Merge pull request #1351 from gtroitsk/oidc-client-mtls-pkcs12-fips

Enable OIDC mTLS tests on OpenJDK 17 and FIPS using PKCS12 keystore

security/oidc-client-mutual-tls/README.md

@@ -0,0 +1,42 @@
+# PKCS12 keystore and truststore generation for server and client
+
+
+1. Create a keystore for the client
+
+`keytool -genkey -alias Client -validity 3650 -keyalg RSA -keystore client-keystore.p12 -keysize 2048 -storetype PKCS12 -storepass password -dname "cn=localhost, ou=QuarkusQE, o=Redhat, L=Brno, st=BR, c=CZ"`
+
+2. Export the public certificate of the client
+
+`keytool -export -keystore client-keystore.p12 -alias Client -file client.crt`
+
+3. Create a keystore for the server
+
+`keytool -genkey -alias Server -validity 3650 -keyalg RSA -keystore server-keystore.p12 -keysize 2048 -storetype PKCS12 -storepass password -dname "cn=localhost, ou=QuarkusQE, o=Redhat, L=Brno, st=BR, c=CZ"`
+
+4. Export the public certificate of the server
+
+`keytool -export -keystore server-keystore.p12 -alias Server -file server.crt`
+
+5. Create a truststore for the client
+
+`keytool -genkey -alias ClientTrust -validity 3650 -keyalg RSA -keystore client-truststore.p12 -keysize 2048 -storetype PKCS12 -storepass password -dname "cn=localhost, ou=QuarkusQE, o=Redhat, L=Brno, st=BR, c=CZ"`
+
+6. Create a truststore for the server
+
+`keytool -genkey -alias ServerTrust -validity 3650 -keyalg RSA -keystore server-truststore.p12 -keysize 2048 -storetype PKCS12 -storepass password -dname "cn=localhost, ou=QuarkusQE, o=Redhat, L=Brno, st=BR, c=CZ"`
+
+7. Import the client public certificate into the server truststore
+
+`keytool -import -keystore server-truststore.p12 -alias Client -file client.crt`
+
+8. Import the server public certificate into the client truststore
+
+`keytool -import -keystore client-truststore.p12 -alias Server -file server.crt`
+
+9. Delete the existing private key of the server truststore
+
+`keytool -delete -alias serverTrust -keystore server-truststore.p12 -storepass password`
+
+10. Delete the existing private key of the client truststore
+
+`keytool -delete -alias clientTrust -keystore client-truststore.p12 -storepass password`

security/oidc-client-mutual-tls/src/main/resources/application.properties

@@ -11,6 +11,7 @@ quarkus.oidc.tls.key-store-password=${ks-pwd}
 quarkus.oidc.tls.trust-store-password=${ks-pwd}
 
 # TODO https://github.com/quarkusio/quarkus/issues/25972
+# We cannot test these properties before we configure all environment to run KeyCloak with BCFIPS provider in container
 #quarkus.oidc.tls.trust-store-provider=SunRsaSign,SunJCE
 #quarkus.oidc.tls.key-store-provider=SunRsaSign,SunJCE
 

security/oidc-client-mutual-tls/src/test/java/io/quarkus/ts/security/oidcclient/mtls/Pkcs12OidcMtlsIT.java

@@ -3,26 +3,30 @@
 import static io.quarkus.ts.security.oidcclient.mtls.MutualTlsKeycloakService.KC_DEV_MODE_P12_CMD;
 import static io.quarkus.ts.security.oidcclient.mtls.MutualTlsKeycloakService.newKeycloakInstance;
 
-import org.junit.jupiter.api.Tag;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.jupiter.api.condition.DisabledIf;
 
 import io.quarkus.test.bootstrap.KeycloakService;
 import io.quarkus.test.bootstrap.RestService;
+import io.quarkus.test.configuration.PropertyLookup;
 import io.quarkus.test.scenarios.QuarkusScenario;
 import io.quarkus.test.services.KeycloakContainer;
 import io.quarkus.test.services.QuarkusApplication;
+import io.quarkus.test.utils.Command;
 
 /**
  * Keystore file type is automatically detected in following tests by its extension in quarkus-oidc.
  * Extension declared here is used by tests only.
  */
-@Tag("fips-incompatible")
+@DisabledIf(value = "cannotRunOnFIPS", disabledReason = "PKCS12 keystore is not FIPS compliant on Red Hat OpenJDK 11")
 @QuarkusScenario
 public class Pkcs12OidcMtlsIT extends KeycloakMtlsAuthN {
 
-    //TODO Remove workaround after Keycloak is fixed https://github.com/keycloak/keycloak/issues/9916
     @KeycloakContainer(command = KC_DEV_MODE_P12_CMD, port = KEYCLOAK_PORT)
     static KeycloakService keycloak = newKeycloakInstance(REALM_FILE_PATH, REALM_DEFAULT, "realms")
-            .withRedHatFipsDisabled()
             .withProperty("HTTPS_KEYSTORE", "resource_with_destination::/etc/|server-keystore." + P12_KEYSTORE_FILE_EXTENSION)
             .withProperty("HTTPS_TRUSTSTORE",
                     "resource_with_destination::/etc/|server-truststore." + P12_KEYSTORE_FILE_EXTENSION);
@@ -44,4 +48,25 @@ protected KeycloakService getKeycloakService() {
     protected String getKeystoreFileExtension() {
         return P12_KEYSTORE_FILE_EXTENSION;
     }
+
+    private static boolean cannotRunOnFIPS() {
+        String javaVersion = new PropertyLookup("java.version").get();
+        String javaVMVendor = new PropertyLookup("java.vm.vendor").get();
+
+        if (javaVersion.matches("11.*") && javaVMVendor.matches(".*Red.*Hat.*")) {
+            List<String> commandOutputLines = new ArrayList<>();
+
+            try {
+                new Command("sysctl", "crypto.fips_enabled").outputToLines(commandOutputLines).runAndWait();
+            } catch (IOException | InterruptedException e) {
+                return false;
+            }
+
+            boolean isFipsEnabled = commandOutputLines.get(0).matches(".*1");
+
+            return javaVersion.matches("11.*") && javaVMVendor.matches(".*Red.*Hat.*") && isFipsEnabled;
+        }
+
+        return false;
+    }
 }