CXF-9008: Add FIPS 140-2 compliance support

core/src/main/java/org/apache/cxf/helpers/JavaUtils.java

@@ -51,10 +51,16 @@ public final class JavaUtils {
     private static boolean isJava11Compatible;
     private static boolean isJava9Compatible;
     private static boolean isJava8Before161;
+    private static boolean isFIPSEnabled;
+    private static String fipsSecurityProvider;
     private static Integer javaMajorVersion;
+    private static final String FIPS_ENABLED = "fips.enabled";
+    private static final String FIPS_SECURITY_PROVIDER = "fips.security.provider";
 
     static {
         String version = SystemPropertyAction.getProperty("java.version");
+        isFIPSEnabled = Boolean.parseBoolean(SystemPropertyAction.getProperty(FIPS_ENABLED));
+        fipsSecurityProvider = SystemPropertyAction.getProperty(FIPS_SECURITY_PROVIDER);
         try {
             isJava8Before161 = version.startsWith("1.8.0_")
                 && Integer.parseInt(version.substring(6)) < 161;
@@ -114,6 +120,18 @@ private static void setJava11Compatible(boolean java11Compatible) {
     public static boolean isJava8Before161() {
         return isJava8Before161;
     }
+
+    public static boolean isFIPSEnabled() {
+        return isFIPSEnabled;
+    }
+
+    /**
+     * Returns the FIPS security provider name configured via the
+     * {@code fips.security.provider} system property. If not set, returns {@code null}.
+     */
+    public static String getFIPSSecurityProvider() {
+        return fipsSecurityProvider;
+    }
 
     public static void setJavaMajorVersion(Integer javaMajorVersion) {
         JavaUtils.javaMajorVersion = javaMajorVersion;

core/src/test/java/org/apache/cxf/helpers/FipsTestUtils.java

@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.helpers;
+
+import java.lang.reflect.Field;
+
+/**
+ * Test utilities for manipulating FIPS state in unit tests via reflection.
+ */
+public final class FipsTestUtils {
+
+    private FipsTestUtils() { }
+
+    public static void setFipsEnabled(boolean enabled) throws Exception {
+        Field field = JavaUtils.class.getDeclaredField("isFIPSEnabled");
+        field.setAccessible(true);
+        field.setBoolean(null, enabled);
+    }
+
+    public static void setFipsProvider(String provider) throws Exception {
+        Field field = JavaUtils.class.getDeclaredField("fipsSecurityProvider");
+        field.setAccessible(true);
+        field.set(null, provider);
+    }
+}

core/src/test/java/org/apache/cxf/helpers/JavaUtilsTest.java

@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.helpers;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class JavaUtilsTest {
+
+    private boolean originalFipsEnabled;
+    private String originalFipsProvider;
+
+    @Before
+    public void saveFipsState() throws Exception {
+        originalFipsEnabled = JavaUtils.isFIPSEnabled();
+        originalFipsProvider = JavaUtils.getFIPSSecurityProvider();
+    }
+
+    @After
+    public void restoreFipsState() throws Exception {
+        FipsTestUtils.setFipsEnabled(originalFipsEnabled);
+        FipsTestUtils.setFipsProvider(originalFipsProvider);
+    }
+
+    @Test
+    public void testIsFIPSEnabledDefaultFalse() {
+        // Without the fips.enabled system property, FIPS should be disabled
+        assertFalse("FIPS should be disabled by default", JavaUtils.isFIPSEnabled());
+    }
+
+    @Test
+    public void testSetFIPSEnabled() throws Exception {
+        FipsTestUtils.setFipsEnabled(true);
+        assertTrue("FIPS should be enabled after setting the field", JavaUtils.isFIPSEnabled());
+
+        FipsTestUtils.setFipsEnabled(false);
+        assertFalse("FIPS should be disabled after clearing the field", JavaUtils.isFIPSEnabled());
+    }
+
+    @Test
+    public void testGetFIPSSecurityProviderDefault() {
+        // Without the fips.security.provider property, should return null
+        assertNull("FIPS security provider should be null by default",
+                   JavaUtils.getFIPSSecurityProvider());
+    }
+
+    @Test
+    public void testGetFIPSSecurityProviderCustom() throws Exception {
+        FipsTestUtils.setFipsProvider("BouncyCastleFIPS");
+        assertEquals("BouncyCastleFIPS", JavaUtils.getFIPSSecurityProvider());
+    }
+
+    @Test
+    public void testIsJavaKeyword() {
+        assertTrue(JavaUtils.isJavaKeyword("class"));
+        assertTrue(JavaUtils.isJavaKeyword("public"));
+        assertTrue(JavaUtils.isJavaKeyword("null"));
+        assertTrue(JavaUtils.isJavaKeyword("true"));
+        assertFalse(JavaUtils.isJavaKeyword("foo"));
+        assertFalse(JavaUtils.isJavaKeyword("Class"));
+    }
+
+    @Test
+    public void testMakeNonJavaKeyword() {
+        assertEquals("_class", JavaUtils.makeNonJavaKeyword("class"));
+        assertEquals("_public", JavaUtils.makeNonJavaKeyword("public"));
+    }
+}

