Merge pull request #40211 from sberyozkin/bc_fips_test

Add another BouncyCastle FIPS test
quarkusio · Apr 24, 2024 · 4945eaa · 4945eaa
2 parents ea41b08 + 7d56d5d
commit 4945eaa
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/.../bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java b/.../bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java
@@ -1,13 +1,23 @@
 package io.quarkus.it.bouncycastle;
 
+import java.security.SecureRandom;
 import java.security.Security;
 import java.security.Signature;
 import java.util.Arrays;
 import java.util.stream.Collectors;
 
+import javax.crypto.KeyGenerator;
+
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.EntropySourceProvider;
+import org.bouncycastle.crypto.fips.FipsDRBG;
+import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
+import org.bouncycastle.crypto.util.BasicEntropySourceProvider;
+import org.bouncycastle.util.Strings;
+
 @Path("/jca")
 public class BouncyCastleFipsEndpoint {
 
@@ -26,4 +36,32 @@ public String checkSHA256withRSAandMGF1() throws Exception {
         Signature.getInstance("SHA256withRSAandMGF1", "BCFIPS");
         return "success";
     }
+
+    @GET
+    @Path("fipsmode")
+    public String confirmFipsMode() throws Exception {
+        // https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf
+
+        // Ensure that only approved algorithms and key sizes for FIPS-140-3.
+        CryptoServicesRegistrar.setApprovedOnlyMode(true);
+        // Set Secure Random to be compliant
+        EntropySourceProvider entSource = new BasicEntropySourceProvider(new SecureRandom(), true);
+        FipsDRBG.Builder drgbBldr = FipsDRBG.SHA512
+                .fromEntropySource(entSource)
+                .setSecurityStrength(256)
+                .setEntropyBitsRequired(256);
+        CryptoServicesRegistrar.setSecureRandom(drgbBldr.build(Strings.toByteArray("axs"), true));
+
+        // Validates FIPS Mode enabled and enforced correctly with Unapproved Key Generation
+        KeyGenerator keyGenerator = KeyGenerator.getInstance("HmacSHA512", "BCFIPS");
+
+        try {
+            keyGenerator.init(256);
+            return "HMAC SHA-512 initialization should not work when FIPS enabled.";
+        } catch (FipsUnapprovedOperationError ex) {
+            return "HMAC SHA-512 initialization does not work when FIPS enabled.";
+        } catch (Exception exception) {
+            return exception.getClass().getName();
+        }
+    }
 }
diff --git a/.../bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java b/.../bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java
@@ -30,4 +30,13 @@ public void testSHA256withRSAandMGF1() {
                 .body(equalTo("success"));
     }
 
+    @Test
+    public void testFipsMode() {
+        RestAssured.given()
+                .when()
+                .get("/jca/fipsmode")
+                .then()
+                .statusCode(200)
+                .body(equalTo("HMAC SHA-512 initialization does not work when FIPS enabled."));
+    }
 }