fips support

core/src/main/java/org/apache/cxf/helpers/JavaUtils.java

@@ -51,10 +51,13 @@ public final class JavaUtils {
     private static boolean isJava11Compatible;
     private static boolean isJava9Compatible;
     private static boolean isJava8Before161;
+    private static boolean isFIPSEnabled;
     private static Integer javaMajorVersion;
+    private static final String FIPS_ENABLED = "fips.enabled";
 
     static {
         String version = SystemPropertyAction.getProperty("java.version");
+        isFIPSEnabled = Boolean.valueOf(SystemPropertyAction.getProperty(FIPS_ENABLED));
         try {
             isJava8Before161 = version.startsWith("1.8.0_")
                 && Integer.parseInt(version.substring(6)) < 161;
@@ -114,6 +117,10 @@ private static void setJava11Compatible(boolean java11Compatible) {
     public static boolean isJava8Before161() {
         return isJava8Before161;
     }
+
+    public static boolean isFIPSEnabled() {
+        return isFIPSEnabled;
+    }
 
     public static void setJavaMajorVersion(Integer javaMajorVersion) {
         JavaUtils.javaMajorVersion = javaMajorVersion;

parent/pom.xml

@@ -236,7 +236,7 @@
         <cxf.woodstox.core.version>6.6.2</cxf.woodstox.core.version>
         <cxf.woodstox.stax2-api.version>4.2.1</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
-        <cxf.jakarta.wss4j.version>3.0.3</cxf.jakarta.wss4j.version>
+        <cxf.jakarta.wss4j.version>3.0.4-SNAPSHOT</cxf.jakarta.wss4j.version>
         <cxf.xmlschema.version>2.3.1</cxf.xmlschema.version>
         <cxf.xnio.version>3.8.14.Final</cxf.xnio.version>
         <cxf.zest.version>2.1</cxf.zest.version>
@@ -487,7 +487,7 @@
                         <parallel>${cxf.surefire.parallel.mode}</parallel>
                         <forkNode implementation="org.apache.maven.plugin.surefire.extensions.SurefireForkNodeFactory" />
                         <rerunFailingTestsCount>${cxf.surefire.rerun.count}</rerunFailingTestsCount>
-                        <systemPropertyVariables>
+			<systemPropertyVariables>
                             <java.io.tmpdir>${basedir}/target</java.io.tmpdir>
                             <cxf.useRandomFirstPort>true</cxf.useRandomFirstPort>
                             <org.apache.cxf.JDKBugHacks.all>true</org.apache.cxf.JDKBugHacks.all>
@@ -501,7 +501,6 @@
                             <server.launcher.vmargs>${cxf.server.launcher.vmargs}</server.launcher.vmargs>
                             <org.apache.cxf.transport.http.async.usePolicy>ASYNC_ONLY</org.apache.cxf.transport.http.async.usePolicy>
                             <org.apache.cxf.transport.websocket.atmosphere.disabled>${org.apache.cxf.transport.websocket.atmosphere.disabled}</org.apache.cxf.transport.websocket.atmosphere.disabled>
-                            <org.apache.xml.security.securerandom.algorithm>SHA1PRNG</org.apache.xml.security.securerandom.algorithm>
                         </systemPropertyVariables>
                     </configuration>
                 </plugin>
@@ -2267,7 +2266,7 @@
                         <configuration>
                             <systemPropertyVariables>
                                  <!-- https://github.com/bcgit/bc-java/issues/589  -->
-                                 <jdk.tls.namedGroups>secp256r1,secp384r1,secp521r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp256k1,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192</jdk.tls.namedGroups>
+				 <jdk.tls.namedGroups>secp256r1,secp384r1,secp521r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp256k1,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192</jdk.tls.namedGroups>
                             </systemPropertyVariables>
                         </configuration>
                     </plugin>
@@ -2284,5 +2283,38 @@
                 <cxf.surefire.fork.vmargs>-ea --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED  --add-opens java.base/sun.net.www.protocol.https=ALL-UNNAMED</cxf.surefire.fork.vmargs>
             </properties>
         </profile>
+        <profile>
+            <id>fips</id>
+            <activation>
+                <property>
+                    <name>fips.enabled</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <systemPropertyVariables>
+                                <org.apache.xml.security.securerandom.algorithm>PKCS11</org.apache.xml.security.securerandom.algorithm>
+                                <fips.enabled>true</fips.enabled>
+                            </systemPropertyVariables>
+                            <excludes>
+                                <!--fips: need to regenerate keys for systests/microprofile/client/weld tests which are out of CXF codebase-->
+                                <exclude>**/SslContextTest.java</exclude>
+                                <exclude>**/SslHostnameVerifierTest.java</exclude>
+                                <exclude>**/SslMutualTest.java</exclude>
+                                <exclude>**/SslTrustStoreTest.java</exclude>
+                                <!--fips: Kerberos are not supported on fips mode -->
+                                <exclude>**/JAXRSKerberosBookTest.java</exclude>
+                                <exclude>**/KerberosTokenTest.java</exclude>
+                                <exclude>**/SpnegoTokenTest.java</exclude>
+                            </excludes>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>

rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java

@@ -18,10 +18,13 @@
  */
 package org.apache.cxf.rs.security.httpsignature.utils;
 
