From 33ff9ef17e9c85b1460ae8c05bf785fbfa5cc414 Mon Sep 17 00:00:00 2001 From: Marek Posolda Date: Mon, 30 Jan 2023 16:01:57 +0100 Subject: [PATCH] Fix remaining failing tests with BCFIPS approved mode (#16699) * Fix remaining failing tests with BCFIPS approved mode Closes #16698 --- .../common/crypto/CryptoIntegration.java | 6 ++++ .../crypto/fips/test/FIPS1402SslTest.java | 11 ++++++++ .../ConfigurationValidationHelper.java | 15 ++-------- .../java/org/keycloak/utils/StringUtil.java | 26 +++++++++++++++++ .../auth-server/common/fips/kc.java.security | 6 ++-- .../org/keycloak/testsuite/util/KeyUtils.java | 22 +++++++++++++++ .../servlet/SAMLServletAdapterTest.java | 2 +- .../testsuite/admin/ServerInfoTest.java | 8 ++---- .../testsuite/forms/ResetPasswordTest.java | 3 ++ .../keys/GeneratedRsaKeyProviderTest.java | 8 ++++-- .../testsuite/keys/KeyRotationTest.java | 2 +- .../JsonFileImport198MigrationTest.java | 8 ++++++ .../testsuite/saml/AbstractSamlTest.java | 28 +++++++++++++++---- .../tests/base/testsuites/fips-suite | 1 + 14 files changed, 116 insertions(+), 30 deletions(-) diff --git a/common/src/main/java/org/keycloak/common/crypto/CryptoIntegration.java b/common/src/main/java/org/keycloak/common/crypto/CryptoIntegration.java index 436f833d2f4..b9acf96e954 100644 --- a/common/src/main/java/org/keycloak/common/crypto/CryptoIntegration.java +++ b/common/src/main/java/org/keycloak/common/crypto/CryptoIntegration.java @@ -9,6 +9,9 @@ import java.util.stream.Collectors; import java.util.stream.Stream; import java.util.stream.StreamSupport; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManagerFactory; + import org.jboss.logging.Logger; import org.keycloak.common.util.BouncyIntegration; 
@@ -75,6 +78,9 @@ public class CryptoIntegration { StringBuilder builder = new StringBuilder("Security properties: [ \n") .append(" Java security properties file: " + System.getProperty("java.security.properties") + "\n") .append(" Default keystore type: " + KeyStore.getDefaultType() + "\n") + .append(" KeyManagerFactory.getDefaultAlgorithm(): " + KeyManagerFactory.getDefaultAlgorithm() + "\n") + .append(" TrustManagerFactory.getDefaultAlgorithm(): " + TrustManagerFactory.getDefaultAlgorithm() + "\n") + .append(" Default keystore type: " + KeyStore.getDefaultType() + "\n") .append(" keystore.type.compat: " + Security.getProperty("keystore.type.compat") + "\n"); Stream.of("javax.net.ssl.trustStoreType", "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreProvider", "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreProvider") diff --git a/crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402SslTest.java b/crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402SslTest.java index 9f560b07f02..513ba50b67c 100644 --- a/crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402SslTest.java +++ b/crypto/fips1402/src/test/java/org/keycloak/crypto/fips/test/FIPS1402SslTest.java @@ -12,6 +12,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSessionContext; +import javax.net.ssl.TrustManagerFactory; import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.jboss.logging.Logger; 
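Review bot: The added `.append(" Default keystore type: " + KeyStore.getDefaultType() + "\n")` repeats the context line directly above the two new factory-algorithm appends, so the security-properties dump will print the default keystore type twice. Drop the added copy and keep only the `KeyManagerFactory.getDefaultAlgorithm()` and `TrustManagerFactory.getDefaultAlgorithm()` lines. The enclosing method starts and ends outside the hunk.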
@@ -103,6 +104,16 @@ public class FIPS1402SslTest { testSSLContext(keyMgrFact); } + @Test + public void testDefaultTruststore() throws Exception { + String defaultAlg = TrustManagerFactory.getDefaultAlgorithm(); + logger.infof("Default trust manager factory algorithm: %s", defaultAlg); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(defaultAlg); + + // This may fail if default truststore is "pkcs12" and security property "keystore.type.compat" is set to false + trustManagerFactory.init((KeyStore) null); + } + private KeyStore loadKeystore(String type, String password) throws Exception { KeyStore keystore = KeyStore.getInstance(type); InputStream in = FIPS1402SslTest.class.getClassLoader().getResourceAsStream("bcfips-keystore." + type.toLowerCase()); diff --git a/server-spi-private/src/main/java/org/keycloak/provider/ConfigurationValidationHelper.java b/server-spi-private/src/main/java/org/keycloak/provider/ConfigurationValidationHelper.java index 94b20ba7d22..ee9da044327 100644 --- a/server-spi-private/src/main/java/org/keycloak/provider/ConfigurationValidationHelper.java +++ b/server-spi-private/src/main/java/org/keycloak/provider/ConfigurationValidationHelper.java @@ -19,6 +19,7 @@ package org.keycloak.provider; import org.keycloak.component.ComponentModel; import org.keycloak.component.ComponentValidationException; +import org.keycloak.utils.StringUtil; import java.util.List; 
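Review bot: `testDefaultTruststore` passes whenever `trustManagerFactory.init((KeyStore) null)` does not throw, so it does not show that any CA certificates were actually loaded from the default truststore. If the test environment is expected to have a populated cacerts, follow the init call with a check such as `assertTrue(((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).getAcceptedIssuers().length > 0);` (this needs `javax.net.ssl.X509TrustManager` and an assert import that the hunk does not show). The inline comment would also read better as the reason the test exists, e.g. `// Regression check: loading the default truststore fails when its type is "pkcs12" and "keystore.type.compat" is false`.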
@@ -46,18 +47,8 @@ public class ConfigurationValidationHelper { String value = model.getConfig().getFirst(property.getName()); if (value != null && !property.getOptions().contains(value)) { - StringBuilder options = new StringBuilder(); - int i = 1; - for (String o : property.getOptions()) { - if (i == property.getOptions().size()) { - options.append(" or "); - } else if (i > 1) { - options.append(", "); - } - options.append(o); - i++; - } - throw new ComponentValidationException("''{0}'' should be {1}", property.getLabel(), options.toString()); + String options = StringUtil.joinValuesWithLogicalCondition("or", property.getOptions()); + throw new ComponentValidationException("''{0}'' should be {1}", property.getLabel(), options); } return this; diff --git a/server-spi/src/main/java/org/keycloak/utils/StringUtil.java b/server-spi/src/main/java/org/keycloak/utils/StringUtil.java index 054527c07e8..d1d8e39499f 100644 --- a/server-spi/src/main/java/org/keycloak/utils/StringUtil.java +++ b/server-spi/src/main/java/org/keycloak/utils/StringUtil.java @@ -16,6 +16,8 @@ */ package org.keycloak.utils; +import java.util.Collection; + public class StringUtil { public static boolean isBlank(String str) { @@ -26,4 +28,28 @@ public class StringUtil { return str != null && !"".equals(str.trim()); } + /** + * Calling: + *
joinValuesWithLogicalCondition("or", Arrays.asList("foo", "bar", "baz", "caz" ))
+ * will return "foo, bar, baz or caz" + * + * @param conditionText condition + * @param values values to be joined with the condition at the end + * @return see the example above + */ + public static String joinValuesWithLogicalCondition(String conditionText, Collection values) { + StringBuilder options = new StringBuilder(); + int i = 1; + for (String o : values) { + if (i == values.size()) { + options.append(" " + conditionText + " "); + } else if (i > 1) { + options.append(", "); + } + options.append(o); + i++; + } + return options.toString(); + } + } \ No newline at end of file diff --git a/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.java.security b/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.java.security index 9b5b8bfabe3..7b96cb4108b 100644 --- a/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.java.security +++ b/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.java.security @@ -54,6 +54,6 @@ fips.ssl.TrustManagerFactory.algorithm=PKIX # JKS keystore type supports loading only JKS keystore files and the PKCS12 # keystore type supports loading only PKCS12 keystore files. # -# This is set to false as BCFIPS providers don't support JKS -keystore.type.compat=false -fips.keystore.type.compat=false +# This is set to true as when set to false on OpenJDK 17 and PKCS12 is default keystore type, loading of default truststore (from java cacerts) fails. +#keystore.type.compat=false +#fips.keystore.type.compat=false diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KeyUtils.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KeyUtils.java index c451634db33..20c113b7c52 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KeyUtils.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KeyUtils.java 
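Review bot: For a collection with exactly one element `joinValuesWithLogicalCondition` returns the value prefixed by the condition (for example `" or foo"`), because the `i == values.size()` branch is already taken on the first iteration. Now that the loop is a public utility rather than private validation code, guard the separator with `i > 1`: `if (i > 1) { options.append(i == values.size() ? " " + conditionText + " " : ", "); }`. The Javadoc should also say what is returned for an empty or single-value collection and that `values` must not be null.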
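Review bot: The replacement comment says the property "is set to true", but the hunk only comments out `keystore.type.compat=false` and `fips.keystore.type.compat=false`, so the effective value is whatever the JDK's own `java.security` file supplies. If compat mode is required for the default truststore to load, state it explicitly with `keystore.type.compat=true` and `fips.keystore.type.compat=true`, or reword the comment to say the JDK default is relied on. It is also worth noting in the comment that the FIPS testsuite then runs with JKS/PKCS12 dual-format loading enabled, which is less strict than the previous setting.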
@@ -15,6 +15,9 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Base64; +import java.util.List; + +import static org.junit.Assert.fail; /** * @author mhajas @@ -59,4 +62,23 @@ public class KeyUtils { throw new RuntimeException("Active key not found"); } + /** + * @return key sizes, which are expected to be supported by Keycloak server for {@link org.keycloak.keys.GeneratedRsaKeyProviderFactory} and {@link org.keycloak.keys.GeneratedRsaEncKeyProviderFactory}. + */ + public static String[] getExpectedSupportedRsaKeySizes() { + String expectedKeySizes = System.getProperty("auth.server.supported.rsa.key.sizes"); + if (expectedKeySizes == null || expectedKeySizes.trim().isEmpty()) { + fail("System property 'auth.server.supported.rsa.key.sizes' should be set"); + } + return expectedKeySizes.split(","); + } + + /** + * @return Lowest key size supported by Keycloak server for {@link org.keycloak.keys.GeneratedRsaKeyProviderFactory}. + * It is usually 1024, but can be 2048 in some environments (typically in FIPS environments) + */ + public static int getLowestSupportedRsaKeySize() { + return Integer.parseInt(getExpectedSupportedRsaKeySizes()[0]); + } + } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java index 7d6781f32ef..448a924423a 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java 
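Review bot: `getLowestSupportedRsaKeySize()` returns the first entry of `auth.server.supported.rsa.key.sizes`, which is the lowest only if the property happens to be listed in ascending order, and `Integer.parseInt` will throw on an entry with surrounding whitespace such as `"1024, 2048"`. Either document the ordering requirement in the Javadoc or compute the minimum, e.g. `return Arrays.stream(getExpectedSupportedRsaKeySizes()).mapToInt(s -> Integer.parseInt(s.trim())).min().getAsInt();` (needs `java.util.Arrays`). The first hunk of this file also adds `import java.util.List;`, which nothing in the visible new code uses.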
@@ -649,7 +649,7 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest { } } - private static final KeyPair NEW_KEY_PAIR = KeyUtils.generateRsaKeyPair(1024); + private static final KeyPair NEW_KEY_PAIR = KeyUtils.generateRsaKeyPair(org.keycloak.testsuite.util.KeyUtils.getLowestSupportedRsaKeySize()); private static final String NEW_KEY_PRIVATE_KEY_PEM = PemUtils.encodeKey(NEW_KEY_PAIR.getPrivate()); private PublicKey createKeys(String priority) throws Exception { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ServerInfoTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ServerInfoTest.java index e52d99f3726..643b9da636f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ServerInfoTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ServerInfoTest.java @@ -29,6 +29,7 @@ import org.keycloak.representations.info.ProviderRepresentation; import org.keycloak.representations.info.ServerInfoRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.Assert; +import org.keycloak.testsuite.util.KeyUtils; import org.keycloak.testsuite.util.KeystoreUtils; import java.util.List; @@ -36,7 +37,6 @@ import java.util.Map; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.fail; /** * @author Stian Thorgersen 
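Review bot: `NEW_KEY_PAIR` is a `static final` field, so `getLowestSupportedRsaKeySize()` now runs during class initialisation; when `auth.server.supported.rsa.key.sizes` is unset, the `fail(...)` in `KeyUtils.getExpectedSupportedRsaKeySizes()` will surface as an `ExceptionInInitializerError` for the whole class rather than as a readable test failure. Consider creating the key pair lazily, in a `@BeforeClass` method or inside `createKeys`, so the missing-property message reaches the test report. A short comment on the field saying why the fully qualified `org.keycloak.testsuite.util.KeyUtils` is needed alongside the other `KeyUtils` would also help readers.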
@@ -67,10 +67,6 @@ public class ServerInfoTest extends AbstractKeycloakTest { assertNotNull(info.getCryptoInfo()); Assert.assertNames(info.getCryptoInfo().getSupportedKeystoreTypes(), KeystoreUtils.getSupportedKeystoreTypes()); - String expectedSupportedRsaKeySizes = System.getProperty("auth.server.supported.rsa.key.sizes"); - if (expectedSupportedRsaKeySizes == null || expectedSupportedRsaKeySizes.trim().isEmpty()) { - fail("Property 'auth.server.supported.rsa.key.sizes' not set"); - } ComponentTypeRepresentation rsaGeneratedProviderInfo = info.getComponentTypes().get(KeyProvider.class.getName()) .stream() .filter(componentType -> GeneratedRsaKeyProviderFactory.ID.equals(componentType.getId())) @@ -79,7 +75,7 @@ public class ServerInfoTest extends AbstractKeycloakTest { .stream() .filter(configProp -> Attributes.KEY_SIZE_KEY.equals(configProp.getName())) .findFirst().orElseThrow(() -> new RuntimeException("Not found provider with ID 'rsa-generated'")); - Assert.assertNames(keySizeRep.getOptions(), expectedSupportedRsaKeySizes.split(",")); + Assert.assertNames(keySizeRep.getOptions(), KeyUtils.getExpectedSupportedRsaKeySizes()); assertEquals(Version.VERSION, info.getSystemInfo().getVersion()); assertNotNull(info.getSystemInfo().getServerTime()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index cf0c8ad7eba..299f0933946 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java 
@@ -55,6 +55,7 @@ import org.keycloak.testsuite.updaters.ClientAttributeUpdater; import org.keycloak.testsuite.util.BrowserTabUtil; import org.keycloak.testsuite.util.GreenMailRule; import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule; +import org.keycloak.testsuite.util.KerberosUtils; import org.keycloak.testsuite.util.MailUtils; import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.RealmBuilder; @@ -1094,6 +1095,8 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { // KEYCLOAK-15239 @Test public void resetPasswordWithSpnegoEnabled() throws IOException, MessagingException { + KerberosUtils.assumeKerberosSupportExpected(); + // Just switch SPNEGO authenticator requirement to alternative. No real usage of SPNEGO needed for this test AuthenticationExecutionModel.Requirement origRequirement = AbstractKerberosTest.updateKerberosAuthExecutionRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE, testRealm()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedRsaKeyProviderTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedRsaKeyProviderTest.java index af21b69341a..3eefd801a94 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedRsaKeyProviderTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedRsaKeyProviderTest.java @@ -36,9 +36,12 @@ import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.util.KeyUtils; +import org.keycloak.utils.StringUtil; import javax.ws.rs.core.Response; import java.security.interfaces.RSAPublicKey; +import java.util.Arrays; import java.util.List; import static org.junit.Assert.*; 
@@ -226,7 +229,7 @@ public class GeneratedRsaKeyProviderTest extends AbstractKeycloakTest { } @Test - public void invalidKeysizeForEnd() throws Exception { + public void invalidKeysizeForEnc() throws Exception { invalidKeysize(GeneratedRsaEncKeyProviderFactory.ID); } @@ -235,7 +238,8 @@ public class GeneratedRsaKeyProviderTest extends AbstractKeycloakTest { rep.getConfig().putSingle("keySize", "1234"); Response response = adminClient.realm("test").components().add(rep); - assertErrror(response, "'Key size' should be 1024, 2048 or 4096"); + String expectedKeySizesDisplay = StringUtil.joinValuesWithLogicalCondition("or", Arrays.asList(KeyUtils.getExpectedSupportedRsaKeySizes())); + assertErrror(response, "'Key size' should be " + expectedKeySizesDisplay); } protected void assertErrror(Response response, String error) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java index 47cf678af7a..d5247736173 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java @@ -268,7 +268,7 @@ public class KeyRotationTest extends AbstractKeycloakTest { } private Map createKeys(String priority) throws Exception { - KeyPair keyPair = KeyUtils.generateRsaKeyPair(1024); + KeyPair keyPair = KeyUtils.generateRsaKeyPair(org.keycloak.testsuite.util.KeyUtils.getLowestSupportedRsaKeySize()); String privateKeyPem = PemUtils.encodeKey(keyPair.getPrivate()); PublicKey publicKey = keyPair.getPublic(); 
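Review bot: In `invalidKeysize` the expected message is now produced by `StringUtil.joinValuesWithLogicalCondition`, the same helper the server uses to build the validation error, so this assertion can no longer catch a formatting regression in that helper. A small direct test of the helper with literal expectations (for example that `"1024"`, `"2048"`, `"4096"` joins to `"1024, 2048 or 4096"`) would restore that coverage. A comment here such as `// Expected sizes differ per environment (e.g. FIPS), so the list is taken from the system property` would explain why the literal was removed.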
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/JsonFileImport198MigrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/JsonFileImport198MigrationTest.java index a7711b5d6f1..9f775d0c46d 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/JsonFileImport198MigrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/JsonFileImport198MigrationTest.java @@ -16,9 +16,11 @@ */ package org.keycloak.testsuite.migration; +import org.junit.BeforeClass; import org.junit.Test; import org.keycloak.exportimport.util.ImportUtils; import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.testsuite.util.KerberosUtils; import org.keycloak.testsuite.utils.io.IOUtil; import org.keycloak.util.JsonSerialization; @@ -34,6 +36,12 @@ import java.util.Map; */ public class JsonFileImport198MigrationTest extends AbstractJsonFileImportMigrationTest { + @BeforeClass + public static void checkKerberosSupportedByAuthServer() { + // Requires 'KERBEROS' feature on the server, due some kerberos provider present in the JSON + KerberosUtils.assumeKerberosSupportExpected(); + } + @Override public void addTestRealms(List testRealms) { Map reps = null; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java index 3e1aac720ab..37b1bd96e34 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java 
@@ -88,11 +88,29 @@ public abstract class AbstractSamlTest extends AbstractAuthTest { } - // Set date to past; then: openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 1 -nodes -subj '/CN=http:\/\/localhost:8080\/sales-post-sig\/' - public static final String SAML_CLIENT_SALES_POST_SIG_EXPIRED_PRIVATE_KEY = "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMrGzRp3HVf6Ti75rl5mPAPXua8APCCLANikzOd82VI0R8Ml0UAchkfRUBvBedobJIn9r8wwxMeXLmKsMynW52SYeC/Zx5b5K6ayMS3GWJIgqLpp/n1piUeI4sbJXlUj9UtW+QTpGhrHt9n7s7znwoNqGDUkjmyZiekEspjdfzzlAgMBAAECgYBJvPFo5lftXkCAJJucCGFapGAJm3RCAUpVfdhldakxk4FlHaNyRO0vwJX5AeplvekTpQUAo9trGTbs+uHAHT4XWOnwhHHyBRkWdiwXX9bzNdHnIwf/0SLIBBYUk0hoWEDvpklBPqllM215a0sEnB2ykYSsMDBSkFB7Ah+RK7zTAQJBAOw9v7SsfIhOXci9vnkQPuQpL8T4kwj7nWi+YtRGrXbF/bJGwjsgXN5i7otwBV/W+TNzI5H7s2opPUXdIxfP9C0CQQDbvIcxXjwjO1hjXXY4axiT1sxU8Oq1bds033atMoN9pib7IxkWh6ouOQZT8bxwQ2ElH0rswZ0/2CusrIUIekaZAkEAk9UUSQiDKXz4vSzXq8SZxodriDQRNtbVqv0wtSvBUwkU9+HFm+BlnRiFtCYWhuHsseCESs8ad/10hWqbkkQkxQJAZOvN2+rADB5xlhGS/o6RlzUMW+bapcFy8HHB/AI7SjZJqQaRuztL+jbOpTddqOIJeBdLPjoekvgh9wi1gRNH4QJBAMjfB1xYxmztfbUcUuOsATz3s7StprOAukd+hhBiMukxcKhi1IQp7tFhfFe/+xUY3fSh1a3KlyItFKxp68EdDRk="; - public static final String SAML_CLIENT_SALES_POST_SIG_EXPIRED_PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKxs0adx1X+k4u+a5eZjwD17mvADwgiwDYpMznfNlSNEfDJdFAHIZH0VAbwXnaGySJ/a/MMMTHly5irDMp1udkmHgv2ceW+SumsjEtxliSIKi6af59aYlHiOLGyV5VI/VLVvkE6Roax7fZ+7O858KDahg1JI5smYnpBLKY3X885QIDAQAB"; - public static final String SAML_CLIENT_SALES_POST_SIG_EXPIRED_CERTIFICATE = "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"; - + // Set date to past (For example with "faketime" utility); then: openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 1 -nodes -subj '/CN=http:\/\/localhost:8080\/sales-post-sig\/' + public static final String SAML_CLIENT_SALES_POST_SIG_EXPIRED_PRIVATE_KEY = "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"; + public static final String 
SAML_CLIENT_SALES_POST_SIG_EXPIRED_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3SMEGYw330CS++XP0KqoFz2UezUxZAhkLv5C93hf5FPGw9QpPmimpGcsN8RCy4DDYOGrbuJLd8GkoBCkmp7xTqQMx/nrUvzDCAWAUSnxnBVgCsq9KbpI5sdacOHd0oEI9pQdRQ71Rj+tipeIt+Fy8S17bkpGBYjQk3xdusMX8E9LR04ksp0C9o2mvX+U0QCrF8HqVCCO9gMJJNOGaot7a3+QaTWnNrPguhMuHgJ6LlsyOUYNFQw5rdxs8Vz2mOsIGvWn1Em/c+KCcMltTIhOhDY3zW3ZrFL3Vwq4kTQ74ju9Qp1qyyQOOJmig6LLm31LQvQHPQWkY7rRcp9VBMRPcQIDAQAB"; + public static final String SAML_CLIENT_SALES_POST_SIG_EXPIRED_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n" + + "MIIDQTCCAimgAwIBAgIUT8qwq3DECizGLB2tQAaaNSGAVLgwDQYJKoZIhvcNAQEL\n" + + "BQAwMDEuMCwGA1UEAwwlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qt\n" + + "c2lnLzAeFw0yMzAxMjcxNjAwMDBaFw0yMzAxMjgxNjAwMDBaMDAxLjAsBgNVBAMM\n" + + "JWh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9zYWxlcy1wb3N0LXNpZy8wggEiMA0GCSqG\n" + + "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdIwQZjDffQJL75c/QqqgXPZR7NTFkCGQu\n" + + "/kL3eF/kU8bD1Ck+aKakZyw3xELLgMNg4atu4kt3waSgEKSanvFOpAzH+etS/MMI\n" + + "BYBRKfGcFWAKyr0pukjmx1pw4d3SgQj2lB1FDvVGP62Kl4i34XLxLXtuSkYFiNCT\n" + + "fF26wxfwT0tHTiSynQL2jaa9f5TRAKsXwepUII72Awkk04Zqi3trf5BpNac2s+C6\n" + + "Ey4eAnouWzI5Rg0VDDmt3GzxXPaY6wga9afUSb9z4oJwyW1MiE6ENjfNbdmsUvdX\n" + + "CriRNDviO71CnWrLJA44maKDosubfUtC9Ac9BaRjutFyn1UExE9xAgMBAAGjUzBR\n" + + "MB0GA1UdDgQWBBR4R5i1kWMxzzdQ3TdgI/MuNLChSDAfBgNVHSMEGDAWgBR4R5i1\n" + + "kWMxzzdQ3TdgI/MuNLChSDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA\n" + + "A4IBAQAacI/f9YFVTUCGXfh/FCVBQI20bgOs9D6IpIhN8L5kEnY6Ox5t00b9G5Bz\n" + + "64alK3WMR3DdhTEpufX8IMFpMlme/JnnOQXkfmIvzbev4iIKxcKFvS8qNXav8PVx\n" + + "wDApuzgxEq/XZCtFXhDS3q1jGRmlOr+MtQdCNQuJmxy7kOoFPY+UYjhSXTZVrCyF\n" + + "I0LYJQfcZ69bYXd+5h1U3UsN4ZvsBgnrz/IhhadaCtTZVtvyr/uzHiJpqT99VO9/\n" + + "7lwh2zL8ihPyOUVDjdYxYyCi+BHLRB+udnVAfo7t3fbxMi1gV9xVcYaqTJgSArsY\n" + + "M8mxv8p5mhTa8TJknzs4V3Dm+PHs\n" + + "-----END CERTIFICATE-----"; public static final String SAML_ASSERTION_CONSUMER_URL_SALES_POST_ENC = AUTH_SERVER_SCHEME + "://localhost:" + 
(AUTH_SERVER_SSL_REQUIRED ? AUTH_SERVER_PORT : 8080) + "/sales-post-enc/saml"; public static final String SAML_CLIENT_ID_SALES_POST_ENC = "http://localhost:8280/sales-post-enc/"; public static final String SAML_CLIENT_SALES_POST_ENC_PRIVATE_KEY = "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"; diff --git a/testsuite/integration-arquillian/tests/base/testsuites/fips-suite b/testsuite/integration-arquillian/tests/base/testsuites/fips-suite index 6b4aa8afc02..bce17644bdd 100644 --- a/testsuite/integration-arquillian/tests/base/testsuites/fips-suite +++ b/testsuite/integration-arquillian/tests/base/testsuites/fips-suite @@ -21,3 +21,4 @@ KcSamlEncryptedIdTest KcSamlSignedBrokerTest KcSamlSpDescriptorTest KerberosLdapTest +TrustStoreEmailTest
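Review bot: The regenerated `SAML_CLIENT_SALES_POST_SIG_EXPIRED_*` constants embed a private key and certificate in source, and the only comment describes how they were produced. Add a line such as `// Test-only, deliberately expired key pair; must never be used outside the testsuite.` above them, so that readers and anyone triaging a secret-scanner finding have an explicit statement of intent. The hunk also appears to remove the blank line that separated these constants from `SAML_ASSERTION_CONSUMER_URL_SALES_POST_ENC`; keeping it preserves the grouping.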