Merge pull request #126 from sgala/fips_detection_certs

Fips changes for JWS in noe-core

Author: mmadzin

core/src/main/groovy/noe/common/DefaultProperties.groovy

@@ -61,6 +61,11 @@ class DefaultProperties {
       "${JENKINS_JOBS_DIR_PREFIX}/clusterbench-mod_cluster-mbabacek/lastSuccessful/archive/clusterbench-ee6-web-nondist/target/clusterbench.war")
   public static final boolean SOLARIS_DEFAULT_LIBRARY_PATH_CLEAN = Boolean.valueOf(Library.getUniversalProperty('solaris.default.library.path.clean', 'false'))
 
+  // Get the fips self signed directory depending on whether fips on the OS is enabled or not
+  public static final String SELF_SIGNED_CERTIFICATE_RESOURCE = Library.getUniversalProperty('self_signed.certificate.resource',
+      new Platform().isFips() ? "self_signed_fips" : "self_signed")
+  public static final String FIPS_140_2_CIPHERS = "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+
   /**
    * Method which tries to retrieve version from property, if it doesn't succeed, null is returned
    */

core/src/main/groovy/noe/common/utils/Cmd.groovy

@@ -854,7 +854,8 @@ public class Cmd {
         try {
           javaPids.add(Integer.parseInt(pid))
         } catch (NumberFormatException ex) {
-          throw new NumberFormatException("Guys, I can't parse Integer from:${pid}", ex)
+          log.error("Error trying to parse process ID from: \"${pid}\"")
+          throw ex
         }
       }
 
@@ -897,7 +898,8 @@ public class Cmd {
       try {
         pids.add(Integer.parseInt(pid))
       } catch (NumberFormatException ex) {
-        throw new NumberFormatException("Guys, I can't parse Integer from:${pid}", ex)
+        log.error("Error trying to parse process ID from: \"${pid}\"")
+        throw ex
       }
     }
 
@@ -952,7 +954,8 @@ public class Cmd {
           try {
             pids.add(Integer.parseInt(pid))
           } catch (NumberFormatException ex) {
-            throw new NumberFormatException("Guys, I can't parse Integer from:${pid}", ex)
+            log.error("Error trying to parse process ID from: \"${pid}\"")
+            throw ex
           }
         } else {
           log.error("WIDLE match didn't succeed :-) it was: match.size():${match.size()}")
@@ -1053,9 +1056,9 @@ public class Cmd {
    */
   static boolean waitForPidsRemoved(List<Integer> pids, int timeout, TimeUnit timeUnit) {
     long maxTime = System.currentTimeMillis() + timeUnit.toMillis(timeout)
-    boolean anyPidExist = getPidList().intersect(pids).isEmpty()
+    boolean anyPidExist = !getPidList().intersect(pids).isEmpty()
     while (anyPidExist && System.currentTimeMillis() <= maxTime) {
-      anyPidExist = getPidList().intersect(pids).isEmpty()
+      anyPidExist = !getPidList().intersect(pids).isEmpty()
       Library.letsSleep(42)
     }
     if (anyPidExist) {

core/src/main/groovy/noe/common/utils/Platform.groovy

@@ -152,6 +152,21 @@ class Platform {
     return isHP() && (osName ==~ /.*11.*/)
   }
 
+  boolean isFips() {
+    if(isRHEL()) {
+      // Using return (['/usr/bin/fips-mode-setup', '--is-enabled'].execute().waitFor() == 0)
+      // does not work on RHEL7
+      try {
+        return (new File('/proc/sys/crypto/fips_enabled').readLines()[0]=='1')
+      } catch(Exception e) {
+        log.error("Can't detect FIPS enabled using /proc for a RHEL machine, will return false")
+        return false
+      }
+    }
+    //For the moment return false for non-RHEL targets
+    return false
+  }
+
   public String getScriptSuffix() {
     return isWindows() ? 'bat' : 'sh'
   }

