PR for FIPS implemenation (#351)

* Part 1 of FIPS Compliance

* MQ Web Server FIPSs changes

* Remove function param

* Updates to FIPS MQ WebServer

* Fix build error

* Merge latest code from private-master

* Rename fips variable

* Fix build break

* Fix build break

* Fix build break

* Add new docker tests

* First cut of fips metrics

* First cut of fips metrics

* Second part of metrics fips

* Second part of metrics fips

* Added NativeHA FIPS

* Updated test

* Add Native HA tests

* Optimze FIPS handling

* Update comments

* Apply changes from private-master

* Undo metrics changes

* Merge latest changes

* Pull in changes from master

* Update copyright year

* Resolve merge conflicts

internal/fips/fips.go

@@ -0,0 +1,78 @@
+/*
+© Copyright IBM Corporation 2022
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package fips
+
+import (
+	"os"
+	"strings"
+
+	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/pkg/logger"
+)
+
+var (
+	FIPSEnabledType int
+)
+
+// FIPS has been turned off either because OS is not FIPS enabled or
+// MQ_ENABLE_FIPS environment variable is set to "false"
+const FIPS_ENABLED_OFF = 0
+
+// FIPS is turned ON
+const FIPS_ENABLED_ON = 1
+
+// FIPS enabled at operating system level
+const FIPS_ENABLED_PLATFORM = 1
+
+// FIPS enabled via environment variable
+const FIPS_ENABLED_ENV_VAR = 2
+
+// Get FIPS enabled type.
+func ProcessFIPSType(logs *logger.Logger) {
+	// Run "sysctl crypto.fips_enabled" command to determine if FIPS has been enabled
+	// on OS.
+	FIPSEnabledType = FIPS_ENABLED_OFF
+	out, _, err := command.Run("sysctl", "crypto.fips_enabled")
+	if err == nil {
+		// Check the output of the command for expected output
+		if strings.Contains(out, "crypto.fips_enabled = 1") {
+			FIPSEnabledType = FIPS_ENABLED_PLATFORM
+		}
+	}
+
+	// Check if we have been asked to override FIPS cryptography
+	fipsOverride, fipsOverrideSet := os.LookupEnv("MQ_ENABLE_FIPS")
+	if fipsOverrideSet {
+		if strings.EqualFold(fipsOverride, "false") || strings.EqualFold(fipsOverride, "0") {
+			FIPSEnabledType = FIPS_ENABLED_OFF
+		} else if strings.EqualFold(fipsOverride, "true") || strings.EqualFold(fipsOverride, "1") {
+			// This is the case where OS is not FIPS compliant but we have been asked to run MQ
+			// queue manager, web server in FIPS mode. This case can be used when running docker tests.
+			FIPSEnabledType = FIPS_ENABLED_ENV_VAR
+		} else if strings.EqualFold(fipsOverride, "auto") {
+			// This is the default case. Leave it to the OS default as determine above
+		} else {
+			// We don't recognise the value specified. Log a warning and carry on.
+			if logs != nil {
+				logs.Printf("Invalid value '%s' was specified for MQ_ENABLE_FIPS. The value has been ignored.\n", fipsOverride)
+			}
+		}
+	}
+}
+
+func IsFIPSEnabled() bool {
+	return FIPSEnabledType > FIPS_ENABLED_OFF
+}

internal/fips/fips_test.go

@@ -0,0 +1,65 @@
+/*
+© Copyright IBM Corporation 2022
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package keystore contains code to create and update keystores
+package fips
+
+import (
+	"fmt"
+	"os"
+	"testing"
+)
+
+func TestEnableFIPSAuto(t *testing.T) {
+	ProcessFIPSType(nil)
+	// Test default "auto"
+	fipsType := IsFIPSEnabled()
+	if fipsType {
+		t.Errorf("Expected FIPS OFF but got %v\n", fipsType)
+	}
+}
+
+func TestEnableFIPSTrue(t *testing.T) {
+	// Test MQ_ENABLE_FIPS=true
+	os.Setenv("MQ_ENABLE_FIPS", "true")
+	fmt.Println(os.Getenv("MQ_ENABLE_FIPS"))
+	ProcessFIPSType(nil)
+	fipsType := IsFIPSEnabled()
+	if !fipsType {
+		t.Errorf("Expected FIPS ON but got %v\n", fipsType)
+	}
+}
+
+func TestEnableFIPSFalse(t *testing.T) {
+	// Test MQ_ENABLE_FIPS=false
+	os.Setenv("MQ_ENABLE_FIPS", "false")
+	ProcessFIPSType(nil)
+	fipsType := IsFIPSEnabled()
+	if fipsType {
+		t.Errorf("Expected FIPS OFF but got %v\n", fipsType)
+	}
+
+}
+
+func TestEnableFIPSInvalid(t *testing.T) {
+	// Test MQ_ENABLE_FIPS with invalid value
+	os.Setenv("MQ_ENABLE_FIPS", "falseOff")
+	ProcessFIPSType(nil)
+	fipsType := IsFIPSEnabled()
+	if fipsType {
+		t.Errorf("Expected FIPS OFF but got %v\n", fipsType)
+	}
+}

