This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/master by this push:
new 9a9d575ef [WSS-711]Introduce a system property "fips.enabled" so that
WSS4J can work easier in FIPS mode (#313)
9a9d575ef is described below
commit 9a9d575efdf91932bf95328505ede71a4f7a4ee9
Author: Freeman(Yue) Fang <[email protected]>
AuthorDate: Fri Feb 7 11:22:15 2025 -0500
[WSS-711]Introduce a system property "fips.enabled" so that WSS4J can work
easier in FIPS mode (#313)
---
parent/pom.xml | 6 ++++
ws-security-common/pom.xml | 6 ++++
.../common/crypto/JasyptPasswordEncryptor.java | 15 +++++++-
.../wss4j/common/crypto/WSProviderConfig.java | 26 ++++++++++++++
.../org/apache/wss4j/common/util/FIPSUtils.java | 42 ++++++++++++++++++++++
.../apache/wss4j/dom/message/WSSecDKEncrypt.java | 4 ++-
.../org/apache/wss4j/dom/message/WSSecEncrypt.java | 4 ++-
.../java/org/apache/wss4j/stax/setup/WSSec.java | 5 ++-
8 files changed, 104 insertions(+), 4 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 69991a446..289eee3ef 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -34,6 +34,7 @@
<properties>
<bcprov.version>1.80</bcprov.version>
+ <bc.fips.version>2.1.0</bc.fips.version>
<commons.compress.version>1.27.1</commons.compress.version>
<cryptacular.version>1.2.7</cryptacular.version>
<ehcache.version>3.10.8</ehcache.version>
@@ -83,6 +84,11 @@
<artifactId>bcpkix-jdk18on</artifactId>
<version>${bcprov.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bc-fips</artifactId>
+ <version>${bc.fips.version}</version>
+ </dependency>
<dependency>
<groupId>org.apache.neethi</groupId>
<artifactId>neethi</artifactId>
diff --git a/ws-security-common/pom.xml b/ws-security-common/pom.xml
index 10dc6c953..dbc9f7e6e 100644
--- a/ws-security-common/pom.xml
+++ b/ws-security-common/pom.xml
@@ -223,6 +223,12 @@
<scope>compile</scope>
<optional>true</optional>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bc-fips</artifactId>
+ <scope>compile</scope>
+ <optional>true</optional>
+ </dependency>
<dependency>
<groupId>org.jasypt</groupId>
<artifactId>jasypt</artifactId>
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/JasyptPasswordEncryptor.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/JasyptPasswordEncryptor.java
index e418ac97a..68ed78aa4 100644
---
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/JasyptPasswordEncryptor.java
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/JasyptPasswordEncryptor.java
@@ -26,7 +26,10 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.util.FIPSUtils;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+import org.jasypt.iv.RandomIvGenerator;
+import org.jasypt.salt.RandomSaltGenerator;
/**
@@ -35,7 +38,9 @@ import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
*/
public class JasyptPasswordEncryptor implements PasswordEncryptor {
- public static final String DEFAULT_ALGORITHM = "PBEWithMD5AndTripleDES";
+ public static final String DEFAULT_ALGORITHM =
+ FIPSUtils.isFIPSEnabled()
+ ? "PBEWithHmacSHA512AndAES_256" : "PBEWithMD5AndTripleDES";
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(JasyptPasswordEncryptor.class);
@@ -51,6 +56,10 @@ public class JasyptPasswordEncryptor implements
PasswordEncryptor {
passwordEncryptor = new StandardPBEStringEncryptor();
passwordEncryptor.setPassword(password);
passwordEncryptor.setAlgorithm(algorithm);
+ if (FIPSUtils.isFIPSEnabled()) {
+ passwordEncryptor.setSaltGenerator(new
RandomSaltGenerator("PKCS11"));
+ passwordEncryptor.setIvGenerator(new RandomIvGenerator("PKCS11"));
+ }
}
public JasyptPasswordEncryptor(CallbackHandler callbackHandler) {
@@ -60,6 +69,10 @@ public class JasyptPasswordEncryptor implements
PasswordEncryptor {
public JasyptPasswordEncryptor(CallbackHandler callbackHandler, String
algorithm) {
passwordEncryptor = new StandardPBEStringEncryptor();
passwordEncryptor.setAlgorithm(algorithm);
+ if (FIPSUtils.isFIPSEnabled()) {
+ passwordEncryptor.setSaltGenerator(new
RandomSaltGenerator("PKCS11"));
+ passwordEncryptor.setIvGenerator(new RandomIvGenerator("PKCS11"));
+ }
this.callbackHandler = callbackHandler;
}
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/WSProviderConfig.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/WSProviderConfig.java
index 9afc378cf..acdae3796 100644
---
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/WSProviderConfig.java
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/WSProviderConfig.java
@@ -26,6 +26,7 @@ import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.Security;