+import org.apache.cxf.helpers.JavaUtils;
+
 public final class DefaultSignatureConstants {
     public static final String SIGNING_ALGORITHM = "rsa-sha256";
     public static final String DIGEST_ALGORITHM = "SHA-256";
-    public static final String SECURITY_PROVIDER = "SunRsaSign";
+    public static final String SECURITY_PROVIDER 
+        = JavaUtils.isFIPSEnabled() ? "SunPKCS11-NSS-FIPS" : "SunRsaSign";
 
     private DefaultSignatureConstants() { }
 

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java

@@ -135,8 +135,9 @@ public final class JoseConstants extends RSSecurityConstants {
     public static final String RSSEC_ENCRYPTION_CONTENT_ALGORITHM = "rs.security.encryption.content.algorithm";
 
     /**
-     * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an
-     * RSA key, and 'A128GCMKW' if it is an octet sequence.
+     * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP'
+     * (or RSA1_5 in FIPS mode) 
+     * if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.
      */
     public static final String RSSEC_ENCRYPTION_KEY_ALGORITHM = "rs.security.encryption.key.algorithm";
 

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java

@@ -43,6 +43,7 @@
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.PhaseInterceptorChain;
@@ -186,7 +187,7 @@ public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key
     }
     private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
         if (key instanceof RSAPublicKey) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA1_5 : KeyAlgorithm.RSA_OAEP;
         } else if (key instanceof ECPublicKey) {
             return KeyAlgorithm.ECDH_ES_A128KW;
         } else {
@@ -195,7 +196,7 @@ private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
     }
     private static KeyAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
         if (key instanceof RSAPrivateKey) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA1_5 : KeyAlgorithm.RSA_OAEP;
         } else if (key instanceof ECPrivateKey) {
             return KeyAlgorithm.ECDH_ES_A128KW;
         } else {
@@ -937,7 +938,7 @@ private static KeyAlgorithm getDefaultKeyAlgorithm(JsonWebKey jwk) {
         if (KeyType.OCTET == keyType) {
             return KeyAlgorithm.A128GCMKW;
         } else if (KeyType.RSA == keyType) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA1_5 : KeyAlgorithm.RSA_OAEP;
         } else {
             return KeyAlgorithm.ECDH_ES_A128KW;
         }

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java

@@ -20,12 +20,14 @@
 
 import java.security.interfaces.RSAPrivateKey;
 
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
-        this(privateKey, KeyAlgorithm.RSA_OAEP);
+        this(privateKey, JavaUtils.isFIPSEnabled() 
+             ? KeyAlgorithm.RSA1_5 : KeyAlgorithm.RSA_OAEP);
     }
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {
         this(privateKey, supportedAlgo, true);

rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java

@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.rs.security.jose.jwa;
 
+import org.apache.cxf.helpers.JavaUtils;
+
+import org.junit.Assume;
 import org.junit.Test;
 
 public abstract class JwaDecryptRfcConformanceTest extends AbstractDecryptTest {
@@ -39,16 +42,22 @@ public void testOctA128GcmJweJson() throws Exception {
 
     @Test
     public void testRsaOaepA128GcmJweCompact() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.compact.jwe");
     }
 
     @Test
     public void testRsaOaepA128GcmJweJsonFlattened() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.json.flattened.jwe");
     }
 
     @Test
     public void testRsaOaepA128GcmJweJson() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.json.jwe");
     }
 

rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java

@@ -18,8 +18,10 @@
  */
 package org.apache.cxf.rs.security.jose.jwa;
 
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.rs.security.jose.support.Serialization;
 
+import org.junit.Assume;
 import org.junit.Test;
 
 public abstract class JwaEncryptRfcConformanceTest extends AbstractEncryptTest {
@@ -41,16 +43,22 @@ public void testOctA128GcmJweJson() throws Exception {
 
     @Test
     public void testRsaOaepA128GcmJweCompact() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.COMPACT);
     }
 
     @Test
     public void testRsaOaepA128GcmJweJsonFlattened() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.FLATTENED);
     }
 
     @Test
     public void testRsaOaepA128GcmJweJson() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.JSON);
     }