core/src/main/groovy/noe/server/ApacheDS.groovy

@@ -5,6 +5,8 @@ import noe.common.newcmd.CmdBuilder
 import noe.common.newcmd.CmdCommand
 import noe.common.utils.Cmd
 import noe.common.utils.JBFile
+import noe.common.utils.Java
+
 /**
  *  Class for manipulting with ApacheDS server
  *    - Pure java LDAP, Kerberos server
@@ -52,6 +54,24 @@ abstract class ApacheDS extends ServerAbstract {
 
     portsAvailable()
     CmdCommand cmdCommand = new CmdBuilder<>(start).setWorkDir(new File(apacheDSBin)).build()
+    Map cmdProps = cmdCommand.getEnvProperties()
+    if(platform.isFips()) {
+      //ApacheDS won't start with FIPS
+      def opts = cmdProps.getOrDefault("JAVA_OPTS","")
+      if(opts.size()>0) {
+        opts+=' '
+      }
+      opts+='-Dcom.redhat.fips=false'
+      cmdProps.put("JAVA_OPTS", opts)
+    }
+    if(Java.isJdkXOrHigher("17")) {
+      def opts = cmdProps.getOrDefault("JAVA_OPTS", "")
+      if (opts.size() > 0) {
+        opts += ' '
+      }
+      opts += '--add-exports=java.base/sun.security.util=ADD-UNNAMED'
+      cmdProps.put("JAVA_OPTS", opts)
+    }
     process = Cmd.startProcess(cmdCommand)
     process.consumeProcessOutput(System.out, System.err)
     waitForStartComplete()

core/src/main/groovy/noe/server/Httpd.groovy

@@ -67,7 +67,7 @@ abstract class Httpd extends ServerAbstract {
     this.cachePath = this.basedir + platform.sep + 'cache'
     postInstallErrFile = new File(getHttpdServerRootFull(), 'httpdPostInstallErr.log')
     postInstallOutFile = new File(getHttpdServerRootFull(), 'httpdPostInstallOut.log')
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
+    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE)
     this.sslCertDir = new File(sslStringDir)
     this.sslCertificate = new File(sslCertDir, "server.crt").absolutePath
     this.sslKey = new File(sslCertDir, "server.key").absolutePath

core/src/main/groovy/noe/server/ServerAbstract.groovy

@@ -6,12 +6,14 @@ import noe.app.IApp
 import noe.common.DefaultProperties
 import noe.common.utils.Cmd
 import noe.common.utils.JBFile
+import noe.common.utils.Java
 import noe.common.utils.Library
 import noe.common.utils.Platform
 import noe.common.utils.Version
 import noe.common.utils.processid.ProcessUtils
 
 import java.util.concurrent.TimeUnit
+import java.util.regex.Pattern
 
 
 @Slf4j
@@ -54,6 +56,8 @@ abstract class ServerAbstract implements IApp {
   String sslCertificate
   String sslKey
   String keystorePath
+  String keystoreType
+  String securityPath
   String sslKeystorePassword
 
   // truststore related properties
@@ -98,11 +102,20 @@ abstract class ServerAbstract implements IApp {
     this.serverRoot = basedir
     this.host = (host) ?: DefaultProperties.HOST
     this.ignoreShutdownPort = true
-    this.sslCertificate = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.crt"
-    this.sslKey = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.key"
-    this.keystorePath = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.jks"
-    this.truststorePassword = 'changeit'
+    this.sslCertificate = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}${DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE}${platform.sep}server.crt"
+    this.sslKey = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}${DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE}${platform.sep}server.key"
+    if( platform.isFips() ) {
+      this.keystorePath = "${platform.tmpDir}${platform.sep}ssl${platform.sep}${DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE}${platform.sep}nssdb"
+      this.keystoreType = 'PKCS11'
+      def variant = (Java.openJDK ? "openjdk" : (Java.oracleJDK ? "oracle-java" : "ibm-java")) +
+              (Java.isJdk8() ? "-1.8" : ( Java.isJdk11()? "-11" : "-17"))
+      this.securityPath = "${platform.tmpDir}${platform.sep}ssl${platform.sep}${DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE}${platform.sep}java.security."+ variant
+    } else{
+      this.keystorePath = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}${DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE}${platform.sep}server.jks"
+      this.keystoreType = 'jks'
+    }
     this.sslKeystorePassword = 'changeit'
+    this.truststorePassword = 'changeit'
     this.pid = null
     setRunAs(loadRunAs())
     this.processCode = String.valueOf(Math.abs(this.hashCode()))
@@ -603,10 +616,10 @@ abstract class ServerAbstract implements IApp {
   }
 