internal/ha/ha.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2020, 2021
+© Copyright IBM Corporation 2020, 2022
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ package ha
 import (
 	"os"
 
+	"github.com/ibm-messaging/mq-container/internal/fips"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
@@ -57,6 +58,13 @@ func ConfigureNativeHA(log *logger.Logger) error {
 		if ok {
 			templateMap["CipherSpec"] = cipherSpec
 		}
+
+		// If FIPS is enabled, then set SSLFipsRequired to Yes
+		if fips.IsFIPSEnabled() {
+			templateMap["SSLFipsRequired"] = "Yes"
+		} else {
+			templateMap["SSLFipsRequired"] = "No"
+		}
 	}
 
 	err := mqtemplate.ProcessTemplateFile(templateFile, file, templateMap, log)

internal/keystore/keystore.go

@@ -26,6 +26,7 @@ import (
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/fips"
 )
 
 // KeyStore describes information about a keystore file
@@ -34,36 +35,46 @@ type KeyStore struct {
 	Password     string
 	keyStoreType string
 	command      string
+	fipsEnabled  bool
 }
 
 // NewJKSKeyStore creates a new Java Key Store, managed by the runmqckm command
 func NewJKSKeyStore(filename, password string) *KeyStore {
-	return &KeyStore{
+	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
 		keyStoreType: "jks",
 		command:      "/opt/mqm/bin/runmqckm",
+		fipsEnabled:  fips.IsFIPSEnabled(),
 	}
+
+	return keyStore
 }
 
 // NewCMSKeyStore creates a new MQ CMS Key Store, managed by the runmqakm command
 func NewCMSKeyStore(filename, password string) *KeyStore {
-	return &KeyStore{
+	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
 		keyStoreType: "cms",
 		command:      "/opt/mqm/bin/runmqakm",
+		fipsEnabled:  fips.IsFIPSEnabled(),
 	}
+
+	return keyStore
 }
 
 // NewPKCS12KeyStore creates a new PKCS12 Key Store, managed by the runmqakm command
 func NewPKCS12KeyStore(filename, password string) *KeyStore {
-	return &KeyStore{
+	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
 		keyStoreType: "p12",
 		command:      "/opt/mqm/bin/runmqakm",
+		fipsEnabled:  fips.IsFIPSEnabled(),
 	}
+
+	return keyStore
 }
 
 // Create a key store, if it doesn't already exist
@@ -100,7 +111,7 @@ func (ks *KeyStore) Create() error {
 	}
 
 	// Create the keystore now we're sure it doesn't exist
-	out, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
+	out, _, err := command.Run(ks.command, "-keydb", "-create", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
 	if err != nil {
 		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
 	}
@@ -115,7 +126,7 @@ func (ks *KeyStore) CreateStash() error {
 	_, err := os.Stat(stashFile)
 	if err != nil {
 		if os.IsNotExist(err) {
-			out, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+			out, _, err := command.Run(ks.command, "-keydb", ks.getFipsEnabledFlag(), "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 			if err != nil {
 				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v %s", ks.command, err, out)
 			}
@@ -127,7 +138,7 @@ func (ks *KeyStore) CreateStash() error {
 
 // Import imports a certificate file in the keystore
 func (ks *KeyStore) Import(inputFile, password string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
+	out, _, err := command.Run(ks.command, "-cert", "-import", ks.getFipsEnabledFlag(), "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -import\": %v %s", ks.command, err, out)
 	}
@@ -136,7 +147,7 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 
 // CreateSelfSignedCertificate creates a self-signed certificate in the keystore
 func (ks *KeyStore) CreateSelfSignedCertificate(label, dn, hostname string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn, "-san_dnsname", hostname, "-size 2048 -sig_alg sha256 -eku serverAuth")
+	out, _, err := command.Run(ks.command, "-cert", "-create", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn, "-san_dnsname", hostname, "-size 2048 -sig_alg sha256 -eku serverAuth")
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
 	}
@@ -145,7 +156,7 @@ func (ks *KeyStore) CreateSelfSignedCertificate(label, dn, hostname string) erro
 
