fips support
What I have done in this PR:
- Introduce a system property "fips.enabled"; when it's true, switch the security algorithms which are not allowed in FIPS to FIPS compliant ones. Mainly they are from AES_CBC to AES_GCM; from RSA_OAEP to RSA1_5. This needs the Apache WSS4J side change also. Please see https://issues.apache.org/jira/browse/WSS-711. The default value of "fips.enabled" is false, so the default behaviour is the same as before.
- A Maven profile "fips" is introduced. So just running "mvn clean install -Pfips" on a FIPS enabled machine/JDK should be sufficient.
- Several FIPS compliant ws-securitypolicy names are introduced to help easily run in FIPS mode.
- A lot of security-related tests are revised to pick up the FIPS compliant configurations/keys/certs when running tests with the fips profile.
To help provide some testing of this PR, does one need to enable a profile or another parameter to test all the FIPS test cases, or is it all included in mvn install?
Hi @jgoodyear, a Maven profile "fips" is introduced. So just running "mvn clean install -Pfips" on a FIPS enabled machine/JDK should be sufficient.
Cheers Freeman
Is there a FIPS enabled build host on Apache infra? (CXF has ubuntu and windows test hosts, would be nice if the FIPS paths are regularly tested as well).
Non-FIPS builds of CXF-9008 branch:
- Stream 9 OS with Eclipse Adoptium 17 on PPC64LE: Passed.
- Ubuntu 22.04 LTS with Eclipse Adoptium 17 on x64: Passed.
FIPS mode enabled on Stream 9 OS:
```
[jgoodyear@localhost cxf]$ fips-mode-setup --check
FIPS mode is enabled.
[jgoodyear@localhost ~]$ uname -a
Linux localhost.localdomain 5.14.0-447.el9.ppc64le #1 SMP Tue May 7 10:29:50 UTC 2024 ppc64le ppc64le ppc64le GNU/Linux
```
Invocation:
```
[jgoodyear@localhost cxf]$ mvn clean install -Dsemeru.fips=true -Pfips
```
Error Message:
```
[INFO]
[INFO] --- surefire:3.2.5:test (default-test) @ cxf-core ---
[INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider
[INFO]
[INFO] -------------------------------------------------------
[INFO] T E S T S
[INFO] -------------------------------------------------------
java.lang.RuntimeException: Restricted security mode is not supported on this platform.
```
Maven/Java versions:
```
[jgoodyear@localhost cxf]$ mvn -version
Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
Maven home: /home/jgoodyear/Documents/x1/maven/apache-maven-3.9.6
Java version: 17.0.8.1, vendor: IBM Corporation, runtime: /usr/lib/jvm/ibm-semeru-open-17-jdk
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.14.0-447.el9.ppc64le", arch: "ppc64le", family: "unix"
```
It's very possible I do not have a complete FIPS configuration for this system. That being said, enabling FIPS on the OS and passing fips=true to Semeru should be the out-of-the-box requirement for basic use. Any pointers welcome :)
This is a very cool feature to support for CXF.
Hi @jgoodyear,
Thanks for testing with this PR.
I'm not sure how to configure the environment you are using. Just FYI, my FIPS testing machine is like:
```
Maven home: /tools/opt/apache-maven-3.8.6
Java version: 21.0.2, vendor: Red Hat, Inc., runtime: /usr/lib/jvm/java-21-openjdk-21.0.2.0.13-1.el8.x86_64
Default locale: en_CA, platform encoding: UTF-8
OS name: "linux", version: "4.18.0-477.27.1.el8_8.x86_64", arch: "amd64", family: "unix"
```
And if I do "mvn clean install -Pfips" I get a green build on that machine.
Freeman
No additions to your settings xml?
I'll try the older Maven version, and RH OpenJDK 17 (want to verify using FIPS doesn't require a higher version than main builds).
No additions to my settings.xml.
And I think you need to use JDK21 (LTS version) to get all tests to pass in FIPS mode, because KW and KWP were added to the PKCS11 provider (this is the FIPS compliant security provider) since JDK18; JDK17 missed this part.
Please see https://bugs.openjdk.org/browse/JDK-8264849
Interesting, thanks for that heads up -- will re-try Semeru on version 21 as well.
As a heads up, IBM Semeru 17.0.10 is where FIPS support begins - I had 17.0.8. I have a build currently in flight, will update when complete.
Using Semeru 17.0.10 I got to:
[INFO] Apache CXF Runtime WS Security ..................... FAILURE [ 35.135 s]
In which the error messages were of the form:
```
NoSuchAlgorithmException: PKCS11 SecureRandom not available
or
org.apache.cxf.binding.soap.SoapFault: Security processing failed.
```
[ERROR] Tests run: 228, Failures: 3, Errors: 60, Skipped: 19
Will try Semeru 21 now.
Semeru 21 had a class not found error, RH OpenJDK 22 (latest) was not happy either.
```
[INFO]
[INFO] Apache CXF ......................................... SUCCESS [ 0.217 s]
[INFO] Apache CXF BOM ..................................... SUCCESS [ 0.011 s]
[INFO] Apache CXF Parent .................................. SUCCESS [ 1.125 s]
[INFO] Apache CXF Core .................................... FAILURE [ 19.362 s]
```
I'll take a deeper look on Semeru 17 tomorrow.
A quick question: did you manually apply this PR to WSS4J first and build it locally? https://github.com/apache/ws-wss4j/pull/313 This CXF PR relies on the WSS4J PR.
Hi @jgoodyear,
Not an expert for IBM JDK configuration, but per the IBM doc here, https://www.ibm.com/support/pages/fips-certified-cryptography-ibm-semeru-runtimes, PKCS11 SecureRandom should be available with the IBM FIPS certified JDK.
I guess somehow the testing environment/machine/jdk isn't fully FIPS ready?
Best Regards Freeman
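Added example, not part of the thread and not CXF or WSS4J code: a small Java preflight that probes the JCA services discussed above (AES-GCM, the KW and KWP key-wrap modes from JDK-8264849, and the `PKCS11` SecureRandom from the error message) on the JDK that will run `mvn clean install -Pfips`. The class name `FipsPreflight` is hypothetical, and that the tests request exactly these standard JCA names is an assumption.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class, not project code).
public class FipsPreflight {
    // Standard JCA transformation names; assumed to match what the FIPS tests request.
    static final String[] CIPHERS = {
        "AES/GCM/NoPadding",  // AES_GCM, the replacement for AES_CBC in the PR description
        "AES/KW/NoPadding",   // AES key wrap (KW)
        "AES/KWP/NoPadding",  // AES key wrap with padding (KWP)
    };

    // Name of the first provider that serves the transformation, or null if none does.
    static String cipherProvider(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    // Name of the provider that serves the SecureRandom algorithm, or null if none does.
    static String secureRandomProvider(String algorithm) {
        try {
            return SecureRandom.getInstance(algorithm).getProvider().getName();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version=" + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {  // listed in preference order
            System.out.println("provider: " + p.getName() + " " + p.getVersionStr());
        }
        boolean ok = true;
        for (String t : CIPHERS) {
            String prov = cipherProvider(t);
            ok &= prov != null;
            System.out.println("Cipher " + t + " -> " + (prov == null ? "NOT AVAILABLE" : prov));
        }
        String rnd = secureRandomProvider("PKCS11");
        ok &= rnd != null;
        System.out.println("SecureRandom PKCS11 -> " + (rnd == null ? "NOT AVAILABLE" : rnd));
        System.exit(ok ? 0 : 1);  // non-zero exit: at least one required service is missing
    }
}
```

Run it with `java FipsPreflight.java` using the same JDK and JVM options as the Maven build (for example `-Dsemeru.fips=true` on Semeru); the provider list shows which provider, if any, would serve each request in FIPS mode.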
Ah, no - will update for that tomorrow :) Thanks for the catch
Hi @coheigea,
Could you please review this PR when you have a free cycle?
This also requires a PR from the Apache WSS4J side: https://github.com/apache/ws-wss4j/pull/313
Thanks! Freeman