarationOrder rule
- alice-enc-fips.properties, bob-enc-fips.properties: add required license header comment prefix/suffix lines

Add required #/# prefix and suffix lines around the ASF license header in all FIPS properties files under systests/rs-security to comply with the RegexpHeader checkstyle rule. Also add missing trailing newlines.
AbstractServerRestricted.java was using UXPingServiceFips instead of UXNoTimestampPingServiceFips for the /UX-NoTimestampPingService endpoint in FIPS mode, which would bind the wrong WSDL port to that endpoint.

- Reject RSA1_5 key encryption in FIPS mode in RSAKeyDecryptionAlgorithm
- Make CustomAlgorithmSuite FIPS-aware (use RSA-OAEP instead of RSA15)
- Remove hardcoded SunPKCS11-NSS-FIPS provider, use configurable FIPS provider
- Fix inverted FIPS ternary in JweCompactReaderWriterTest encryptContent helper
- Add RSA1_5 rejection test and FIPS state restoration to JweFipsAlgorithmTest
- Skip RSA15/CBC test in FIPS mode (not FIPS-approved algorithms)

- Extract duplicated setFipsEnabled/setFipsProvider reflection helpers into FipsTestUtils utility classes in core and jose test sources
- Update FIPS test properties files to use RSA-OAEP-256 instead of RSA1_5 for stricter FIPS compliance

gnodet
left a comment
All CI checks pass. FIPS 140-2 compliance support looks good — algorithm selection, enforcement, and test coverage are solid.
Thanks so much @gnodet!
Summary
Add support for running Apache CXF in FIPS 140-2 compliant mode. When a FIPS-approved security provider is detected, CXF automatically selects FIPS-compliant algorithms across WS-Security, JOSE/JWT, RS-Security XML encryption, and STS components.
Key Changes
Core Infrastructure
- `JavaUtils`: Add `isFIPSEnabled()` and `getFIPSSecurityProvider()` utility methods for runtime FIPS detection, configurable via system properties (`fips.enabled`, `fips.security.provider`)
- `parent/pom.xml`: Add FIPS-specific test profiles

Algorithm Selection (FIPS mode defaults)
- `RSA-OAEP-256` instead of `RSA-OAEP` for key encryption (RSA 1.5 is not FIPS-approved); reject `RSA1_5` during decryption in FIPS mode
- `RSA-OAEP-11` (xenc11) instead of `RSA-OAEP` for key transport
- `KEYTRANSPORT_RSAOAEP_XENC11` instead of `KEYTRANSPORT_RSAOAEP` for key wrapping; exclude RSA 1.5 from accepted key wrap algorithms in FIPS mode
- `JavaUtils.getFIPSSecurityProvider()`)

WS-Security Policy
- `DefaultAlgorithmSuiteLoader`: Add FIPS-compliant algorithm suite policies using GCM ciphers with RSA-OAEP key transport; `CustomAlgorithmSuite` uses RSA-OAEP instead of RSA15 in FIPS mode

Test Infrastructure
- `JavaUtils.isFIPSEnabled()` to select appropriate algorithms and configs
- `JavaUtilsTest` and `JweFipsAlgorithmTest`
- `RSA-OAEP-256` (FIPS-approved key encryption algorithm)
- `FipsTestUtils` for FIPS state manipulation in tests

Modules Affected
- `cxf-core` — FIPS utility methods
- `cxf-rt-rs-security-jose` — JOSE/JWE algorithm selection and enforcement
- `cxf-rt-rs-security-xml` — RS XML encryption algorithm selection
- `cxf-rt-rs-security-http-signature` — Security provider selection
- `cxf-rt-ws-security` — WS-Security algorithm suite loader
- `cxf-services-sts-core` — STS encryption and key wrap algorithms
- `cxf-rt-rs-security-oauth2` — OAuth JWT producer
- `cxf-systests-ws-security`, `cxf-systests-rs-security`, `cxf-systests-sts` — FIPS test configurations

JIRA
CXF-9008
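
The JOSE behaviour the summary describes (RSA-OAEP-256 as the FIPS-mode default, `RSA1_5` refused in FIPS mode), sketched with plain JCA as an added example that is not code from this PR or from CXF. The class and method names are hypothetical, only the `fips.enabled` property name comes from the summary, and the demo runs on the JDK's default providers with FIPS mode simulated by setting that property.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;
// Added illustration: class and method names are hypothetical, not CXF's own.
public class FipsKeyWrapDemo {
    // Property name from the PR summary; a missing value parses as false.
    static boolean fipsEnabled() { return Boolean.parseBoolean(System.getProperty("fips.enabled")); }
    // Default JWE key-encryption algorithm as the summary describes it.
    static String defaultKeyAlg() { return fipsEnabled() ? "RSA-OAEP-256" : "RSA-OAEP"; }
    // Explicit OAEP parameters per JWE "alg"; RSA1_5 is refused in FIPS mode.
    static OAEPParameterSpec oaepFor(String alg) {
        if ("RSA1_5".equals(alg) && fipsEnabled()) {
            throw new SecurityException("RSA1_5 is not allowed in FIPS mode");
        }
        switch (alg) {
            case "RSA-OAEP-256": // SHA-256 for the digest and for MGF1
                return new OAEPParameterSpec("SHA-256", "MGF1",
                        MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
            case "RSA-OAEP":     // SHA-1 for both, as RFC 7518 defines it
                return new OAEPParameterSpec("SHA-1", "MGF1",
                        MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
            default:
                throw new IllegalArgumentException("No OAEP parameters for " + alg);
        }
    }
    // Builds an RSA OAEP cipher with the parameters pinned rather than defaulted.
    static Cipher rsaOaep(int mode, Key key, String alg) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, oaepFor(alg));
        return c;
    }
    public static void main(String[] args) throws Exception {
        System.setProperty("fips.enabled", "true"); // simulate FIPS mode
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();          // constructed sample keys
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey cek = kg.generateKey();            // content-encryption key
        String alg = defaultKeyAlg();
        byte[] wrapped = rsaOaep(Cipher.WRAP_MODE, kp.getPublic(), alg).wrap(cek);
        Key back = rsaOaep(Cipher.UNWRAP_MODE, kp.getPrivate(), alg)
                .unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        System.out.println(alg + " round trip ok: "
                + MessageDigest.isEqual(cek.getEncoded(), back.getEncoded()));
        try { oaepFor("RSA1_5"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The `OAEPParameterSpec` is passed explicitly because SunJCE's `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` transformation keeps SHA-1 for MGF1 unless told otherwise, which does not match what JWE defines for `RSA-OAEP-256`.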