Posted to commits@camel.apache.org by "JiriOndrusek (via GitHub)" <gi...@apache.org> on 2024/04/05 13:08:21 UTC

[PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

JiriOndrusek opened a new pull request, #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968

   fixes https://github.com/apache/camel-quarkus/issues/5966
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "ppalaga (via GitHub)" <gi...@apache.org>.
ppalaga commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2040472314

   I'd personally vote for not having those certs checked in in git but rather executing the script as a part of Maven build as we do in QCXF
   
   https://github.com/quarkiverse/quarkus-cxf/blob/e7cb0f50eceb03af8adea31c5403dd8b5554e2b7/integration-tests/mtls/pom.xml#L78-L96
   
   In that way, we can stay sure that the script works and it will also keep working 10001 days from now. 




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "zhfeng (via GitHub)" <gi...@apache.org>.
zhfeng commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2042255483

   Can we open a new issue for the certificate generation?




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "JiriOndrusek (via GitHub)" <gi...@apache.org>.
JiriOndrusek commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2041967697

   > I'd personally vote for not having those certs checked in in git but rather executing the script as a part of Maven build as we do in QCXF
   
   Yes, I agree. There is a small hiccup: several modules extend the `common` module, therefore the code for generation has to be present several times. I'd like to think about a nicer solution so as not to duplicate code. Therefore I created an issue to improve this thing - https://github.com/apache/camel-quarkus/issues/5967 - and I forgot to link those issues together. @ppalaga @jamesnetherton should I apply the generation (with duplicated code), or is it ok to wait for the improvement?
   




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "zhfeng (via GitHub)" <gi...@apache.org>.
zhfeng merged PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "jamesnetherton (via GitHub)" <gi...@apache.org>.
jamesnetherton commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2041986041

   > @ppalaga @jamesnetherton should I apply the generation (with duplicated code), or is it ok to wait for the improvement?
   
   I have no strong opinion about it. But at some point we should probably discuss our strategy for certificate generation. IMO we should try to make it uniform across the entire project and have it so we can override things like the CN, validity period etc.




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "jamesnetherton (via GitHub)" <gi...@apache.org>.
jamesnetherton commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2040496665

   > executing the script as a part of Maven build
   
   How would that work on Windows?




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "jamesnetherton (via GitHub)" <gi...@apache.org>.
jamesnetherton commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2040997036

   > Is that a satisfactory answer?
   
   Yes it probably uses WSL, which anyone can install.




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "JiriOndrusek (via GitHub)" <gi...@apache.org>.
JiriOndrusek commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2039800154

   I added *.pkcs12 and *.ext to the ignored files for the license check.




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "aldettinger (via GitHub)" <gi...@apache.org>.
aldettinger commented on code in PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#discussion_r1554022773


##########
integration-test-groups/http/common/generate-certs.sh:
##########
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 -key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys
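Review bot: the CA certificate is created twice from the same key, once as `ca.pem` (with `-extensions v3_req`) and once as `ca.crt` (without), so the two files are two distinct self-signed certificates with different serial numbers and extensions; whichever one is later placed in the truststore has to be the one that signs the `localhost` certificate, otherwise verification only succeeds because the public key happens to match. Generate the CA once and derive the second file from it (`openssl x509 -in ca.pem -out ca.crt`) if both names are really needed. On the same lines, `-nodes` in the first `openssl req -x509` call is a no-op because `ca.key` from `openssl genrsa` is already unencrypted, and `-extensions v3_req` picks whatever `v3_req` section the host's `openssl.cnf` defines (the stock OpenSSL config sets `basicConstraints = CA:FALSE` there), so state the CA extensions explicitly (`basicConstraints=critical,CA:TRUE`, `keyUsage=keyCertSign`) rather than relying on the system config. Finally, `set -x` echoes every command into the Maven build log; if any later step passes a store password on the command line, wrap it in `set +x`/`set -x` so the value is not logged.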

Review Comment:
   So actor = localhost ? What's the purpose of the loop then ?





Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "ppalaga (via GitHub)" <gi...@apache.org>.
ppalaga commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2040521385

   > > executing the script as a part of Maven build
   > 
   > How would that work on Windows?
   
   It works flawlessly on GH Actions Windows hosts when the shell is set to bash and openssl is installed (no idea how to install it; it's there OOtB on GHA Windows runners). The same works locally for sure. Is that a satisfactory answer?




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "ppalaga (via GitHub)" <gi...@apache.org>.
ppalaga commented on code in PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#discussion_r1554166062


##########
integration-test-groups/http/common/generate-certs.sh:
##########
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 -key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys

Review Comment:
   It is copied from a place where there were more actors. The loop could be removed, but OTOH, maybe we'll want to test mTLS one day?





Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "JiriOndrusek (via GitHub)" <gi...@apache.org>.
JiriOndrusek commented on code in PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#discussion_r1555287600


##########
integration-test-groups/http/common/generate-certs.sh:
##########
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 -key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys

Review Comment:
   Exactly, I copied the code from cxf and it looked better to keep the loop in case we need to add generation of more certificates.





Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "JiriOndrusek (via GitHub)" <gi...@apache.org>.
JiriOndrusek commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2041971720

   TBH I even thought about placing the generation script in one place in the QC repository and using it from several modules (in theory that should work and would be nicer in my POV), to not have copies of the generation script in several modules.




Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "aldettinger (via GitHub)" <gi...@apache.org>.
aldettinger commented on code in PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#discussion_r1555376527


##########
integration-test-groups/http/common/generate-certs.sh:
##########
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 -key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys

Review Comment:
   ok, plus one day, this kind of script might be used for other extensions and we would like to keep it generic.





Re: [PR] Http: use FIPS compliant keystore and truststore [camel-quarkus]

Posted by "JiriOndrusek (via GitHub)" <gi...@apache.org>.
JiriOndrusek commented on PR #5968:
URL: https://github.com/apache/camel-quarkus/pull/5968#issuecomment-2042384340

   > Can we open a new issue for the certificate generation?
   
   I already created the issue (a few days ago) - https://github.com/apache/camel-quarkus/issues/5967
   So I think that we can merge this PR and I'll continue using the new ticket.