   /**
-   * Check log files for ERRORS and WARNINGS
+   * Check log files for ERRORS and WARNINGS, ignoring a list of patterns, empty by default
    * TODO add offsets for logs (or delete logs before each test - replace symlinks)
    */
-  List<String> verifyLogs() {
+  List<String> verifyLogs( List<String>filtered=[]) {
     def affectedLines = []
 
     logDirs.each { logDir ->
@@ -627,6 +640,13 @@ abstract class ServerAbstract implements IApp {
           }
 
         }
+        affectedLines.removeIf { line-> filtered.any {
+          pat -> if(line =~ pat) {
+            log.debug("Filtered Warning: ${line}")
+            return true
+            }
+          }
+        }
       }
     }
     return affectedLines
@@ -871,8 +891,12 @@ abstract class ServerAbstract implements IApp {
   Boolean verifySecuredUrl(int code = 200, String content = "", long timeout = 30000, Boolean allowRedirects = true, Boolean setReqProp = false,
                            String reqKey = "", String reqValue = "", String urlPath = '') {
     System.setProperty('javax.net.ssl.trustStore', getKeystorePath())
+    System.setProperty('javax.net.ssl.trustStoreType', getKeystoreType())
+    System.setProperty('javax.net.ssl.trustStorePassword', getSslKeystorePassword())
     def ret = Library.verifyUrl(getUrl(urlPath, true), code, content, timeout, allowRedirects, setReqProp, reqKey, reqValue)
     System.clearProperty('javax.net.ssl.trustStore')
+    System.clearProperty('javax.net.ssl.trustStoreType')
+    System.clearProperty('javax.net.ssl.trustStorePassword')
     return ret
   }
 

core/src/main/groovy/noe/server/Tomcat.groovy

@@ -62,11 +62,10 @@ class Tomcat extends ServerAbstract implements WorkerServer {
     this.cfgHost = (cfgHost) ?: ''
     postInstallErrFile = new File(basedir,  'tomcatPostInstallErr.log')
     postInstallOutFile = new File(basedir,  'tomcatPostInstallOut.log')
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
+    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE)
     this.sslCertDir = new File(sslStringDir)
     this.sslCertificate = new File(sslCertDir, "server.crt").absolutePath
     this.sslKey = new File(sslCertDir, "server.key").absolutePath
-    this.keystorePath = new File(sslCertDir, "server.jks").absolutePath
 
   }
 
@@ -121,7 +120,7 @@ class Tomcat extends ServerAbstract implements WorkerServer {
       File f = new File(keystorePath)
       URL certUrl = f.toURI().toURL()
       webClient.getOptions().setUseInsecureSSL(true)
-      webClient.getOptions().setSSLClientCertificate(certUrl, sslKeystorePassword, "jks")
+      webClient.getOptions().setSSLClientCertificate(certUrl, sslKeystorePassword, keystoreType)
       serverUrl = this.getUrl('', true)
     } else {
       serverUrl = this.getUrl()
@@ -192,6 +191,19 @@ class Tomcat extends ServerAbstract implements WorkerServer {
     }
   }
 
