FIPS Support #36

Open
UnicornChance opened this issue Mar 20, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@UnicornChance
Contributor

Description

At this time this is more of a discussion placeholder than an actual intent to implement.

FIPS is not supported at the moment. If we want to move to supporting FIPS in our identity config we will need to spend some time understanding the different bouncy-castle libraries. This primarily impacts the x509 plugin source code, but will probably affect the other pieces as well.

At the moment we utilize the bcpg-fips library, but based on bouncy-castle documentation that also requires at least a library for FIPS algorithms and potentially also using the bc-fips general FIPS library that isn't specific to OpenPGP.

Current bouncy-castle and Keycloak crypto libraries:

        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-crypto-default</artifactId>
            <version>${keycloak.version}</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpg-fips</artifactId>
            <version>1.0.7.1</version>
        </dependency>

Libraries that should be looked into:

        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-crypto-fips1402</artifactId>
            <version>${keycloak.version}</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bc-fips</artifactId>
            <version>1.0.2.4</version>
        </dependency>

Describe the solution you'd like

  • All testing should pass (integration tests, plugin unit tests, etc).
  • The provided identity config should be FIPS compliant, regardless of the surrounding environment.

Testing Gotchas

  • While testing changes to libraries be aware that sometimes the order of the libraries in the pom.xml can cause errors. @rjferguson21 and @UnicornChance experienced this behavior when importing the keycloak-crypto-default library after the bcpg-fips library.

Links

Official Keycloak FIPS140-2 Docs
Maven Repo description of bcpg-fips
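As an added example (not code from this issue or the project): a startup self-check that a plugin unit test could run once bc-fips is on the classpath, to confirm the requirement that crypto is served by the FIPS provider and runs in approved-only mode regardless of what the surrounding JVM ships. It assumes bc-fips' JCA provider class (BouncyCastleFipsProvider, registered as "BCFIPS") and its CryptoServicesRegistrar are available.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public final class FipsSelfCheck {
    /** JCA name under which bc-fips registers its provider (assumed from bc-fips). */
    static final String BCFIPS_NAME = "BCFIPS";

    /** Register BCFIPS at the highest priority unless it is already present. */
    static Provider ensureProvider() {
        Provider existing = Security.getProvider(BCFIPS_NAME);
        if (existing != null) {
            return existing;
        }
        Provider p = new BouncyCastleFipsProvider();
        Security.insertProviderAt(p, 1); // position 1 = consulted before the JDK providers
        return p;
    }

    /**
     * Require approved-only mode. Without -Dorg.bouncycastle.fips.approved_only=true
     * on the JVM this call only affects the current thread, so the system property
     * is what the shipped config should set; this check catches a missing property.
     */
    static void requireApprovedOnly() {
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            CryptoServicesRegistrar.setApprovedOnlyMode(true);
        }
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("bc-fips is not in approved-only mode");
        }
    }

    /** Resolve an algorithm with no provider named and report which provider served it. */
    static String providerFor(String algorithm) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        ensureProvider();
        requireApprovedOnly();
        String served = providerFor("SHA-256");
        if (!BCFIPS_NAME.equals(served)) { // another provider won default resolution
            throw new IllegalStateException("SHA-256 served by " + served + ", not BCFIPS");
        }
        System.out.println("SHA-256 served by " + served + " in approved-only mode");
    }
}
```

Running this in the plugin's test suite makes a wrong provider order or a missing approved-only property fail the build instead of surfacing in production.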

@UnicornChance UnicornChance added the enhancement New feature or request label Mar 20, 2024