parent/pom.xml

@@ -505,7 +505,6 @@
                             <server.launcher.vmargs>${cxf.server.launcher.vmargs}</server.launcher.vmargs>
                             <org.apache.cxf.transport.http.async.usePolicy>ASYNC_ONLY</org.apache.cxf.transport.http.async.usePolicy>
                             <org.apache.cxf.transport.websocket.atmosphere.disabled>${org.apache.cxf.transport.websocket.atmosphere.disabled}</org.apache.cxf.transport.websocket.atmosphere.disabled>
-                            <org.apache.xml.security.securerandom.algorithm>SHA1PRNG</org.apache.xml.security.securerandom.algorithm>
                         </systemPropertyVariables>
                     </configuration>
                 </plugin>
@@ -2358,6 +2357,10 @@
                         <artifactId>maven-surefire-plugin</artifactId>
                         <configuration>
                             <argLine>${cxf.jacoco.argLine} ${cxf.surefire.fork.vmargs} -D${cxf.jaxb.context.class.property}=${cxf.jaxb.context.class}</argLine>
+                            <systemPropertyVariables>
+                                 <!-- https://github.com/bcgit/bc-java/issues/589  -->
+                                 <jdk.tls.namedGroups>secp256r1,secp384r1,secp521r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp256k1,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192</jdk.tls.namedGroups>
+                            </systemPropertyVariables>
                         </configuration>
                     </plugin>
                 </plugins>
@@ -2375,5 +2378,38 @@
                 <cxf.checkstyle.version>12.3.1</cxf.checkstyle.version>
             </properties>
         </profile>
+        <profile>
+            <id>fips</id>
+            <activation>
+                <property>
+                    <name>fips.enabled</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <systemPropertyVariables>
+                                <org.apache.xml.security.securerandom.algorithm>PKCS11</org.apache.xml.security.securerandom.algorithm>
+                                <fips.enabled>true</fips.enabled>
+                            </systemPropertyVariables>
+                            <excludes>
+                                <!--fips: need to regenerate keys for systests/microprofile/client/weld tests which are out of CXF codebase-->
+                                <exclude>**/SslContextTest.java</exclude>
+                                <exclude>**/SslHostnameVerifierTest.java</exclude>
+                                <exclude>**/SslMutualTest.java</exclude>
+                                <exclude>**/SslTrustStoreTest.java</exclude>
+                                <!--fips: Kerberos are not supported on fips mode -->
+                                <exclude>**/JAXRSKerberosBookTest.java</exclude>
+                                <exclude>**/KerberosTokenTest.java</exclude>
+                                <exclude>**/SpnegoTokenTest.java</exclude>
+                            </excludes>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>

rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java

@@ -18,11 +18,22 @@
  */
 package org.apache.cxf.rs.security.httpsignature.utils;
 
+import org.apache.cxf.helpers.JavaUtils;
+
 public final class DefaultSignatureConstants {
     public static final String SIGNING_ALGORITHM = "rsa-sha256";
     public static final String DIGEST_ALGORITHM = "SHA-256";
-    public static final String SECURITY_PROVIDER = "SunRsaSign";
+    public static final String SECURITY_PROVIDER = getDefaultSecurityProvider();
 
     private DefaultSignatureConstants() { }
 
+    private static String getDefaultSecurityProvider() {
+        if (JavaUtils.isFIPSEnabled()) {
+            // Use the configured FIPS provider, or null to let the JCA framework
+            // select an appropriate provider automatically
+            return JavaUtils.getFIPSSecurityProvider();
+        }
+        return "SunRsaSign";
+    }
+
 }