+import org.apache.wss4j.common.util.FIPSUtils;
import org.apache.wss4j.common.util.Loader;
import org.apache.xml.security.utils.I18n;
import org.apache.xml.security.utils.XMLUtils;
@@ -79,6 +80,17 @@ public final class WSProviderConfig {
bcProviderAdded = false;
tlProviderAdded = false;
}
+ if (FIPSUtils.isFIPSEnabled()) {
+ //So far the in-JDK security provider in FIPS mode
+ //doesn't support RSA-OAEP padding, try use the one
+ //from BC-FIPS as last resort
+ AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+ public Boolean run() {
+ addJceProvider("BCFIPS",
"org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ return true;
+ }
+ });
+ }
staticallyInitialized = true;
}
}
@@ -106,6 +118,20 @@ public final class WSProviderConfig {
}
});
}
+ if (FIPSUtils.isFIPSEnabled()) {
+ //So far the in-JDK security provider in FIPS mode
+ //doesn't support RSA-OAEP padding, try use the one
+ //from BC-FIPS as last resort
+
+
+ AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+ public Boolean run() {
+ addJceProvider("BCFIPS",
"org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ return true;
+ }
+ });
+
+ }
tlProviderAdded = addTLProv;
if (addTLProv) {
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/util/FIPSUtils.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/util/FIPSUtils.java
new file mode 100644
index 000000000..f432dea55
--- /dev/null
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/util/FIPSUtils.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.common.util;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+
+public final class FIPSUtils {
+
+ private static boolean isFIPSEnabled = false;
+ private static final String FIPS_ENABLED = "fips.enabled";
+
+ static {
+ isFIPSEnabled = Boolean.parseBoolean(AccessController.doPrivileged(new
PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(FIPS_ENABLED);
+ }
+ }));
+
+ }
+
+ public static boolean isFIPSEnabled() {
+ return isFIPSEnabled;
+ }
+}
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKEncrypt.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKEncrypt.java
index 8059ac3aa..81683dd96 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKEncrypt.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecDKEncrypt.java
@@ -29,6 +29,7 @@ import
org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.FIPSUtils;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -44,7 +45,8 @@ import org.w3c.dom.Node;
*/
public class WSSecDKEncrypt extends WSSecDerivedKeyBase {
- private String symEncAlgo = WSConstants.AES_128;
+ private String symEncAlgo = FIPSUtils.isFIPSEnabled()
+ ? WSConstants.AES_128_GCM : WSConstants.AES_128;
private int derivedKeyLength = -1;
private List<Element> attachmentEncryptedDataElements;
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
index 59db22247..3698b4d34 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
@@ -32,6 +32,7 @@ import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.FIPSUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
@@ -80,7 +81,8 @@ public class WSSecEncrypt extends WSSecEncryptedKey {
/**
* Algorithm to be used with the ephemeral key
*/
- private String symEncAlgo = WSConstants.AES_128;
+ private String symEncAlgo = FIPSUtils.isFIPSEnabled()
+ ? WSConstants.AES_128_GCM : WSConstants.AES_128;
public WSSecEncrypt(WSSecHeader securityHeader) {
super(securityHeader);
diff --git
a/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/WSSec.java
b/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/WSSec.java
index 29b98fb4b..d713956f6 100644
--- a/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/WSSec.java
+++ b/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/WSSec.java
@@ -31,8 +31,10 @@ import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
+import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.crypto.WSProviderConfig;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.FIPSUtils;
import org.apache.wss4j.stax.ext.WSSConfigurationException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
@@ -367,7 +369,8 @@ public class WSSec {
throw new
WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE,
"noEncryptionUser");
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
-
securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
+
securityProperties.setEncryptionSymAlgorithm(FIPSUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_256_GCM : WSSConstants.NS_XENC_AES256);
}
if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
//@see
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
