From d043f96b60c7fc92a204b6482cfc014457c93f04 Mon Sep 17 00:00:00 2001
From: Luis Benthin Sanguino
Date: Wed, 1 Jul 2020 17:37:45 +0200
Subject: [PATCH] TLS Ciphers Config (#45)

* feat: added recommended ciphers. TLSv1.3 ciphers are not being added yet
* feat: add support for TLSv1.3
* feat: add env variables for TLS ciphers
* fix: add env variable for keystore
* fix: add SSL contexts
* Update ci-master.yml
* fix: remove creation of keystores dir
* fix: removed commented code

Co-authored-by: Julien Hagestedt
Co-authored-by: ascheibal
---
 Dockerfile | 2 ++
 README.md | 2 +-
 src/opt/jboss/tools/cli/x509-keystore.cli | 11 +++++++
 .../keystores/test-only-https-keystore.jks | Bin 0 -> 2691 bytes
 .../configuration/standalone-ha.xml | 31 +++++++++++++-----
 5 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 src/opt/jboss/tools/cli/x509-keystore.cli
 create mode 100644 src/standalone/configuration/keystores/test-only-https-keystore.jks

diff --git a/Dockerfile b/Dockerfile
index 2da2d61..3b95cc6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,8 @@ RUN cp -r /opt/jboss/keycloak/themes/base/* /opt/jboss/keycloak/themes/cwa/
 RUN cp -r ${WORK_DIR}/src/themes/cwa/login /opt/jboss/keycloak/themes/cwa/
 RUN cp -r ${WORK_DIR}/src/themes/cwa/account /opt/jboss/keycloak/themes/cwa/
 RUN cp ${WORK_DIR}/src/standalone/configuration/standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/
+RUN cp ${WORK_DIR}/src/standalone/configuration/keystores/test-only-https-keystore.jks /opt/jboss/keycloak/standalone/configuration/
+RUN cp ${WORK_DIR}/src/opt/jboss/tools/cli/x509-keystore.cli /opt/jboss/tools/cli/
 EXPOSE 8080
 EXPOSE 8443
diff --git a/README.md b/README.md
index 7fb0068..9b5b652 100644
--- a/README.md
+++ b/README.md
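Review bot: The first added `RUN cp` line bakes `test-only-https-keystore.jks` into `/opt/jboss/keycloak/standalone/configuration/` of every image built from this Dockerfile, and because that keystore is committed to the repository its private key has to be treated as public. The README hunk that follows drops the `SSL_KEY_STORE` and `SSL_KEY_STORE_PASSWORD` variables from the example `docker run`, which suggests the image now serves TLS with that keystore whenever nothing else is configured, so a deployment that forgets to override it would run with a known key. I would copy the file somewhere outside the configuration directory and let the startup logic install it only on an explicit opt-in, or at minimum mark the risk next to the copy: `# test-only keystore: its private key is in the repo; production must supply its own keystore via x509-keystore.cli`. The `standalone-ha.xml` hunks on this page appear to point the listeners at `cwa-ssl-context-test`, but their XML is mostly stripped here, so I cannot confirm how the default context is wired.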
@@ -40,7 +40,7 @@ In the world of the Corona Warn App the Verification Identity and Access Managem
 So be sure to have [docker](https://docker.com) installed on your machine.
 ````bash
 docker build --pull --rm -f "Dockerfile" -t cwa-verification-iam "."
-docker run -p "8080:8080" -p "8443:8443" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e SSL_KEY_STORE=/opt/jboss/keycloak/standalone/configuration/ONLY_FOR_TEST_keystore.jks -e SSL_KEY_STORE_PASSWORD=secret cwa-verification-iam
+docker run -p "8080:8080" -p "8443:8443" -p "7443:7443" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin cwa-verification-iam
 ````
 After that you will have run a Keykloak IAM Solution on you machine. The landing page of the Keykloak system will provide you with further information on how to setup the system and add new users. For a detailed view on all the features please refer to the manual pages, also linked on the landing page.
diff --git a/src/opt/jboss/tools/cli/x509-keystore.cli b/src/opt/jboss/tools/cli/x509-keystore.cli
new file mode 100644
index 0000000..cac075d
--- /dev/null
+++ b/src/opt/jboss/tools/cli/x509-keystore.cli
@@ -0,0 +1,11 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=cwa-keystore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/key-manager=cwa-key-manager:add(key-store=cwa-keystore,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/server-ssl-context=cwa-ssl-context:add(key-manager=cwa-key-manager,protocols=["TLSv1.2","TLSv1.3"],cipher-suite-names="${env.TLSv1_3_CIPHERS:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256}",cipher-suite-filter="${env.TLSv1_2_CIPHERS:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}")
+batch
+/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=cwa-ssl-context)
+/subsystem=undertow/server=default-server/https-listener=https-admin:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https-admin:write-attribute(name=ssl-context,value=cwa-ssl-context)
+run-batch
+stop-embedded-server
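Review bot: Both `credential-reference={clear-text=$keycloak_tls_keystore_password}` attributes on the `key-store` and `key-manager` lines persist the keystore password in clear text into the server configuration that `embed-server` writes back, so anyone who can read the resulting `standalone-ha.xml` or an image layer containing it obtains the key password along with the key. Elytron can resolve the password from a credential store instead (`credential-reference={store=<store-name>,alias=<alias>}`), which keeps the secret out of the XML; if that is out of scope for this change, the limitation should at least be stated in a header comment. The script also relies on `$configuration_file`, `$keycloak_tls_keystore_file` and `$keycloak_tls_keystore_password` without defining them, presumably set by the invoking shell, and a comment naming them and their expected form would help the next reader. One smaller point on the `server-ssl-context` line: the default `TLSv1_2_CIPHERS` filter includes the four `TLS_DHE_DSS_*` suites, which can only be negotiated with a DSA certificate and will never match an RSA or ECDSA key in this keystore, so dropping them keeps the published default honest.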
diff --git a/src/standalone/configuration/keystores/test-only-https-keystore.jks b/src/standalone/configuration/keystores/test-only-https-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..6a2b794d9462697124b2af92816c153826653dad GIT binary patch literal 2691 zcmY+Ec{~(~7RP7C%wUjhEF)pa))B zWe*n>l_iPn+hC?F&wHQu?)|(!&gXp2_jk_u^NS(D!a+bL3<-vZvR;TWh&kW@G6TsZ zm@JqClRU*p3<(nbe-R`AOoI5HVz1M>3uXK76*~+FB9p+sFeLB+MivVDA3lA477VvH zDnU2BXpa3f*+YmNzN5pNEVyTv3!(_s; zqu@^B$3jlP3cVG^e;qMdA7V06*RN*r?h0K`pl;#8Q$sO+vqQ3?)nsDdk{lQ>`2v1M zboHg{2O){ZdFBbwbD^qh+TzIj?*pV$$`1G>7b7jD2xg03xm*2$)XK149Tp+&4a=Rx z+b2Rzqs?JxE^hll*_R`06}##WCRd*N*W!@S=3OneF+(9mcuRZ)T zQKfvHyv170uWXdq-oVmtso#=>ZL)U4w!Ahwr?UALF0&Eg`qk6a&am?Gtm6`^EQ~vc zGw6-Idf0^%d&%i^o!>1V=aj-8tE$R2+2=F9HN2}2nLgiY^wI#{4`cNewe&rV$(n zP*6H3)SG%i=%(D6;B&99HjU7Aa<#*iWG>3>CYtrvYZ`|-WeD8wY2Rt5ZU-+-Z{!M9 zG!vEZCMnWuI=^oYj?IhNg>Odb>!JH!O0Z+70yQg#Et0G_w z$G}Ug`IZoZ6?mM`WHJ~z#WxrvpfNUiFjp(A8eL%2`3W@q`H}Yx=JWgYC9ABoy7@`) zE%)3B2BxYGe2ABGknWDH47b*CnU%3B-^F-7RbMFfs4-c(!{W^7{ne&z{(O*S$}IgV zy8ZrJe+g8e$+6dOpGmli;np!|$lMq1I8;>pVZWa?Uj^!UpQnC*$Nn9$1Y^T1q8*48{~E)xb3N6rj(7r}`yTS6ekupiw^`44YbDXT*&Z|0s2SU|!erO$XqH^(Gn%z;*UK%7~bK;3aiuDkcg6gkN z-PdhFhd4lLMJBxKw@*w5Ta{Vmw>4^yoS3ZA&BnTwj41=IPfF+~ljuH0g8@5sw&;|{ zgC4=~s6v(rb6k_?1BZxg)WiH9&o-_xz6y9-;)>%`*F*~|yFvEnFidRa$T(2&X_4Ri zcCDWZNaW3!MAdrnTloausx;HD3Os-p@prs>d6Quso}*U{%R6LDTRQ`ZHsUcR>Ka9Qx-n$+P;gIGAMK}Yv{nRB+Iha2sO zq8&!%Z&k9w6)%X$0Gt7V00ICF2mrVMd;#tN*VA%7CHGIeH^A#OaX+2zVUYhE@+rc> zJXY@aT*MTys*0*OoQe_-uYx@lYuevS%+OQUMxUYx5D;+MLjFmB|7Tz5zwJwyWkB(N z`O&rRZmc?pq+~jFIu8EFzC;rE%30-w7ZLtEqr%c2oj=~1#uq$dvWesFR5mN18F0J! zO^f((OoBYHwLJu4?*YS=<5K;3rbh$NRwpZYav;Cl(0pEZ-aMePO3LYAiFiyQYAo}A zQtEd^&Mf3?hKs<{rL(NXkC0{K}YrAn-_hfU8=yc%^p|6i)O(bkz)chpGD2t^elBA6SUM}J3Iapm@i$N zo~&>G!41;pG4G>9%?qB%!29~<$J{l^G~f}lh9b7kDz>Ek_L5pN3fCpvfpg6? 
zNHKzAoQ0^Wa3OZ z36p_R)R^^TU6GzMZv2efqrsd*O1}nrv-W6PtIk4oj@6ndDLL(hX&<=Zo9h(O*JH<{ng`3stu~_v8JK}VzK;7tTI8G@@DxAXJ>*T`U5Q4#jvG7D86}Su$9T?F3RtB$3C{|-UjoTD z^o~XWfGBek+xW_ok8sCMDbTLg;_%7m^gAg_f5GrP3gg!^vM)X?-s7BB{z4M%ZbXlA zV;E_I(+s_#8;^{<$bS3|hj!Z18cie1ftfLyMEfv>WAB^0F~n!k47HEQ@Fho+tfkeD zsrKdEOK%~41hj0}I_bn%>hU2GfwYf|GIcIaN!M@RKJ@vWTiJQ%g?h|HMaY+!Ho`BqP zIalb^N#&!@-ur6ns~OQ&W0AhhKNH0*0`6bU<**YL-7mfxK=)_-wEh+;sRn#-qku+@ zO=hFcOPfGViGe||nTybdv}a$FSNE}{Z=d!1mn*_fxDdzPoR2y1m8ah7vJN@I3bE z()&975Srz6@14bHNGKELG6soZg+fqgm_R}h02sboO|G-HH1K;(wF$U1*H+b}>c|X+ dquJFCIIh4)qr~~u)F?^8k#JNnhzS@&{uh#L-bDZa literal 0 HcmV?d00001 diff --git a/src/standalone/configuration/standalone-ha.xml b/src/standalone/configuration/standalone-ha.xml index 338d659..4239db7 100644 --- a/src/standalone/configuration/standalone-ha.xml +++ b/src/standalone/configuration/standalone-ha.xml @@ -43,12 +43,6 @@ - - - - - @@ -249,6 +243,25 @@ + + + + + + + + + + + + + + + + + @@ -670,12 +683,14 @@ proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/> + enable-http2="true" + ssl-context="cwa-ssl-context-test"/> + enable-http2="true" + ssl-context="cwa-ssl-context-test"/>