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java

@@ -135,8 +135,9 @@ public final class JoseConstants extends RSSecurityConstants {
     public static final String RSSEC_ENCRYPTION_CONTENT_ALGORITHM = "rs.security.encryption.content.algorithm";
 
     /**
-     * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an
-     * RSA key, and 'A128GCMKW' if it is an octet sequence.
+     * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP'
+     * (or RSA-OAEP-256 in FIPS mode)
+     * if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.
      */
     public static final String RSSEC_ENCRYPTION_KEY_ALGORITHM = "rs.security.encryption.key.algorithm";
 

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java

@@ -43,6 +43,7 @@
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.PhaseInterceptorChain;
@@ -186,7 +187,7 @@ public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key
     }
     private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
         if (key instanceof RSAPublicKey) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
         } else if (key instanceof ECPublicKey) {
             return KeyAlgorithm.ECDH_ES_A128KW;
         } else {
@@ -195,7 +196,7 @@ private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
     }
     private static KeyAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
         if (key instanceof RSAPrivateKey) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
         } else if (key instanceof ECPrivateKey) {
             return KeyAlgorithm.ECDH_ES_A128KW;
         } else {
@@ -937,7 +938,7 @@ private static KeyAlgorithm getDefaultKeyAlgorithm(JsonWebKey jwk) {
         if (KeyType.OCTET == keyType) {
             return KeyAlgorithm.A128GCMKW;
         } else if (KeyType.RSA == keyType) {
-            return KeyAlgorithm.RSA_OAEP;
+            return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
         } else {
             return KeyAlgorithm.ECDH_ES_A128KW;
         }

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java

@@ -20,12 +20,14 @@
 
 import java.security.interfaces.RSAPrivateKey;
 
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
-        this(privateKey, KeyAlgorithm.RSA_OAEP);
+        this(privateKey, JavaUtils.isFIPSEnabled()
+             ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP);
     }
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {
         this(privateKey, supportedAlgo, true);
@@ -43,5 +45,9 @@ protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
         if (!AlgorithmUtils.isRsaKeyWrap(keyAlgo)) {
             reportInvalidKeyAlgorithm(keyAlgo);
         }
+        if (JavaUtils.isFIPSEnabled() && AlgorithmUtils.RSA1_5_ALGO.equals(keyAlgo)) {
+            LOG.warning("RSA1_5 key encryption algorithm is not allowed in FIPS mode");
+            reportInvalidKeyAlgorithm(keyAlgo);
+        }
     }
 }

rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java

@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.rs.security.jose.jwa;
 
+import org.apache.cxf.helpers.JavaUtils;
+
+import org.junit.Assume;
 import org.junit.Test;
 
 public abstract class JwaDecryptRfcConformanceTest extends AbstractDecryptTest {
@@ -39,16 +42,22 @@ public void testOctA128GcmJweJson() throws Exception {
 
     @Test
     public void testRsaOaepA128GcmJweCompact() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.compact.jwe");
     }
 
     @Test
     public void testRsaOaepA128GcmJweJsonFlattened() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.json.flattened.jwe");
     }
 
     @Test
     public void testRsaOaepA128GcmJweJson() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("/jwe/rsa.2048.rsa-oaep.a128gcm.json.jwe");
     }
 

rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java

@@ -18,8 +18,10 @@
  */
 package org.apache.cxf.rs.security.jose.jwa;
 
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.rs.security.jose.support.Serialization;
 
+import org.junit.Assume;
 import org.junit.Test;
 
 public abstract class JwaEncryptRfcConformanceTest extends AbstractEncryptTest {
@@ -41,16 +43,22 @@ public void testOctA128GcmJweJson() throws Exception {
 
     @Test
     public void testRsaOaepA128GcmJweCompact() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.COMPACT);
     }
 
     @Test
     public void testRsaOaepA128GcmJweJsonFlattened() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.FLATTENED);
     }
 
     @Test
     public void testRsaOaepA128GcmJweJson() throws Exception {
+        //fips: no RSA-OAEP support
+        Assume.assumeFalse(JavaUtils.isFIPSEnabled());
         test("RSA", "RSA-OAEP", "A128GCM", Serialization.JSON);
     }