 // Add adds a CA certificate to the keystore
 func (ks *KeyStore) Add(inputFile, label string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
+	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
 	}
@@ -154,7 +165,7 @@ func (ks *KeyStore) Add(inputFile, label string) error {
 
 // Add adds a CA certificate to the keystore
 func (ks *KeyStore) AddNoLabel(inputFile string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile)
+	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
 	}
@@ -163,7 +174,7 @@ func (ks *KeyStore) AddNoLabel(inputFile string) error {
 
 // GetCertificateLabels returns the labels of all certificates in the key store
 func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
-	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 	if err != nil {
 		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
 	}
@@ -207,7 +218,7 @@ func (ks *KeyStore) RenameCertificate(from, to string) error {
 
 // ListAllCertificates Lists all certificates in the keystore
 func (ks *KeyStore) ListAllCertificates() ([]string, error) {
-	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 	if err != nil {
 		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
 	}
@@ -226,3 +237,22 @@ func (ks *KeyStore) ListAllCertificates() ([]string, error) {
 	}
 	return labels, nil
 }
+
+// Returns the FIPS flag. True if enabled else false
+func (ks *KeyStore) IsFIPSEnabled() bool {
+	return ks.fipsEnabled
+}
+
+// Returns -fips option if FIPS is enabled otherwise empty string. Return value is used
+// when running runmqakm/runmqckm commands.
+func (ks *KeyStore) getFipsEnabledFlag() string {
+	var fipsEnabled string
+
+	if ks.fipsEnabled {
+		fipsEnabled = "-fips"
+	} else {
+		fipsEnabled = ""
+	}
+
+	return fipsEnabled
+}

internal/tls/tls.go

@@ -118,18 +118,25 @@ func ConfigureTLS(keyLabel string, cmsKeystore KeyStoreData, devMode bool, log *
 	const mqsc string = "/etc/mqm/15-tls.mqsc"
 	const mqscTemplate string = mqsc + ".tpl"
 	sslKeyRing := ""
+	var fipsEnabled = "NO"
 
 	// Don't set SSLKEYR if no keys or crts are not supplied
-	// Key label will be blank if no certs were added during processing keys and certs.
-	if cmsKeystore.Keystore != nil {
+	// Key label will be blank if no private keys were added during processing keys and certs.
+	if cmsKeystore.Keystore != nil && len(keyLabel) > 0 {
 		certList, _ := cmsKeystore.Keystore.ListAllCertificates()
 		if len(certList) > 0 {
 			sslKeyRing = strings.TrimSuffix(cmsKeystore.Keystore.Filename, ".kdb")
 		}
+
+		if cmsKeystore.Keystore.IsFIPSEnabled() {
+			fipsEnabled = "YES"
+		}
 	}
+
 	err := mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
 		"SSLKeyR":          sslKeyRing,
 		"CertificateLabel": keyLabel,
+		"SSLFips":          fipsEnabled,
 	}, log)
 	if err != nil {
 		return err
@@ -631,7 +638,7 @@ func haveKeysAndCerts(keyDir string) bool {
 			// Do a listing of the subdirectory and then search for .key and .cert files
 			keys, _ := ioutil.ReadDir(filepath.Join(keyDir, fileInfo.Name()))
 			for _, key := range keys {
-				if strings.Contains(key.Name(), ".key") || strings.Contains(key.Name(), ".crt") {
+				if strings.HasSuffix(key.Name(), ".key") || strings.HasSuffix(key.Name(), ".crt") {
 					// We found at least one key/crt file.
 					return true
 				}

internal/tls/tls_web.go

@@ -77,7 +77,6 @@ func ConfigureWebKeystore(p12Truststore KeyStoreData, webKeystore string) (strin
 		if err != nil {
 			return "", fmt.Errorf("Failed to generate certificate in Web Keystore %s with DN of 'CN=%s': %v", webKeystoreFile, genHostName, err)
 		}
-
 	} else {
 		// Check Web Keystore already exists
 		_, err := os.Stat(webKeystoreFile)