Skip to content

Commit

Permalink
Rest-assurance client is not working with BCFIPS certificates
Browse files Browse the repository at this point in the history 
Swapp to Vertx http client
  • Loading branch information
pablo gonzalez granados committed May 6, 2022
1 parent e8d171e commit 45c72a4
Show file tree
Hide file tree
Showing 8 changed files with 92 additions and 30 deletions.
28 changes: 10 additions & 18 deletions security/bouncycastle-fips/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,14 @@

## Generate certificates steps (Keytool manual process)

Generate a self-signed PEM
```shell
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
```

Convert the certificate from PEM to PKCS12, using the following command:
```shell
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem
```

Generate truststore from p12 file
```shell
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype pkcs12 -destkeystore server-truststore.jks -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $PATH_TO_BC_FIPS_JAR -storetype BCFKS -validity 3000
```

Generate keystore
```shell
keytool -genkey -alias server -keyalg RSA -keystore server-keystore.jks -keysize 2048 -keypass password -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $PATH_TO_BC_FIPS_JAR -storetype BCFKS -validity 3000
```
keytool -keystore server-keystore.jks -alias localhost -validity 3000 -genkeypair -keyalg RSA -keysize 2048 -storepass password -keypass password -storetype BCFKS -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -dname "cn=Redhat, ou=QuarkusQE, o=Redhat,L=Madrid, st=MA, c=ES" -ext SAN="DNS:localhost,IP:127.0.0.1"
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3000
keytool -keystore client-truststore.jks -storetype BCFKS -alias CARoot -import -file ca-cert -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore server-truststore.jks -storetype BCFKS -alias CARoot -importcert -file ca-cert -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore server-keystore.jks -alias localhost -storepass password -keypass password -storetype BCFKS -certreq -file cert-file -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3000 -CAcreateserial -passin pass:password
keytool -keystore server-keystore.jks -storetype BCFKS -alias CARoot -import -file ca-cert -storepass password -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
cat ca-cert cert-signed > cert
keytool -keystore server-keystore.jks -storetype BCFKS -storepass password -alias localhost -import -file cert -providerpath /home/pablojosegonzalezgranados/.m2/repository/org/bouncycastle/bc-fips/1.0.2.1/bc-fips-1.0.2.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
```
4 changes: 4 additions & 0 deletions security/bouncycastle-fips/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,9 @@
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
</dependency>
<dependency>
<groupId>io.smallrye.reactive</groupId>
<artifactId>smallrye-mutiny-vertx-web-client</artifactId>
</dependency>
</dependencies>
</project>
Binary file modified security/bouncycastle-fips/src/main/resources/server-keystore.jks
View file
Binary file not shown.
Binary file modified security/bouncycastle-fips/src/main/resources/server-truststore.jks
View file
Binary file not shown.
84 changes: 73 additions & 11 deletions ...e-fips/src/test/java/io/quarkus/ts/security/bouncycastle/fips/BouncyCastleFipsJsseIT.java
View file
Original file line number Diff line number Diff line change
@@ -1,36 +1,98 @@
package io.quarkus.ts.security.bouncycastle.fips;

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.MatcherAssert.assertThat;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Security;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.junit.jupiter.api.Test;

import io.quarkus.runtime.util.ClassPathUtils;
import io.quarkus.test.bootstrap.Protocol;
import io.quarkus.test.bootstrap.RestService;
import io.quarkus.test.scenarios.QuarkusScenario;