+  /**
+   * Check log files for ERRORS and WARNINGS
+   */
+  List<String> verifyLogs() {
+    final List<String> defaultFilteredLines = platform.isFips() ? Arrays.asList(
+            "Creation of SecureRandom instance for session ID generation using \\[.*\\] took \\[",
+            "Exception initializing random number generator using algorithm \\[SHA1PRNG\\]",
+            "ErrorReportValve\\.java"
+    ) : Arrays.asList(
+            "Creation of SecureRandom instance for session ID generation using \\[.*\\] took \\[")
+    return super.verifyLogs(defaultFilteredLines)
+  }
+
   /**
    * Start the server Tomcat with JSVC wrapper
    */
@@ -636,9 +648,16 @@ class Tomcat extends ServerAbstract implements WorkerServer {
     def dummyComment = '<!-- Define an AJP 1.3 Connector on port 8009 -->'
     def enableJavaSsl = '<Connector port="' + this.mainHttpsPort.toString() + '" protocol="HTTP/1.1" SSLEnabled="true"' + nl +
         'maxThreads="150" scheme="https" secure="true"' + nl +
-        'keystoreFile="' + this.keystorePath + '" keystorePass="' + this.sslKeystorePassword + '"' + nl +
+        'keystoreFile="' + this.keystorePath + '" keystoreType="' + this.keystoreType + '" keystorePass="' + this.sslKeystorePassword + '"' + nl +
         'clientAuth="false" sslProtocol="TLS" />'
-
+    if (platform.isFips()) {
+      enableJavaSsl = '<Connector port="' + this.mainHttpsPort.toString() + '" protocol="HTTP/1.1"' + nl +
+              '          SSLEnabled="true" maxThreads="150" scheme="https" secure="true"' + nl +
+              '          clientAuth="false" sslEnabledProtocols="TLSv1.1+TLSv1.2"' + nl +
+              '          keystorePass="' + this.sslKeystorePassword + '"' + nl +
+              '          keystoreType="' + this.keystoreType + '"' + nl +
+              '          ciphers="' + DefaultProperties.FIPS_140_2_CIPHERS+ '" />'
+      }
     updateConfReplaceRegExp('server.xml', aprListener, commentAprListener, true, true)
     updateConfReplaceRegExp('server.xml', dummyComment, enableJavaSsl, true, true)
   }
@@ -651,8 +670,11 @@ class Tomcat extends ServerAbstract implements WorkerServer {
         'maxThreads="200" scheme="https" secure="true"' + nl +
         'SSLCertificateFile="' + this.sslCertificate + '"' + nl +
         'SSLCertificateKeyFile="' + this.sslKey + '"' + nl +
-        'SSLPassword="' + this.sslKeystorePassword + '"' + nl +
-        '/>'
+        'SSLPassword="' + this.sslKeystorePassword + '"' + nl
+    if(platform.isFips()) {
+      enableOpenSsl += 'ciphers="' + DefaultProperties.FIPS_140_2_CIPHERS + '"'
+    }
+    enableOpenSsl += '/>'
 
     updateConfReplaceRegExp('server.xml', dummyComment, enableOpenSsl, true, true)
   }
@@ -666,7 +688,13 @@ class Tomcat extends ServerAbstract implements WorkerServer {
     def enableNIOSsl = '<Connector port="' + this.mainHttpsPort.toString() + '" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"' + nl +
         'maxThreads="150" scheme="https" secure="true"' + nl +
         'keystoreFile="' + this.keystorePath + '" keystorePass="' + this.sslKeystorePassword + '"' + nl +
-        'clientAuth="false" sslProtocol="TLS" />'
+        'clientAuth="false" '
+    if(platform.isFips()) {
+      enableNIOSsl += 'sslEnabledProtocols="TLSv1.1+TLSv1.2" '
+    } else {
+      enableNIOSsl += 'sslProtocol="TLS" '
+    }
+    enableNIOSsl +=  'keystoreType="' + this.keystoreType + '" />'
 
     updateConfReplaceRegExp('server.xml', aprListener, commentAprListener, true, true)
     updateConfReplaceRegExp('server.xml', dummyComment, enableNIOSsl, true, true)

core/src/main/groovy/noe/tomcat/configure/SecureHttpConnectorTomcat.groovy

@@ -1,5 +1,6 @@
 package noe.tomcat.configure
 
+import noe.common.DefaultProperties
 import noe.common.utils.Platform
 
 /**
@@ -53,7 +54,7 @@ public class SecureHttpConnectorTomcat extends ConnectorTomcatAbstract<SecureHtt
   }
 
