
Commit 7e925bf

authored
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup (keycloak#13406)
Closes keycloak#13128
1 parent 6f7d20f commit 7e925bf

36 files changed

+323
-280
lines changed
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
package org.keycloak.common.crypto;
2+
3+
/**
4+
* @author <a href="mailto:[email protected]">Marek Posolda</a>
5+
*/
6+
public class CryptoConstants {
7+
8+
// JWE algorithms
9+
public static final String A128KW = "A128KW";
10+
public static final String RSA1_5 = "RSA1_5";
11+
public static final String RSA_OAEP = "RSA-OAEP";
12+
public static final String RSA_OAEP_256 = "RSA-OAEP-256";
13+
14+
/** Name of Java security provider used with non-fips BouncyCastle. Should be used in non-FIPS environment */
15+
public static final String BC_PROVIDER_ID = "BC";
16+
17+
/** Name of Java security provider used with fips BouncyCastle. Should be used in FIPS environment */
18+
public static final String BCFIPS_PROVIDER_ID = "BCFIPS";
19+
}

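--- a/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java
+++ b/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java
@@ -1,5 +1,6 @@
 package org.keycloak.common.crypto;
 
+import java.security.Provider;
 import java.security.spec.ECParameterSpec;
 
 /**
@@ -9,6 +10,11 @@
  */
 public interface CryptoProvider {
 
+    /**
+     * @return BouncyCastle security provider. Can be either non-FIPS or FIPS based provider
+     */
+    Provider getBouncyCastleProvider();
+
     /**
      * Get some algorithm provider implementation. Returned implementation can be dependent according to if we have
      * non-fips bouncycastle or fips bouncycastle on the classpath.
@@ -25,7 +31,7 @@ public interface CryptoProvider {
      *
      * @return
      */
-    public CertificateUtilsProvider getCertificateUtils();
+    CertificateUtilsProvider getCertificateUtils();
 
 
     /**
@@ -34,7 +40,7 @@ public interface CryptoProvider {
      *
      * @return
      */
-    public PemUtilsProvider getPemUtils();
+    PemUtilsProvider getPemUtils();
 
 
     /**
@@ -43,6 +49,6 @@ public interface CryptoProvider {
      * @param curveName
      * @return
      */
-    public ECParameterSpec createECParams(String curveName);
+    ECParameterSpec createECParams(String curveName);
 
 }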
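Review bot: The Javadoc on the new `getBouncyCastleProvider()` (line 14 of the new side) does not state what is returned when no BouncyCastle provider is available, yet `BouncyIntegration.loadProvider()` in this same commit null-checks the result and throws. If null is the intended signal, make it part of the interface contract so every implementation agrees: `@return the BouncyCastle security provider (non-FIPS or FIPS based), or {@code null} if none is available`. The `@return` tags on `getCertificateUtils()`, `getPemUtils()` and `createECParams()` are still empty; since these lines are being touched anyway, filling them in would be cheap.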

common/src/main/java/org/keycloak/common/crypto/CryptoProviderTypes.java

Lines changed: 0 additions & 11 deletions
This file was deleted.

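--- a/common/src/main/java/org/keycloak/common/util/BouncyIntegration.java
+++ b/common/src/main/java/org/keycloak/common/util/BouncyIntegration.java
@@ -19,7 +19,7 @@
 
 import org.jboss.logging.Logger;
 import org.keycloak.common.crypto.CryptoIntegration;
-import org.keycloak.common.crypto.CryptoProviderTypes;
+import org.keycloak.common.crypto.CryptoConstants;
 
 import java.security.Provider;
 import java.security.Security;
@@ -35,7 +35,7 @@ public class BouncyIntegration {
     public static final String PROVIDER = loadProvider();
 
     private static String loadProvider() {
-        Provider provider = CryptoIntegration.getProvider().getAlgorithmProvider(Provider.class, CryptoProviderTypes.BC_SECURITY_PROVIDER);
+        Provider provider = CryptoIntegration.getProvider().getBouncyCastleProvider();
         if (provider == null) {
             throw new RuntimeException("Failed to load required security provider: BouncyCastleProvider or BouncyCastleFipsProvider");
         }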
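Review bot: `PROVIDER` is resolved in a static initializer via `CryptoIntegration.getProvider().getBouncyCastleProvider()` (line 38 of the new side), while this same commit drops the `CryptoIntegration.init(...)` static blocks from `CertificateUtils` and `PemUtils`; nothing visible here ensures `CryptoIntegration` has been initialised before `BouncyIntegration` is first loaded, and if `getProvider()` is null or throws at that point the explicit `RuntimeException` is never reached — the first caller sees an `ExceptionInInitializerError` and every later access a `NoClassDefFoundError`. If the initialisation order is guaranteed elsewhere, say so on the field: `// Requires CryptoIntegration.init(...) to have run before this class is loaded; otherwise class initialization fails.` The replacement import `org.keycloak.common.crypto.CryptoConstants` is not referenced in either hunk; if the rest of the class (outside the hunk) does not use it either, it should be dropped rather than carried as an unused import.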

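--- a/common/src/main/java/org/keycloak/common/util/CertificateUtils.java
+++ b/common/src/main/java/org/keycloak/common/util/CertificateUtils.java
@@ -30,10 +30,6 @@
  */
 public class CertificateUtils {
 
-    static {
-        CryptoIntegration.init(ClassLoader.getSystemClassLoader());
-    }
-
 
     /**
      * Generates version 3 {@link java.security.cert.X509Certificate}.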

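--- a/common/src/main/java/org/keycloak/common/util/Environment.java
+++ b/common/src/main/java/org/keycloak/common/util/Environment.java
@@ -43,6 +43,13 @@ public static int getServerStartupTimeout() {
      * @return true if java is FIPS mode
      */
     public static boolean isJavaInFipsMode() {
+        // Check if FIPS explicitly enabled by system property
+        String property = System.getProperty("com.redhat.fips");
+        if (property != null) {
+            return Boolean.parseBoolean(property);
+        }
+
+        // Otherwise try to auto-detect
         for (Provider provider : Security.getProviders()) {
             if (provider.getName().equals("BCFIPS")) continue; // Ignore BCFIPS provider for the detection as we may register it programatically
             if (provider.getName().toUpperCase().contains("FIPS")) return true;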
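Review bot: The `com.redhat.fips` override at lines 47–50 of the new side is a hard switch in both directions: `Boolean.parseBoolean` yields false for anything but the literal `true` (case-insensitive), so `-Dcom.redhat.fips=false`, `=0` or a typo skips the provider scan entirely even when a FIPS provider is registered in the JVM. On a RHEL OpenJDK that presumably mirrors the JDK's own switch, but on other JVMs the property has no effect on the runtime, so this method can report non-FIPS while FIPS-validated providers are actually in use. If the override is intended, document it in the method Javadoc, e.g. `* The {@code com.redhat.fips} system property, when set, overrides provider auto-detection; any value other than "true" reports non-FIPS.`, and consider a warn-level log when the property says false but a FIPS provider is present so the misconfiguration is visible. The `for` loop and the method's final return lie outside the hunk.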

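--- a/common/src/main/java/org/keycloak/common/util/PemUtils.java
+++ b/common/src/main/java/org/keycloak/common/util/PemUtils.java
@@ -37,10 +37,6 @@ public class PemUtils {
     public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
     public static final String END_CERT = "-----END CERTIFICATE-----";
 
-    static {
-        CryptoIntegration.init(ClassLoader.getSystemClassLoader());
-    }
-
     /**
      * Decode a X509 Certificate from a PEM string
      *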

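--- a/core/src/main/java/org/keycloak/jose/jwe/JWEConstants.java
+++ b/core/src/main/java/org/keycloak/jose/jwe/JWEConstants.java
@@ -17,16 +17,18 @@
 
 package org.keycloak.jose.jwe;
 
+import org.keycloak.common.crypto.CryptoConstants;
+
 /**
  * @author <a href="mailto:[email protected]">Marek Posolda</a>
  */
 public class JWEConstants {
 
-    public static final String DIR = "dir";
-    public static final String A128KW = "A128KW";
-    public static final String RSA1_5 = "RSA1_5";
-    public static final String RSA_OAEP = "RSA-OAEP";
-    public static final String RSA_OAEP_256 = "RSA-OAEP-256";
+    public static final String DIRECT = "dir";
+    public static final String A128KW = CryptoConstants.A128KW;
+    public static final String RSA1_5 = CryptoConstants.RSA1_5;
+    public static final String RSA_OAEP = CryptoConstants.RSA_OAEP;
+    public static final String RSA_OAEP_256 = CryptoConstants.RSA_OAEP_256;
 
     public static final String A128CBC_HS256 = "A128CBC-HS256";
     public static final String A192CBC_HS384 = "A192CBC-HS384";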
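Review bot: Renaming the public constant `DIR` to `DIRECT` (line 27 of the new side) removes a `public static final` field from a public class in the core module, so any extension or client code referencing `JWEConstants.DIR` breaks at compile time and, for already-built jars, at link time with `NoSuchFieldError`. Keep the old name as a deprecated alias so both keep compiling: `@Deprecated` / `public static final String DIR = DIRECT;`. The other four constants keep their names and, via `CryptoConstants`, their string values, so they are unaffected.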

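--- a/core/src/main/java/org/keycloak/jose/jwe/JWERegistry.java
+++ b/core/src/main/java/org/keycloak/jose/jwe/JWERegistry.java
@@ -21,11 +21,8 @@
 import java.util.Map;
 
 import org.keycloak.common.crypto.CryptoIntegration;
-import org.keycloak.common.crypto.CryptoProviderTypes;
 import org.keycloak.jose.jwe.alg.DirectAlgorithmProvider;
 import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
-import org.keycloak.jose.jwe.alg.RsaKeyEncryption256JWEAlgorithmProvider;
-import org.keycloak.jose.jwe.alg.RsaKeyEncryptionJWEAlgorithmProvider;
 import org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider;
 import org.keycloak.jose.jwe.enc.AesGcmJWEEncryptionProvider;
 import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
@@ -36,23 +33,11 @@
  */
 class JWERegistry {
 
-    // https://tools.ietf.org/html/rfc7518#page-12
-    // Registry not pluggable for now. Just supported algorithms included
-    private static final Map<String, JWEEncryptionProvider> ENC_PROVIDERS = new HashMap<>();
-
     // https://tools.ietf.org/html/rfc7518#page-22
     // Registry not pluggable for now. Just supported algorithms included
-    private static final Map<String, JWEAlgorithmProvider> ALG_PROVIDERS = new HashMap<>();
-
+    private static final Map<String, JWEEncryptionProvider> ENC_PROVIDERS = new HashMap<>();
 
     static {
-        // Provider 'dir' just directly uses encryption keys for encrypt/decrypt content.
-        ALG_PROVIDERS.put(JWEConstants.DIR, new DirectAlgorithmProvider());
-        ALG_PROVIDERS.put(JWEConstants.A128KW, CryptoIntegration.getProvider().getAlgorithmProvider(JWEAlgorithmProvider.class, CryptoProviderTypes.AES_KEY_WRAP_ALGORITHM_PROVIDER));
-        ALG_PROVIDERS.put(JWEConstants.RSA_OAEP, new RsaKeyEncryptionJWEAlgorithmProvider("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"));
-        ALG_PROVIDERS.put(JWEConstants.RSA_OAEP_256, new RsaKeyEncryption256JWEAlgorithmProvider("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"));
-
-
         ENC_PROVIDERS.put(JWEConstants.A256GCM, new AesGcmJWEEncryptionProvider(JWEConstants.A256GCM));
         ENC_PROVIDERS.put(JWEConstants.A128CBC_HS256, new AesCbcHmacShaEncryptionProvider.Aes128CbcHmacSha256Provider());
         ENC_PROVIDERS.put(JWEConstants.A192CBC_HS384, new AesCbcHmacShaEncryptionProvider.Aes192CbcHmacSha384Provider());
@@ -61,7 +46,12 @@ class JWERegistry {
 
 
     static JWEAlgorithmProvider getAlgProvider(String alg) {
-        return ALG_PROVIDERS.get(alg);
+        // https://tools.ietf.org/html/rfc7518#page-12
+        if (JWEConstants.DIRECT.equals(alg)) {
+            return new DirectAlgorithmProvider();
+        } else {
+            return CryptoIntegration.getProvider().getAlgorithmProvider(JWEAlgorithmProvider.class, alg);
+        }
     }
 
 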
core/src/main/java/org/keycloak/jose/jwe/alg/KeyEncryptionJWEAlgorithmProvider.java

Lines changed: 0 additions & 46 deletions
This file was deleted.
