Closed JiriOndrusek closed 3 months ago
@ppalaga (@ffang) I added missing policy.xml files (with different ids) for each endpoint. And I see a weird behavior (on FIPS): JVM tests succeed, but native tests fail.
Here are a few lines from the log when executing CustomEncryptSignPolicyIT.helloCustomizedValuesCorrectly (the test customizes the suite to use weaker algorithms, but the correct ones, therefore it should succeed on non-FIPS and fail on FIPS).
JVM part of log, FIPS (looks as expected):
2024-03-18 13:04:27,438 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
2024-03-18 13:04:27,438 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
2024-03-18 13:04:27,443 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Wss10
2024-03-18 13:04:27,452 DEBUG [org.apa.wss.com.uti.Loader] (executor-thread-1) Trying to find [alice-keystore.pkcs12] using QuarkusClassLoader:Quarkus Base Runtime ClassLoader: TEST for CustomEncryptSignPolicyTest (QuarkusTest)@44a14de0 class loader.
2024-03-18 13:04:27,455 DEBUG [org.apa.wss.com.cry.Merlin] (executor-thread-1) The KeyStore alice-keystore.pkcs12 of type pkcs12 has been loaded
2024-03-18 13:04:27,460 DEBUG [org.apa.cxf.ws.sec.wss.pol.AsymmetricBindingHandler] (executor-thread-1) unsupported key transport encryption algorithm: No such algorithm: "RSA/ECB/OAEPWithSHA1AndMGF1Padding": org.apache.wss4j.common.ext.WSSecurityException: unsupported key transport encryption algorithm: No such algorithm: "RSA/ECB/OAEPWithSHA1AndMGF1Padding"
native part of the log:
2024-03-18 13:08:00,243 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
2024-03-18 13:08:00,243 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
2024-03-18 13:08:00,243 DEBUG [org.apa.cxf.ws.sec.wss.pol.AbstractCommonBindingHandler] (executor-thread-1) Asserting {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Wss10
2024-03-18 13:08:00,244 DEBUG [org.apa.wss.com.uti.Loader] (executor-thread-1) Trying to find [alice-keystore.pkcs12] using jdk.internal.loader.ClassLoaders$AppClassLoader@2c8d66b2 class loader.
2024-03-18 13:08:00,248 DEBUG [org.apa.wss.com.cry.Merlin] (executor-thread-1) The KeyStore alice-keystore.pkcs12 of type pkcs12 has been loaded
2024-03-18 13:08:00,248 DEBUG [org.apa.wss.dom.mes.WSSecEncryptedKey] (executor-thread-1) cipher blksize: 0
2024-03-18 13:08:00,249 DEBUG [org.apa.wss.dom.mes.WSSecEncrypt] (executor-thread-1) Error destroying key: null
2024-03-18 13:08:00,269 DEBUG [org.apa.cxf.ws.sec.wss.WSS4JInInterceptor] (executor-thread-2) WSS4JInInterceptor: enter handleMessage()
2024-03-18 13:08:00,308 INFO [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'org.apache.cxf.ws.security.tokenstore.TokenStore-1186773456' created in EhcacheManager.
2024-03-18 13:08:00,312 INFO [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'ws-security.timestamp.cache.instance-1186773456' created in EhcacheManager.
2024-03-18 13:08:00,313 DEBUG [org.apa.wss.com.uti.Loader] (executor-thread-2) Trying to find [bob-keystore.pkcs12] using jdk.internal.loader.ClassLoaders$AppClassLoader@2c8d66b2 class loader.
You can see the same line in both logs: The KeyStore alice-keystore.pkcs12 of type pkcs12 has been loaded
On JVM (with FIPS) the next message is a failure to find an algorithm; the native one successfully continues.
Do you have an idea, what can be wrong?
I'm able to debug the JVM execution via remote and I see the value entering org.apache.wss4j.common.util.KeyUtils.getCipherInstance(KeyUtils.java:207) (which fails) to be http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, which should happen also in native. I haven't found a way of proving that the value is the same, though.
Thanks @ppalaga for the help! The behavior of the native testing makes sense, because the natively compiled image is not FIPS compliant. I'll change the assertions of the tests to fail for FIPS in native + make them log that native mode and FIPS behave differently.
I fixed the problems and change is prepared to be merged.
If the test runs in native and the machine environment (where the test runs) or the binary is FIPS enabled, the test fails with the message: Combination of FIPS environment and native mode is not supported.
In JVM mode, the test detects whether the system is FIPS compliant, and asserts success or failure based on this information.
To show behavior correctly:
In non-fips mode (jvm or native), results are Tests run: 28, Failures: 0, Errors: 0, Skipped: 0
In FIPS jvm, results are: Tests run: 28, Failures: 0, Errors: 0, Skipped: 0
In FIPS native: Tests run: 28, Failures: 9, Errors: 0, Skipped: 0
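As an added illustration of the approach described in this comment (it is not code from the quarkus-cxf PR), here is a JUnit helper that decides the expected outcome of the weak-suite test per environment. Assumptions made here: the host's FIPS state is read from the Linux flag /proc/sys/crypto/fips_enabled; the JVM's own FIPS restriction is probed by asking for the RSA/ECB/OAEPWithSHA1AndMGF1Padding transform that the FIPS JVM rejected in the log above; native mode is detected through GraalVM's org.graalvm.nativeimage.imagecode property; the class name FipsAwareTestSupport, the methods expectationForWeakSuite and assertWeakSuiteBehaviour, and the client invocation passed in are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.Callable;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import org.junit.jupiter.api.Assertions;

/** Hypothetical helper (added example, not quarkus-cxf code) for FIPS/native-aware assertions. */
public final class FipsAwareTestSupport {

    /** The key-transport transform the FIPS JVM rejected in the log above. */
    static final String WEAK_KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA1AndMGF1Padding";

    enum Expectation { SUCCESS, FAILURE, UNSUPPORTED }

    private FipsAwareTestSupport() {
    }

    /**
     * True when the JVM's providers refuse the weak OAEP transform, i.e. the JVM is FIPS-restricted.
     * In a native image this probe succeeds even on a FIPS host, because the image is not FIPS compliant,
     * so hostIsFipsEnabled() is consulted as well.
     */
    static boolean jvmIsFipsRestricted() {
        try {
            Cipher.getInstance(WEAK_KEY_TRANSPORT);
            return false;
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return true;
        }
    }

    /** True when the Linux kernel is in FIPS mode (assumption: /proc/sys/crypto/fips_enabled reads "1"). */
    static boolean hostIsFipsEnabled() {
        Path flag = Path.of("/proc/sys/crypto/fips_enabled");
        if (!Files.isReadable(flag)) {
            return false;
        }
        try {
            return "1".equals(Files.readString(flag, StandardCharsets.US_ASCII).trim());
        } catch (IOException e) {
            return false;
        }
    }

    /** GraalVM sets this system property to "runtime" inside a running native image. */
    static boolean runningInNativeImage() {
        return "runtime".equals(System.getProperty("org.graalvm.nativeimage.imagecode"));
    }

    /** Maps the environment to the outcome the weak-suite test should assert. */
    static Expectation expectationForWeakSuite() {
        boolean fips = hostIsFipsEnabled() || jvmIsFipsRestricted();
        if (runningInNativeImage() && fips) {
            return Expectation.UNSUPPORTED;
        }
        return fips ? Expectation.FAILURE : Expectation.SUCCESS;
    }

    /**
     * Runs the (hypothetical) client invocation and asserts the environment-appropriate result:
     * plain success outside FIPS, a rejected request on a FIPS JVM, and an explicit failure
     * for the unsupported FIPS + native combination.
     */
    static void assertWeakSuiteBehaviour(Callable<String> invocation, String expectedReply) throws Exception {
        Expectation expectation = expectationForWeakSuite();
        switch (expectation) {
            case UNSUPPORTED -> Assertions.fail(
                    "Combination of FIPS environment and native mode is not supported.");
            case FAILURE -> Assertions.assertThrows(Exception.class, invocation::call,
                    "weak key-transport suite must be rejected under FIPS");
            case SUCCESS -> Assertions.assertEquals(expectedReply, invocation.call());
        }
    }
}
```

A test method would call assertWeakSuiteBehaviour(() -> client.hello("Jane"), "Hello Jane") with its own client, so the same test body yields "Failures: 0" on non-FIPS and FIPS JVM runs and an explicit failure in the FIPS native run, matching the three result lines above.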
fixes https://github.com/quarkiverse/quarkus-cxf/issues/1285
replaces https://github.com/quarkiverse/quarkus-cxf/pull/1286
Tests are capable of knowing whether the environment is FIPS, therefore assertions are changed accordingly (whether success or failure is expected)
There is a problem with the execution in native in FIPS! non-FIPS: JVM and native work. FIPS: JVM works, native fails. I'm investigating it now.
I created this draft to see the CI results.