   /**
-   * Configure secure http connector to expect certificates in ${SYSTEM_TEMP}/ssl/self_signed directory
+   * Configure secure http connector to expect certificates in ${SYSTEM_TEMP}/ssl/self_signed(_fips) directory
    * Expected names:
    *  <ul>
    *    <li>certificate = server.crt</li>
@@ -65,11 +66,14 @@ public class SecureHttpConnectorTomcat extends ConnectorTomcatAbstract<SecureHtt
    */
   SecureHttpConnectorTomcat setDefaultCertificatesConfiguration() {
     String sslRoot = new File(new Platform().getTmpDir(), "ssl").getCanonicalPath()
-    String sslStringDir = new File(sslRoot, "self_signed").getCanonicalPath()
+    String sslStringDir = new File(sslRoot, DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE).getCanonicalPath()
     String sslCertificate = new File(sslStringDir, "server.crt").getCanonicalPath()
     String sslCertificateKey = new File(sslStringDir, "server.key").getCanonicalPath()
     String keystoreFilePath = new File(sslStringDir, "server.jks").getCanonicalPath()
     String password = "changeit"
+    if(new Platform().isFips()) {
+      keystoreFilePath = new File(sslStringDir, "nssdb").getCanonicalPath()
+    }
 
     setSslCertificateFile(sslCertificate)
     setSslCertificateKeyFile(sslCertificateKey)

core/src/main/groovy/noe/workspace/WorkspaceAbstract.groovy

@@ -120,14 +120,28 @@ abstract class WorkspaceAbstract implements IWorkspace {
   }
 
   /**
-   * Copies self-signed, pre-generated certificates from noe core to ${tmpdir}/ssl/self_signed directory.
+   * Copies self-signed, pre-generated certificates from noe core to ${tmpdir}/ssl/self_signed(_fips) directory.
    *
    */
   void copyCertificates() {
     List<String> certificates = ["server.crt", "server.jks", "server.key", "server.p12"]
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
+    def secFiles = [
+            "java.security.ibm-java-1.8",
+            "java.security.openjdk-1.8",
+            "java.security.openjdk-11",
+            "java.security.openjdk-17",
+            "java.security.oracle-java-1.8",
+            "java.security.oracle-java-11",
+            "java.security.oracle-java-17",
+            "nss.fips.cfg",
+            "nss.oraclefips.cfg",
+            "nss.cfg"]
+    if (platform.isFips()) {
+      certificates = certificates + secFiles
+    }
+    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE)
     File sslDir = new File(sslStringDir)
-    String resourcesPath = "ssl/self_signed/"  //resources jar path is always separated by /
+    String resourcesPath = "ssl/" + DefaultProperties.SELF_SIGNED_CERTIFICATE_RESOURCE + "/"  //resources jar path is always separated by /
 
     if (!sslDir.exists()) {
       JBFile.mkdir(sslDir)
@@ -139,6 +153,18 @@ abstract class WorkspaceAbstract implements IWorkspace {
       File certFile = Library.retrieveResourceAsFile("${resourcesPath}${certName}")
       JBFile.move(certFile, sslDir)
     }
+    if (platform.isFips()) {
+      for (String file: secFiles){
+        JBFile.replace(new File(sslDir,file),"/tmp/ssl/self_signed_fips",sslStringDir)
+      }
+      List<String> keystore = [ "cert9.db", "key4.db", "pkcs11.txt", "secmod.db"]
+      File keystoreDir = new File(PathHelper.join(sslStringDir, "nssdb"))
+      resourcesPath = resourcesPath + "nssdb/"
+      for (String db : keystore) {
+        File dbFile = Library.retrieveResourceAsFile("${resourcesPath}${db}")
+        JBFile.move(dbFile,keystoreDir)
+      }
+    }
   }
 
   void downloadClusterBench() {