Http: use FIPS complaiant keystore and truststore

integration-test-groups/http/README.adoc

@@ -1,5 +1,7 @@
 == Certificate for HTTPS
 
-Server keystore has to contain server certificate. It is possible to use self-signed certificate created by following command:
+Server keystore has to contain server certificate.
 
-`keytool -genkeypair -keystore keystore.p12 -storetype PKCS12 -storepass changeit -alias localhost -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=localhost"'
+=== How to generate new keystore and truststore
+
+Delete folder `common/src/main/resources/jsse` and run the script `common/generate-certs.sh` to generate new keystore and truststore.

integration-test-groups/http/common/generate-certs.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 -key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys
+  openssl genrsa -out "$workDir/$actor.key" $keySize
+
+  # Generate certificates
+  openssl req -new -subj "/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=$actor" -key "$workDir/$actor.key"  -out "$workDir/$actor.csr"
+  openssl x509 -req -in "$workDir/$actor.csr" -extfile "$extFile" -CA "$workDir/ca.pem" -CAkey "$workDir/ca.key" -CAcreateserial -days $days -out "$workDir/$actor.crt"
+
+  # Export keystores
+  openssl pkcs12 -export -in "$workDir/$actor.crt" -inkey "$workDir/$actor.key" -certfile "$workDir/ca.crt" -name "$actor" -out "$destinationDir/$actor-keystore.pkcs12" -passout pass:"${actor}-keystore-password" -keypbe "$encryptionAlgo" -certpbe "$encryptionAlgo"
+done
+
+
+# Truststore
+"$keytool" -import -file "$workDir/localhost.crt" -alias localhost -noprompt -keystore "$destinationDir/client-truststore.pkcs12" -storepass "client-truststore-password"
+"$keytool" -import -file "$workDir/ca.crt"     -alias ca     -noprompt -keystore "$destinationDir/client-truststore.pkcs12" -storepass "client-truststore-password"

integration-test-groups/http/common/src/main/java/org/apache/camel/quarkus/component/http/common/CommonProducers.java

@@ -27,20 +27,20 @@ public class CommonProducers {
     @Named
     public SSLContextParameters sslContextParameters() {
         KeyStoreParameters keystoreParameters = new KeyStoreParameters();
-        keystoreParameters.setResource("/jsse/keystore.p12");
-        keystoreParameters.setPassword("changeit");
+        keystoreParameters.setResource("/jsse/localhost-keystore.pkcs12");
+        keystoreParameters.setPassword("localhost-keystore-password");
 
         KeyStoreParameters truststoreParameters = new KeyStoreParameters();
-        truststoreParameters.setResource("/jsse/truststore.jks");
-        truststoreParameters.setPassword("changeit");
+        truststoreParameters.setResource("/jsse/client-truststore.pkcs12");
+        truststoreParameters.setPassword("client-truststore-password");
 
         TrustManagersParameters trustManagersParameters = new TrustManagersParameters();
         trustManagersParameters.setKeyStore(truststoreParameters);
         SSLContextParameters sslContextParameters = new SSLContextParameters();
         sslContextParameters.setTrustManagers(trustManagersParameters);
 
         KeyManagersParameters keyManagersParameters = new KeyManagersParameters();
-        keyManagersParameters.setKeyPassword("changeit");
+        keyManagersParameters.setKeyPassword("localhost-keystore-password");
         keyManagersParameters.setKeyStore(keystoreParameters);
         sslContextParameters.setKeyManagers(keyManagersParameters);
 

integration-test-groups/http/common/src/main/resources/application.properties

@@ -31,7 +31,7 @@ quarkus.security.users.embedded.roles.admin=admin
 quarkus.security.users.embedded.roles.noadmin=user
 
 quarkus.http.insecure-requests=enabled
-quarkus.http.ssl.certificate.key-store-file=jsse/keystore.p12
-quarkus.http.ssl.certificate.key-store-password=changeit
+quarkus.http.ssl.certificate.key-store-file=jsse/localhost-keystore.pkcs12
+quarkus.http.ssl.certificate.key-store-password=localhost-keystore-password
 quarkus.resteasy.gzip.enabled=true
 

integration-test-groups/http/common/v3.ext

@@ -0,0 +1,3 @@
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment