Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS appr…

…oved mode. Cleanup (keycloak#13406)

Closes keycloak#13128

common/src/main/java/org/keycloak/common/crypto/CryptoConstants.java

@@ -0,0 +1,19 @@
+package org.keycloak.common.crypto;
+
+/**
+ * @author <a href="mailto:[email protected]">Marek Posolda</a>
+ */
+public class CryptoConstants {
+
+    // JWE algorithms
+    public static final String A128KW = "A128KW";
+    public static final String RSA1_5 = "RSA1_5";
+    public static final String RSA_OAEP = "RSA-OAEP";
+    public static final String RSA_OAEP_256 = "RSA-OAEP-256";
+
+    /** Name of Java security provider used with non-fips BouncyCastle. Should be used in non-FIPS environment */
+    public static final String BC_PROVIDER_ID = "BC";
+
+    /** Name of Java security provider used with fips BouncyCastle. Should be used in FIPS environment */
+    public static final String BCFIPS_PROVIDER_ID = "BCFIPS";
+}

common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java

@@ -1,5 +1,6 @@
 package org.keycloak.common.crypto;
 
+import java.security.Provider;
 import java.security.spec.ECParameterSpec;
 
 /**
@@ -9,6 +10,11 @@
  */
 public interface CryptoProvider {
 
+    /**
+     * @return BouncyCastle security provider. Can be either non-FIPS or FIPS based provider
+     */
+    Provider getBouncyCastleProvider();
+
     /**
      * Get some algorithm provider implementation. Returned implementation can be dependent according to if we have
      * non-fips bouncycastle or fips bouncycastle on the classpath.
@@ -25,7 +31,7 @@ public interface CryptoProvider {
      *
      * @return
      */
-    public CertificateUtilsProvider getCertificateUtils();
+    CertificateUtilsProvider getCertificateUtils();
 
 
     /**
@@ -34,7 +40,7 @@ public interface CryptoProvider {
      *
      * @return
      */
-    public PemUtilsProvider getPemUtils();
+    PemUtilsProvider getPemUtils();
 
 
     /**
@@ -43,6 +49,6 @@ public interface CryptoProvider {
      * @param curveName
      * @return
      */
-    public ECParameterSpec createECParams(String curveName);
+    ECParameterSpec createECParams(String curveName);
 
 }

common/src/main/java/org/keycloak/common/util/BouncyIntegration.java

@@ -19,7 +19,7 @@
 
 import org.jboss.logging.Logger;
 import org.keycloak.common.crypto.CryptoIntegration;
-import org.keycloak.common.crypto.CryptoProviderTypes;
+import org.keycloak.common.crypto.CryptoConstants;
 
 import java.security.Provider;
 import java.security.Security;
@@ -35,7 +35,7 @@ public class BouncyIntegration {
     public static final String PROVIDER = loadProvider();
 
     private static String loadProvider() {
-        Provider provider = CryptoIntegration.getProvider().getAlgorithmProvider(Provider.class, CryptoProviderTypes.BC_SECURITY_PROVIDER);
+        Provider provider = CryptoIntegration.getProvider().getBouncyCastleProvider();
         if (provider == null) {
             throw new RuntimeException("Failed to load required security provider: BouncyCastleProvider or BouncyCastleFipsProvider");
         }

common/src/main/java/org/keycloak/common/util/CertificateUtils.java

@@ -30,10 +30,6 @@
  */
 public class CertificateUtils {
 
-    static {
-        CryptoIntegration.init(ClassLoader.getSystemClassLoader());
-    }
-
 
     /**
      * Generates version 3 {@link java.security.cert.X509Certificate}.

common/src/main/java/org/keycloak/common/util/Environment.java

@@ -43,6 +43,13 @@ public static int getServerStartupTimeout() {
      * @return true if java is FIPS mode
      */
     public static boolean isJavaInFipsMode() {
+        // Check if FIPS explicitly enabled by system property
+        String property = System.getProperty("com.redhat.fips");
+        if (property != null) {
+            return Boolean.parseBoolean(property);
+        }
+
+        // Otherwise try to auto-detect
         for (Provider provider : Security.getProviders()) {
             if (provider.getName().equals("BCFIPS")) continue; // Ignore BCFIPS provider for the detection as we may register it programatically
             if (provider.getName().toUpperCase().contains("FIPS")) return true;

common/src/main/java/org/keycloak/common/util/PemUtils.java

@@ -37,10 +37,6 @@ public class PemUtils {
     public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
     public static final String END_CERT = "-----END CERTIFICATE-----";
 
-    static {
-        CryptoIntegration.init(ClassLoader.getSystemClassLoader());
-    }
-
     /**
      * Decode a X509 Certificate from a PEM string
      *

core/src/main/java/org/keycloak/jose/jwe/JWEConstants.java

@@ -17,16 +17,18 @@
 
 package org.keycloak.jose.jwe;
 