import io.quarkus.test.services.Dependency;
import io.quarkus.test.services.QuarkusApplication;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.net.KeyStoreOptions;
import io.vertx.ext.web.client.WebClientOptions;
import io.vertx.mutiny.ext.web.client.WebClient;

@QuarkusScenario
public class BouncyCastleFipsJsseIT {

private static final String PASSWORD = "password";

@QuarkusApplication(dependencies = {
@QuarkusApplication(ssl = true, dependencies = {
@Dependency(groupId = "org.bouncycastle", artifactId = "bctls-fips", version = "${bouncycastle.bctls-fips.version}")
})
private static final RestService app = new RestService().withProperties("jsse.properties");

@Test
public void verifyBouncyCastleFipsAndJsseProviderAvailability() {
given()
.keyStore(Paths.get("client-keystore.jks").toFile(), PASSWORD)
.trustStore(Paths.get("client-truststore.jks").toFile(), PASSWORD)
.when()
.get("/api/listProviders")
.then()
.statusCode(200)
.body(containsString("BCFIPS,BCJSSE"));
public void verifyBouncyCastleFipsAndJsseProviderAvailability() throws Exception {
Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
WebClient webClient = WebClient.create(new io.vertx.mutiny.core.Vertx(Vertx.vertx()), createWebClientOptions());
String endpoint = app.getHost(Protocol.HTTPS) + ":" + app.getPort(Protocol.HTTPS) + "/api/listProviders";
String body = webClient
.getAbs(endpoint)
.sendAndAwait().bodyAsString();

assertThat(body, containsString("BCFIPS,BCJSSE"));
}

private WebClientOptions createWebClientOptions() throws Exception {
WebClientOptions webClientOptions = new WebClientOptions();

byte[] keyStoreData = getFileContent(Paths.get("src", "test", "resources", "client-keystore.jks"));
KeyStoreOptions keyStoreOptions = new KeyStoreOptions()
.setPassword(PASSWORD)
.setValue(Buffer.buffer(keyStoreData))
.setType("BCFKS")
.setProvider("BCFIPS");
webClientOptions.setKeyCertOptions(keyStoreOptions);

byte[] trustStoreData = getFileContent(Paths.get("src", "test", "resources", "client-truststore.jks"));
KeyStoreOptions trustStoreOptions = new KeyStoreOptions()
.setPassword(PASSWORD)
.setValue(Buffer.buffer(trustStoreData))
.setType("BCFKS")
.setProvider("BCFIPS");
webClientOptions.setVerifyHost(false).setTrustAll(true).setTrustOptions(trustStoreOptions);

return webClientOptions;
}

private static byte[] getFileContent(Path path) throws IOException {
byte[] data;
final InputStream resource = Thread.currentThread().getContextClassLoader()
.getResourceAsStream(ClassPathUtils.toResourceName(path));
if (resource != null) {
try (InputStream is = resource) {
data = doRead(is);
}
} else {
try (InputStream is = Files.newInputStream(path)) {
data = doRead(is);
}
}
return data;
}

private static byte[] doRead(InputStream is) throws IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream();
byte[] buf = new byte[1024];
int r;
while ((r = is.read(buf)) > 0) {
out.write(buf, 0, r);
}
return out.toByteArray();
}
}
Binary file modified security/bouncycastle-fips/src/test/resources/client-keystore.jks
View file
Binary file not shown.
Binary file modified security/bouncycastle-fips/src/test/resources/client-truststore.jks
View file
Binary file not shown.
6 changes: 5 additions & 1 deletion security/bouncycastle-fips/src/test/resources/jsse.properties
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,8 @@ quarkus.http.ssl.certificate.trust-store-file=server-truststore.jks
quarkus.http.ssl.certificate.trust-store-password=password
quarkus.http.ssl.certificate.trust-store-file-type=BCFKS
quarkus.http.ssl.certificate.trust-store-provider=BCFIPS
quarkus.native.additional-build-args=-H:IncludeResources=.*\\.jks
#quarkus.native.additional-build-args=-H:IncludeResources=.*\\.jks

quarkus.log.category."org.bouncycastle.jsse".min-level=TRACE
quarkus.log.category."org.bouncycastle.jsse".level=TRACE
quarkus.log.file.enable=true

0 comments on commit 45c72a4

Please sign in to comment.