From b3a0a735dc9359bd5de42f42a8fbb8f017e7b94c Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Tue, 9 Jul 2024 11:20:51 -0700 Subject: [PATCH 1/7] Initial commit for upgrading the Jakarta Security TCK. Signed-off-by: James R. Perkins --- security/clean-tck.sh | 6 +-- security/run-tck.sh | 77 ++++++++++++++++++--------- security/wildfly-mods/arquillian.xml | 2 +- security/wildfly-mods/profile.xml | 18 +++++++ security/wildfly/configure-server.cli | 10 ++++ security/wildfly/pom.xml | 5 ++ 6 files changed, 88 insertions(+), 30 deletions(-) diff --git a/security/clean-tck.sh b/security/clean-tck.sh index c04598b..242edf2 100755 --- a/security/clean-tck.sh +++ b/security/clean-tck.sh @@ -1,7 +1,7 @@ #! /bin/bash - -TCK_ZIP=jakarta-security-tck-3.0.0.zip -TCK_HOME=security-tck-3.0.0 +TCK_VERSION="3.0.2" +TCK_ZIP=jakarta-security-tck-${TCK_VERSION}.zip +TCK_HOME=security-tck-${TCK_VERSION} OLD_TCK_HOME=security-tck ANT_ZIP=apache-ant-1.9.16-bin.zip ANT_HOME=apache-ant-1.9.16 diff --git a/security/run-tck.sh b/security/run-tck.sh index 70fcacd..ebbd2ce 100755 --- a/security/run-tck.sh +++ b/security/run-tck.sh @@ -1,10 +1,11 @@ #! /bin/bash set -e - -TCK_URL=https://download.eclipse.org/jakartaee/security/3.0/jakarta-security-tck-3.0.0.zip -TCK_ZIP=jakarta-security-tck-3.0.0.zip -TCK_HOME=security-tck-3.0.0 +TCK_VERSION="3.0.2" +#TCK_URL=https://download.eclipse.org/jakartaee/security/3.0/jakarta-security-tck-${TCK_VERSION}.zip +TCK_URL=https://eclipse.mirror.rafal.ca/security/jakartaee10/staged/eftl/jakarta-security-tck-${TCK_VERSION}.zip +TCK_ZIP=jakarta-security-tck-${TCK_VERSION}.zip +TCK_HOME=security-tck-${TCK_VERSION} TCK_ROOT=$TCK_HOME/tck WILDFLY_HOME=wildfly/target/wildfly NEW_WILDFLY=servers/new-wildfly 
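Review bot: The new `TCK_URL` fetches the TCK from a third-party mirror's `staged/eftl` build (`eclipse.mirror.rafal.ca`) with the official `download.eclipse.org` URL left commented out, and the zip is used without any integrity check, so whatever that host serves is unzipped and its `pom.xml` rewritten and executed by Maven. Pin the expected digest from the Eclipse release page and verify it after the download, e.g. `TCK_SHA256="<sha256-from-release-page>"` near these variables and `printf '%s  %s\n' "$TCK_SHA256" "$TCK_ZIP" | sha256sum -c -` after the `curl` in the later hunk; since that hunk also caches the zip with `test -f $TCK_ZIP`, the check should run on the cached file as well. If the mirror is only a stop-gap until the 3.0.2 artifact is published officially, say so in the comment rather than leaving two URLs with no explanation.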
@@ -59,6 +60,50 @@ while getopts ":v" opt; do esac done +############################################################## +# Install and configure the TCK if not previously installed. # +############################################################## + +# This must be executed first as CLI needs the files generated below to configure the keystore on the server + +if test -f $TCK_ZIP +then + echo "TCK Already Downloaded." +else + echo "Downloading TCK." + curl $TCK_URL -o $TCK_ZIP +fi + +if test -d $TCK_HOME +then + echo "TCK Already Configured." +else + echo "Configuring TCK." + unzip ${UNZIP_ARGS} $TCK_ZIP + cp $TCK_ROOT/pom.xml $TCK_ROOT/original-pom.xml + xsltproc wildfly-mods/transform.xslt $TCK_ROOT/original-pom.xml > $TCK_ROOT/pom.xml +fi + +# Recreate the keystore and cert +echo "Recreate the keystore and cert" +DNAME="CN=localhost, OU=jakarta, O=eclipse, L=amsterdam, S=holland, C=nl" +rm -rfv ${TCK_ROOT}/app-openid2/localhost-rsa.jks +rm -rfv ${TCK_ROOT}/app-openid2/tomcat.cert +rm -rfv ${TCK_ROOT}/app-openid3/localhost-rsa.jks +rm -rfv ${TCK_ROOT}/app-openid3/tomcat.cert + +keytool -v -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \ + -dname "${DNAME}" \ + -storepass changeit -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks + +keytool -v -certreq -alias tomcat -keypass changeit -storepass changeit \ + -dname "${DNAME}" \ + -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks -file ${TCK_ROOT}/app-openid2/tomcat.cert + +# Copy the files to app-openid3 +cp -v ${TCK_ROOT}/app-openid2/localhost-rsa.jks ${TCK_ROOT}/app-openid3/localhost-rsa.jks +cp -v ${TCK_ROOT}/app-openid2/tomcat.cert ${TCK_ROOT}/app-openid3/tomcat.cert + ################################################ # Install WildFly if not previously installed. # ################################################ @@ -85,6 +130,7 @@ else popd fi fi + # At this point WILDFLY_HOME points to the clean server. #################################### 
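Review bot: `curl $TCK_URL -o $TCK_ZIP` has no `-f`, so an HTTP error response from the mirror exits 0 under `set -e` and its body is written to `$TCK_ZIP`; the enclosing `if test -f $TCK_ZIP` then reports "TCK Already Downloaded." on every later run and the failure only surfaces at `unzip`. Use `curl -fsSL -- "$TCK_URL" -o "$TCK_ZIP"` and quote the other expansions in this block (`$TCK_ZIP`, `$TCK_HOME`, `$TCK_ROOT`, `${UNZIP_ARGS}` aside). Note also that `keytool -certreq` writes a certificate signing request to `tomcat.cert`, not a certificate; the next patch in this series switches it to `-export`, which is what the later `import-certificate` expects.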
@@ -107,31 +153,10 @@ NEW_WILDFLY=`pwd` popd pushd wildfly +export TCK_HOME mvn ${MVN_ARGS} install -Dwildfly.home=$NEW_WILDFLY -Dprovision.skip=true -Dconfigure.skip=false popd -############################################################## -# Install and configure the TCK if not previously installed. # -############################################################## - -if test -f $TCK_ZIP -then - echo "TCK Already Downloaded." -else - echo "Downloading TCK." - curl $TCK_URL -o $TCK_ZIP -fi - -if test -d $TCK_HOME -then - echo "TCK Already Configured." -else - echo "Configuring TCK." - unzip ${UNZIP_ARGS} $TCK_ZIP - cp $TCK_ROOT/pom.xml $TCK_ROOT/original-pom.xml - xsltproc wildfly-mods/transform.xslt $TCK_ROOT/original-pom.xml > $TCK_ROOT/pom.xml -fi - ####################### # Execute the New TCK # ####################### diff --git a/security/wildfly-mods/arquillian.xml b/security/wildfly-mods/arquillian.xml index cc2e5a4..5b099fc 100644 --- a/security/wildfly-mods/arquillian.xml +++ b/security/wildfly-mods/arquillian.xml @@ -6,7 +6,7 @@ ${test.wildfly.home} - ${debugJvmArgs} + ${debugJvmArgs} -Djboss.https.port=9443 wildfly localhost diff --git a/security/wildfly-mods/profile.xml b/security/wildfly-mods/profile.xml index 014fd1f..374784e 100644 --- a/security/wildfly-mods/profile.xml +++ b/security/wildfly-mods/profile.xml @@ -125,6 +125,24 @@ + + + org.codehaus.mojo + keytool-maven-plugin + 1.7 + + true + + + + org.apache.maven.plugins + maven-failsafe-plugin + + + + + + diff --git a/security/wildfly/configure-server.cli b/security/wildfly/configure-server.cli index f4318f0..6cd1ebd 100644 --- a/security/wildfly/configure-server.cli +++ b/security/wildfly/configure-server.cli 
@@ -18,4 +18,14 @@ if (outcome != success) of /subsystem=elytron/policy=jacc:read-resource end-if /subsystem=ee:write-attribute(name=global-modules, value=[{name=com.nimbusds.nimbus-jose-jwt}]) +# Configure the keystore +if (outcome != success) of /subsystem=elytron/key-store=tck:read-resource + echo "Adding from ${tck.home} ${env.TCK_HOME}" + # security/security-tck-3.0.2/tck/app-openid2/tomcat.cert + /subsystem=elytron/key-store=tck:add(path=server.truststore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=changeit},type=PKCS12) + echo "Added store " + /subsystem=elytron/key-store=tck:import-certificate(alias=tomcat,path="/home/jperkins/projects/wildfly/wildfly-tck-runners/security/security-tck-3.0.2/tck/app-openid2/tomcat.cert",credential-reference={clear-text=changeit},trust-cacerts=true,validate=false) + /subsystem=elytron/key-store=tck:store() +end-if + stop-embedded-server \ No newline at end of file diff --git a/security/wildfly/pom.xml b/security/wildfly/pom.xml index 9bccd2b..2e27b8d 100644 --- a/security/wildfly/pom.xml +++ b/security/wildfly/pom.xml @@ -50,6 +50,8 @@ true true false + + ${env.TCK_HOME} @@ -72,6 +74,9 @@ ${wildfly.home} true + + ${tck.home} + From a9ba35365324a417a8f90e515a86bfd168798797 Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Tue, 9 Jul 2024 13:31:41 -0700 Subject: [PATCH 2/7] Further configuration of updating the Jakarta Security TCK to use 3.0.2 Signed-off-by: James R. Perkins --- security/run-tck.sh | 9 ++++----- security/wildfly/configure-server.cli | 26 +++++++++++++++----------- security/wildfly/pom.xml | 9 ++++----- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/security/run-tck.sh b/security/run-tck.sh index ebbd2ce..be788f1 100755 --- a/security/run-tck.sh +++ b/security/run-tck.sh 
@@ -6,7 +6,8 @@ TCK_VERSION="3.0.2" TCK_URL=https://eclipse.mirror.rafal.ca/security/jakartaee10/staged/eftl/jakarta-security-tck-${TCK_VERSION}.zip TCK_ZIP=jakarta-security-tck-${TCK_VERSION}.zip TCK_HOME=security-tck-${TCK_VERSION} -TCK_ROOT=$TCK_HOME/tck +TCK_ROOT="$(readlink -m ${TCK_HOME}/tck)" +export TCK_ROOT WILDFLY_HOME=wildfly/target/wildfly NEW_WILDFLY=servers/new-wildfly OLD_WILDFLY=servers/old-wildfly @@ -96,8 +97,7 @@ keytool -v -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \ -dname "${DNAME}" \ -storepass changeit -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks -keytool -v -certreq -alias tomcat -keypass changeit -storepass changeit \ - -dname "${DNAME}" \ +keytool -v -export -alias tomcat -storepass changeit \ -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks -file ${TCK_ROOT}/app-openid2/tomcat.cert # Copy the files to app-openid3 @@ -153,7 +153,6 @@ NEW_WILDFLY=`pwd` popd pushd wildfly -export TCK_HOME mvn ${MVN_ARGS} install -Dwildfly.home=$NEW_WILDFLY -Dprovision.skip=true -Dconfigure.skip=false popd @@ -165,7 +164,7 @@ echo "Executing NEW Jakarta Security TCK." pushd $TCK_ROOT mvn ${MVN_ARGS} clean -pl '!old-tck,!old-tck/build,!old-tck/run' mkdir target -safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae +safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl 'app-openid2' -Dtest.wildfly.home=$NEW_WILDFLY -fae newTckStatus=${status} popd diff --git a/security/wildfly/configure-server.cli b/security/wildfly/configure-server.cli index 6cd1ebd..bf8f326 100644 --- a/security/wildfly/configure-server.cli +++ b/security/wildfly/configure-server.cli 
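Review bot: `TCK_ROOT="$(readlink -m ${TCK_HOME}/tck)"` relies on the GNU coreutils `-m` flag; BSD/macOS `readlink` rejects it, and because the substitution runs in a plain assignment under `set -e` the script aborts on that line with only a usage error. `TCK_HOME` is a path relative to the script's working directory and does not exist yet at this point (it is unzipped further down), so `TCK_ROOT="$PWD/${TCK_HOME}/tck"` should yield the same absolute path without the dependency, unless the working directory is reached through a symlink; either way the expansion should be quoted, `"${TCK_HOME}/tck"`. If canonicalisation is really wanted, do it after the unzip with `cd "${TCK_HOME}/tck" && pwd -P`.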
@@ -1,12 +1,12 @@ embed-server --admin-only=true - +/subsystem=logging/console-handler=CONSOLE:undefine-attribute(name=level) if (outcome != success) of /subsystem=logging/logger=org.wildfly.security:read-resource /subsystem=logging/logger=org.wildfly.security:add(level=TRACE) end-if -#if (outcome != success) of /subsystem=logging/logger=org.glassfish.soteria:read-resource -# /subsystem=logging/logger=org.glassfish.soteria:add(level=TRACE) -#end-if +if (outcome != success) of /subsystem=logging/logger=org.glassfish.soteria:read-resource + /subsystem=logging/logger=org.glassfish.soteria:add(level=TRACE) +end-if #if (outcome != success) of /subsystem=logging/logger=org.jboss.resteasy:read-resource # /subsystem=logging/logger=org.jboss.resteasy:add(level=TRACE) #end-if 
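Review bot: The new `console-handler=CONSOLE:undefine-attribute(name=level)` removes the console handler's level cap, so the TRACE loggers enabled here for `org.wildfly.security` and the now-uncommented `org.glassfish.soteria` presumably reach the console and therefore the CI output in full. TRACE in the security and Soteria layers can include request headers, token payloads and identity details, which then persist in build logs, and it makes the TCK run considerably noisier. If this is a debugging aid rather than a permanent setting, mark it as such, e.g. `# DEBUG: TRACE security logging, remove or gate before merging`, or leave the console at INFO and route TRACE to a dedicated file handler instead.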
@@ -19,13 +19,17 @@ end-if /subsystem=ee:write-attribute(name=global-modules, value=[{name=com.nimbusds.nimbus-jose-jwt}]) # Configure the keystore -if (outcome != success) of /subsystem=elytron/key-store=tck:read-resource - echo "Adding from ${tck.home} ${env.TCK_HOME}" - # security/security-tck-3.0.2/tck/app-openid2/tomcat.cert - /subsystem=elytron/key-store=tck:add(path=server.truststore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=changeit},type=PKCS12) - echo "Added store " - /subsystem=elytron/key-store=tck:import-certificate(alias=tomcat,path="/home/jperkins/projects/wildfly/wildfly-tck-runners/security/security-tck-3.0.2/tck/app-openid2/tomcat.cert",credential-reference={clear-text=changeit},trust-cacerts=true,validate=false) - /subsystem=elytron/key-store=tck:store() +if (outcome != success) of /subsystem=elytron/key-store=tckKs:read-resource + /subsystem=elytron/key-store=tckKs:add(path=server.truststore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=changeit},type=PKCS12) + /subsystem=elytron/key-store=tckKs:import-certificate(alias=tomcat,path="${tck.root}/app-openid2/tomcat.cert",credential-reference={clear-text=changeit},trust-cacerts=true,validate=false) + /subsystem=elytron/key-store=tckKs:store() + + /subsystem=elytron/key-manager=tckKm:add(key-store=tckKs,credential-reference={clear-text=changeit}) + /subsystem=elytron/trust-manager=tckTm:add(key-store=tckKs) + /subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) + + /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) + /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tckSsl) end-if stop-embedded-server \ No newline at end of file diff --git a/security/wildfly/pom.xml b/security/wildfly/pom.xml index 2e27b8d..dc94188 100644 --- a/security/wildfly/pom.xml 
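Review bot: `key-manager=tckKm` is built over `key-store=tckKs`, but tckKs is populated only by `import-certificate`, which adds a trusted-certificate entry and no private key, so the key manager has nothing to present in a handshake and `server-ssl-context=tckSsl` with `need-client-auth=true` cannot complete a TLS connection. The private key generated by run-tck.sh lives in `${tck.root}/app-openid2/localhost-rsa.jks`; if the server is meant to present it, the key-manager should reference a key-store over that JKS file and only the trust-manager should use the cert-only store (later patches in this series drop the key-manager entirely, which is consistent with this reading). The `credential-reference={clear-text=changeit}` values end up in plain text in standalone.xml; acceptable for a throwaway TCK server, but a comment saying so, e.g. `# TCK fixture password, test server only`, would stop the block being copied into a real profile.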
+++ b/security/wildfly/pom.xml @@ -33,8 +33,8 @@ - 31.0.1.Final - 5.0.0.Beta3 + 32.0.1.Final + 5.0.0.Final ${project.build.directory}/wildfly @@ -50,8 +50,6 @@ true true false - - ${env.TCK_HOME} @@ -75,8 +73,9 @@ ${wildfly.home} true - ${tck.home} + ${env.TCK_ROOT} + true From 3ce49fcb0531405872ed4de166e06b506f0898fe Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Tue, 9 Jul 2024 16:04:33 -0700 Subject: [PATCH 3/7] Switch to a client-ssl-context. Signed-off-by: James R. Perkins --- security/wildfly/configure-server.cli | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/wildfly/configure-server.cli b/security/wildfly/configure-server.cli index bf8f326..b6901f7 100644 --- a/security/wildfly/configure-server.cli +++ b/security/wildfly/configure-server.cli 
@@ -26,10 +26,14 @@ if (outcome != success) of /subsystem=elytron/key-store=tckKs:read-resource /subsystem=elytron/key-manager=tckKm:add(key-store=tckKs,credential-reference={clear-text=changeit}) /subsystem=elytron/trust-manager=tckTm:add(key-store=tckKs) - /subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) + # /subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) - /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) - /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tckSsl) + # /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) + # /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tckSsl) + + /subsystem=elytron/client-ssl-context=tckSsl:add(key-manager=tckKm,trust-manager=tckTm) + /subsystem=elytron/authentication-context=tckAc:add(match-rules=[{match-port=9443,ssl-context=tckSsl}]) + /subsystem=elytron/dynamic-client-ssl-context=dynamicClientSSLContext:add(authentication-context=tckAc) end-if stop-embedded-server \ No newline at end of file From c873c06b0a3c49ea32775887d9748de63eca7811 Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Tue, 9 Jul 2024 17:40:39 -0700 Subject: [PATCH 4/7] Revert back to running all tests. Upgrade WildFly and WildFly Arquillian. Signed-off-by: James R. Perkins --- security/run-tck.sh | 2 +- security/wildfly-mods/profile.xml | 71 +------------------------------ 2 files changed, 3 insertions(+), 70 deletions(-) diff --git a/security/run-tck.sh b/security/run-tck.sh index be788f1..a8e8fcc 100755 --- a/security/run-tck.sh +++ b/security/run-tck.sh 
@@ -164,7 +164,7 @@ echo "Executing NEW Jakarta Security TCK." pushd $TCK_ROOT mvn ${MVN_ARGS} clean -pl '!old-tck,!old-tck/build,!old-tck/run' mkdir target -safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl 'app-openid2' -Dtest.wildfly.home=$NEW_WILDFLY -fae +safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae newTckStatus=${status} popd diff --git a/security/wildfly-mods/profile.xml b/security/wildfly-mods/profile.xml index 374784e..9f87433 100644 --- a/security/wildfly-mods/profile.xml +++ b/security/wildfly-mods/profile.xml @@ -6,12 +6,8 @@ 6.0.0 - 3.4.3.Final - 3.0.4.Final - 31.0.1.Final - 5.0.0.Alpha5 - 19.0.1.Final - 2.0.2.Final + 32.0.1.Final + 5.1.0.Beta3 ${project.basedir}/../../../wildfly/target/wildfly @@ -26,64 +22,10 @@ jakarta.servlet-api ${version.jakarta.servlet} - - org.jboss.logging - jboss-logging - ${version.org.jboss.logging} - - - * - * - - - test - - - org.jboss.remotingjmx - remoting-jmx - ${version.org.jboss.remoting-jmx} - test - - - org.wildfly.arquillian - wildfly-arquillian-common - ${version.org.wildfly.arquillian} - - - * - * - - - test - org.wildfly.arquillian wildfly-arquillian-container-managed ${version.org.wildfly.arquillian} - - - * - * - - - test - - - org.wildfly.core - wildfly-controller-client - ${version.org.wildfly.core} - test - - - org.wildfly.core - wildfly-launcher - ${version.org.wildfly.core} - test - - - org.wildfly.plugins - wildfly-plugin-core - ${version.org.wildfly.plugins} test @@ -134,15 +76,6 @@ true - - org.apache.maven.plugins - maven-failsafe-plugin - - - - - - From 678fb079eccbc59be49049b1314185a2d40f3ad4 Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Wed, 10 Jul 2024 11:52:21 -0700 Subject: [PATCH 5/7] Set the default SSL context in Elytron and turn on SSL debugging. 
Signed-off-by: James R. Perkins --- security/run-tck.sh | 3 ++- security/wildfly-mods/arquillian.xml | 2 +- security/wildfly/configure-server.cli | 9 ++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/security/run-tck.sh b/security/run-tck.sh index a8e8fcc..9cf588e 100755 --- a/security/run-tck.sh +++ b/security/run-tck.sh @@ -164,7 +164,8 @@ echo "Executing NEW Jakarta Security TCK." pushd $TCK_ROOT mvn ${MVN_ARGS} clean -pl '!old-tck,!old-tck/build,!old-tck/run' mkdir target -safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae +# safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae +safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl 'app-openid2' -Dtest.wildfly.home=$NEW_WILDFLY -fae newTckStatus=${status} popd diff --git a/security/wildfly-mods/arquillian.xml b/security/wildfly-mods/arquillian.xml index 5b099fc..dce365f 100644 --- a/security/wildfly-mods/arquillian.xml +++ b/security/wildfly-mods/arquillian.xml @@ -6,7 +6,7 @@ ${test.wildfly.home} - ${debugJvmArgs} -Djboss.https.port=9443 + ${debugJvmArgs} -Djboss.https.port=9443 -Djavax.net.debug=all wildfly localhost diff --git a/security/wildfly/configure-server.cli b/security/wildfly/configure-server.cli index b6901f7..2d4a25a 100644 --- a/security/wildfly/configure-server.cli +++ b/security/wildfly/configure-server.cli 
@@ -26,14 +26,13 @@ if (outcome != success) of /subsystem=elytron/key-store=tckKs:read-resource /subsystem=elytron/key-manager=tckKm:add(key-store=tckKs,credential-reference={clear-text=changeit}) /subsystem=elytron/trust-manager=tckTm:add(key-store=tckKs) - # /subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) - # /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) - # /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tckSsl) + #/subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) /subsystem=elytron/client-ssl-context=tckSsl:add(key-manager=tckKm,trust-manager=tckTm) - /subsystem=elytron/authentication-context=tckAc:add(match-rules=[{match-port=9443,ssl-context=tckSsl}]) - /subsystem=elytron/dynamic-client-ssl-context=dynamicClientSSLContext:add(authentication-context=tckAc) + /subsystem=elytron:write-attribute(name=default-ssl-context, value=tckSsl) + + /subsystem=elytron/configurable-http-server-mechanism-factory=configuredCert:add(http-server-mechanism-factory=global, properties={org.wildfly.security.http.skip-certificate-verification=true}) end-if stop-embedded-server \ No newline at end of file From c96675ec4daf307f7a61d22e0ca7727471743610 Mon Sep 17 00:00:00 2001 From: "James R. Perkins" Date: Mon, 15 Jul 2024 18:27:08 -0700 Subject: [PATCH 6/7] Reduce debug log output. Change to only use a trust-manager for the SSL context. Minor update of the script. Signed-off-by: James R. Perkins --- security/run-tck.sh | 14 +++++++------- security/wildfly-mods/arquillian.xml | 2 +- security/wildfly/configure-server.cli | 20 +++++++++----------- security/wildfly/pom.xml | 8 ++++++++ 4 files changed, 25 insertions(+), 19 deletions(-) 
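Review bot: `configurable-http-server-mechanism-factory=configuredCert` sets `org.wildfly.security.http.skip-certificate-verification=true`, which by its name tells the CLIENT_CERT mechanism to skip its own verification of the presented client certificate, yet nothing in this hunk references `configuredCert` from an http-authentication-factory or application-security-domain, so as committed it is either unused or wired somewhere not visible here. If it is needed, add a comment naming the TCK test that requires it, e.g. `# CLIENT_CERT: the TLS layer already verified the chain; mechanism-level check skipped for <tck test name>`, so the relaxation is not carried into a non-test profile. Separately, `default-ssl-context=tckSsl` replaces the JVM-wide default SSLContext for this server, so every outbound TLS connection, not only the port-9443 calls that patch 3's `match-port=9443` rule targeted, now trusts only the certificates in `tckKs`; a one-line comment stating that this is intentional would help.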
diff --git a/security/run-tck.sh b/security/run-tck.sh index 9cf588e..55409af 100755 --- a/security/run-tck.sh +++ b/security/run-tck.sh @@ -87,7 +87,7 @@ fi # Recreate the keystore and cert echo "Recreate the keystore and cert" -DNAME="CN=localhost, OU=jakarta, O=eclipse, L=amsterdam, S=holland, C=nl" +DNAME="CN=localhost, OU=jakarta, O=eclipse, L=Unknown, S=Unknown, C=Unknown" rm -rfv ${TCK_ROOT}/app-openid2/localhost-rsa.jks rm -rfv ${TCK_ROOT}/app-openid2/tomcat.cert rm -rfv ${TCK_ROOT}/app-openid3/localhost-rsa.jks @@ -95,14 +95,14 @@ rm -rfv ${TCK_ROOT}/app-openid3/tomcat.cert keytool -v -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \ -dname "${DNAME}" \ - -storepass changeit -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks + -storepass changeit -keystore "${TCK_ROOT}/app-openid2/localhost-rsa.jks" keytool -v -export -alias tomcat -storepass changeit \ - -keystore ${TCK_ROOT}/app-openid2/localhost-rsa.jks -file ${TCK_ROOT}/app-openid2/tomcat.cert + -keystore "${TCK_ROOT}/app-openid2/localhost-rsa.jks" -file "${TCK_ROOT}/app-openid2/tomcat.cert" # Copy the files to app-openid3 -cp -v ${TCK_ROOT}/app-openid2/localhost-rsa.jks ${TCK_ROOT}/app-openid3/localhost-rsa.jks -cp -v ${TCK_ROOT}/app-openid2/tomcat.cert ${TCK_ROOT}/app-openid3/tomcat.cert +cp -v "${TCK_ROOT}/app-openid2/localhost-rsa.jks" "${TCK_ROOT}/app-openid3/localhost-rsa.jks" +cp -v "${TCK_ROOT}/app-openid2/tomcat.cert" "${TCK_ROOT}/app-openid3/tomcat.cert" ################################################ # Install WildFly if not previously installed. # 
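Review bot: The quoting added to the `keytool` and `cp` lines does not reach the four `rm -rfv ${TCK_ROOT}/...` lines just above them, which remain unquoted and also use `-r` on what are single regular files; if `TCK_ROOT` is ever empty or unset these run as `rm -rfv /app-openid2/localhost-rsa.jks`. Write them as `rm -fv -- "${TCK_ROOT:?}/app-openid2/localhost-rsa.jks"` (and likewise for the other three) so an empty `TCK_ROOT` aborts the script instead. The `DNAME` change to `Unknown` fields is harmless for a self-signed test certificate, but a short comment on why the subject was changed would save the next reader a diff archaeology trip.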
@@ -164,8 +164,8 @@ echo "Executing NEW Jakarta Security TCK." pushd $TCK_ROOT mvn ${MVN_ARGS} clean -pl '!old-tck,!old-tck/build,!old-tck/run' mkdir target -# safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae -safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl 'app-openid2' -Dtest.wildfly.home=$NEW_WILDFLY -fae +safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl '!old-tck,!old-tck/build,!old-tck/run' -Dtest.wildfly.home=$NEW_WILDFLY -fae +# safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl 'app-openid2' -Dtest.wildfly.home=$NEW_WILDFLY -fae newTckStatus=${status} popd diff --git a/security/wildfly-mods/arquillian.xml b/security/wildfly-mods/arquillian.xml index dce365f..5b099fc 100644 --- a/security/wildfly-mods/arquillian.xml +++ b/security/wildfly-mods/arquillian.xml @@ -6,7 +6,7 @@ ${test.wildfly.home} - ${debugJvmArgs} -Djboss.https.port=9443 -Djavax.net.debug=all + ${debugJvmArgs} -Djboss.https.port=9443 wildfly localhost diff --git a/security/wildfly/configure-server.cli b/security/wildfly/configure-server.cli index 2d4a25a..2b273ab 100644 --- a/security/wildfly/configure-server.cli +++ b/security/wildfly/configure-server.cli 
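Review bot: The `safeRun mvn ... -pl` line and its commented-out twin have swapped places three times in this series (patches 2, 4, 5 and now 6), which is a sign that the module selection should be data rather than a pair of toggled lines. Replace both with an overridable variable near the top of the script, `TCK_MODULES=${TCK_MODULES:-'!old-tck,!old-tck/build,!old-tck/run'}`, and one invocation `safeRun mvn ${MVN_ARGS} install -Pnew-wildfly -pl "$TCK_MODULES" -Dtest.wildfly.home="$NEW_WILDFLY" -fae`, so a single-module run is `TCK_MODULES=app-openid2 ./run-tck.sh` with no edit to commit. The `mvn ... clean -pl '!old-tck,...'` two lines up should use the same variable so the clean and install always agree.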
@@ -19,20 +19,18 @@ end-if /subsystem=ee:write-attribute(name=global-modules, value=[{name=com.nimbusds.nimbus-jose-jwt}]) # Configure the keystore -if (outcome != success) of /subsystem=elytron/key-store=tckKs:read-resource - /subsystem=elytron/key-store=tckKs:add(path=server.truststore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=changeit},type=PKCS12) - /subsystem=elytron/key-store=tckKs:import-certificate(alias=tomcat,path="${tck.root}/app-openid2/tomcat.cert",credential-reference={clear-text=changeit},trust-cacerts=true,validate=false) - /subsystem=elytron/key-store=tckKs:store() +if (outcome != success) of /subsystem=elytron/key-store=tckTs:read-resource + # create the truststore for the client that has the cert from the server's keystore + /subsystem=elytron/key-store=tckTs:add(path=client.truststore.pkcs12,relative-to=jboss.server.config.dir,credential-reference={clear-text=changeit},type=PKCS12) + /subsystem=elytron/key-store=tckTs:import-certificate(alias=tomcat,path="${tck.root}/app-openid2/tomcat.cert",credential-reference={clear-text=changeit},trust-cacerts=true,validate=false) + /subsystem=elytron/key-store=tckTs:store() - /subsystem=elytron/key-manager=tckKm:add(key-store=tckKs,credential-reference={clear-text=changeit}) - /subsystem=elytron/trust-manager=tckTm:add(key-store=tckKs) + # add the truststore to the trust manager + /subsystem=elytron/trust-manager=tckTm:add(key-store=tckTs) - #/subsystem=elytron/server-ssl-context=tckSsl:add(key-manager=tckKm,protocols=["TLSv1.2"],trust-manager=tckTm,need-client-auth=true) - - /subsystem=elytron/client-ssl-context=tckSsl:add(key-manager=tckKm,trust-manager=tckTm) + # create the SSL context with the trust manager + /subsystem=elytron/client-ssl-context=tckSsl:add(trust-manager=tckTm) /subsystem=elytron:write-attribute(name=default-ssl-context, value=tckSsl) - - 
/subsystem=elytron/configurable-http-server-mechanism-factory=configuredCert:add(http-server-mechanism-factory=global, properties={org.wildfly.security.http.skip-certificate-verification=true}) end-if stop-embedded-server \ No newline at end of file diff --git a/security/wildfly/pom.xml b/security/wildfly/pom.xml index dc94188..9f12c80 100644 --- a/security/wildfly/pom.xml +++ b/security/wildfly/pom.xml @@ -125,6 +125,14 @@ ${feature.pack.version} + + + + org.wildfly.channels + wildfly-ee + + + From b8b2af947ea6cf2c77ba56a3c4f3eff810b6d882 Mon Sep 17 00:00:00 2001 From: Brian Stansberry Date: Tue, 16 Jul 2024 06:56:15 -0500 Subject: [PATCH 7/7] Tell Java to use our truststore --- security/wildfly-mods/arquillian.xml | 2 +- security/wildfly-mods/profile.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/security/wildfly-mods/arquillian.xml b/security/wildfly-mods/arquillian.xml index 5b099fc..d972773 100644 --- a/security/wildfly-mods/arquillian.xml +++ b/security/wildfly-mods/arquillian.xml @@ -6,7 +6,7 @@ ${test.wildfly.home} - ${debugJvmArgs} -Djboss.https.port=9443 + ${debugJvmArgs} -Djboss.https.port=9443 -Djavax.net.ssl.trustStore=${test.wildfly.home}/standalone/configuration/client.truststore.pkcs12 -Djavax.net.ssl.trustStorePassword=changeit wildfly localhost diff --git a/security/wildfly-mods/profile.xml b/security/wildfly-mods/profile.xml index 9f87433..7fd6045 100644 --- a/security/wildfly-mods/profile.xml +++ b/security/wildfly-mods/profile.xml @@ -45,6 +45,8 @@ ${jboss.server.name} + ${env.JBOSS_HOME}/standalone/configuration/client.truststore.pkcs12 + changeit
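Review bot: The `if (outcome != success) of key-store=tckTs:read-resource` guard builds `client.truststore.pkcs12` only the first time the server is configured, while run-tck.sh deletes and regenerates `localhost-rsa.jks` and `tomcat.cert` on every run; if the configured server under `servers/new-wildfly` survives between runs, the trust store keeps the previous run's certificate and TLS trust fails with a generic certification-path error. I cannot tell from this series whether that directory is recreated each run, so please confirm; if it is not, re-import unconditionally (`key-store=tckTs:remove-alias(alias=tomcat)` followed by the `import-certificate`) rather than relying on first-run-only setup. `validate=false` with `trust-cacerts=true` on the import is acceptable here only because the certificate is the locally generated self-signed `tomcat` cert; a comment such as `# self-signed test cert produced by run-tck.sh; no chain to validate` would make that explicit.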
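Review bot: `-Djavax.net.ssl.trustStore=${test.wildfly.home}/standalone/configuration/client.truststore.pkcs12` replaces the container JVM's default cacerts rather than extending it, so that JVM now trusts only the `tomcat` certificate that configure-server.cli imports there; any TLS connection to another endpoint from the server will fail, which is fine for a TCK run but should be stated in a comment next to the argument (the enclosing element is not visible in this view, so I assume these are the container's JVM arguments). It also overlaps with `default-ssl-context=tckSsl` already set in configure-server.cli, which points the default SSLContext at the same trust material; keeping both leaves it unclear which one a test actually depends on, so either drop one or note why both are needed, presumably for code that builds its own SSLContext from the system properties. `-Djavax.net.ssl.trustStorePassword=changeit` is visible in process listings; tolerable for this throwaway trust store, but worth a comment so it is not copied as a pattern.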