+import org.keycloak.common.crypto.CryptoConstants;
+
 /**
  * @author <a href="mailto:[email protected]">Marek Posolda</a>
  */
 public class JWEConstants {
 
-    public static final String DIR = "dir";
-    public static final String A128KW = "A128KW";
-    public static final String RSA1_5 = "RSA1_5";
-    public static final String RSA_OAEP = "RSA-OAEP";
-    public static final String RSA_OAEP_256 = "RSA-OAEP-256";
+    public static final String DIRECT = "dir";
+    public static final String A128KW = CryptoConstants.A128KW;
+    public static final String RSA1_5 = CryptoConstants.RSA1_5;
+    public static final String RSA_OAEP = CryptoConstants.RSA_OAEP;
+    public static final String RSA_OAEP_256 = CryptoConstants.RSA_OAEP_256;
 
     public static final String A128CBC_HS256 = "A128CBC-HS256";
     public static final String A192CBC_HS384 = "A192CBC-HS384";

core/src/main/java/org/keycloak/jose/jwe/JWERegistry.java

@@ -21,11 +21,8 @@
 import java.util.Map;
 
 import org.keycloak.common.crypto.CryptoIntegration;
-import org.keycloak.common.crypto.CryptoProviderTypes;
 import org.keycloak.jose.jwe.alg.DirectAlgorithmProvider;
 import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
-import org.keycloak.jose.jwe.alg.RsaKeyEncryption256JWEAlgorithmProvider;
-import org.keycloak.jose.jwe.alg.RsaKeyEncryptionJWEAlgorithmProvider;
 import org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider;
 import org.keycloak.jose.jwe.enc.AesGcmJWEEncryptionProvider;
 import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
@@ -36,23 +33,11 @@
  */
 class JWERegistry {
 
-    // https://tools.ietf.org/html/rfc7518#page-12
-    // Registry not pluggable for now. Just supported algorithms included
-    private static final Map<String, JWEEncryptionProvider> ENC_PROVIDERS = new HashMap<>();
-
     // https://tools.ietf.org/html/rfc7518#page-22
     // Registry not pluggable for now. Just supported algorithms included
-    private static final Map<String, JWEAlgorithmProvider> ALG_PROVIDERS = new HashMap<>();
-
+    private static final Map<String, JWEEncryptionProvider> ENC_PROVIDERS = new HashMap<>();
 
     static {
-        // Provider 'dir' just directly uses encryption keys for encrypt/decrypt content.
-        ALG_PROVIDERS.put(JWEConstants.DIR, new DirectAlgorithmProvider());
-        ALG_PROVIDERS.put(JWEConstants.A128KW, CryptoIntegration.getProvider().getAlgorithmProvider(JWEAlgorithmProvider.class, CryptoProviderTypes.AES_KEY_WRAP_ALGORITHM_PROVIDER));
-        ALG_PROVIDERS.put(JWEConstants.RSA_OAEP, new RsaKeyEncryptionJWEAlgorithmProvider("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"));
-        ALG_PROVIDERS.put(JWEConstants.RSA_OAEP_256, new RsaKeyEncryption256JWEAlgorithmProvider("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"));
-
-
         ENC_PROVIDERS.put(JWEConstants.A256GCM, new AesGcmJWEEncryptionProvider(JWEConstants.A256GCM));
         ENC_PROVIDERS.put(JWEConstants.A128CBC_HS256, new AesCbcHmacShaEncryptionProvider.Aes128CbcHmacSha256Provider());
         ENC_PROVIDERS.put(JWEConstants.A192CBC_HS384, new AesCbcHmacShaEncryptionProvider.Aes192CbcHmacSha384Provider());
@@ -61,7 +46,12 @@ class JWERegistry {
 
 
     static JWEAlgorithmProvider getAlgProvider(String alg) {
-        return ALG_PROVIDERS.get(alg);
+        // https://tools.ietf.org/html/rfc7518#page-12
+        if (JWEConstants.DIRECT.equals(alg)) {
+            return new DirectAlgorithmProvider();
+        } else {
+            return CryptoIntegration.getProvider().getAlgorithmProvider(JWEAlgorithmProvider.class, alg);
+        }
     }
 
 

core/src/main/java/org/keycloak/util/TokenUtil.java

@@ -203,7 +203,7 @@ public static String jweDirectEncode(Key aesKey, Key hmacKey, byte[] contentByte
             default: throw new IllegalArgumentException("Bad size for Encryption key: " + aesKey + ". Valid sizes are 16, 24, 32.");
         }
 
-        JWEHeader jweHeader = new JWEHeader(JWEConstants.DIR, encAlgorithm, null);
+        JWEHeader jweHeader = new JWEHeader(JWEConstants.DIRECT, encAlgorithm, null);
         JWE jwe = new JWE()
                 .header(jweHeader)
                 .content(contentBytes);