From 7d56d5d3368af89252f88bff0089080e3c3c6276 Mon Sep 17 00:00:00 2001 From: Sergey Beryozkin Date: Tue, 23 Apr 2024 11:18:23 +0100 Subject: [PATCH] Add another BouncyCastle FIPS test --- .../BouncyCastleFipsEndpoint.java | 38 +++++++++++++++++++ .../BouncyCastleFipsTestCase.java | 9 +++++ 2 files changed, 47 insertions(+) diff --git a/integration-tests/bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java b/integration-tests/bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java index b1b2024b8208d..8945e0e42c0fd 100644 --- a/integration-tests/bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java +++ b/integration-tests/bouncycastle-fips/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleFipsEndpoint.java @@ -1,13 +1,23 @@ package io.quarkus.it.bouncycastle; +import java.security.SecureRandom; import java.security.Security; import java.security.Signature; import java.util.Arrays; import java.util.stream.Collectors; +import javax.crypto.KeyGenerator; + import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; +import org.bouncycastle.crypto.CryptoServicesRegistrar; +import org.bouncycastle.crypto.EntropySourceProvider; +import org.bouncycastle.crypto.fips.FipsDRBG; +import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError; +import org.bouncycastle.crypto.util.BasicEntropySourceProvider; +import org.bouncycastle.util.Strings; + @Path("/jca") public class BouncyCastleFipsEndpoint { @@ -26,4 +36,32 @@ public String checkSHA256withRSAandMGF1() throws Exception { Signature.getInstance("SHA256withRSAandMGF1", "BCFIPS"); return "success"; } + + @GET + @Path("fipsmode") + public String confirmFipsMode() throws Exception { + // https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf + + // Ensure that only approved algorithms and key sizes for FIPS-140-3. + CryptoServicesRegistrar.setApprovedOnlyMode(true); + // Set Secure Random to be compliant + EntropySourceProvider entSource = new BasicEntropySourceProvider(new SecureRandom(), true); + FipsDRBG.Builder drgbBldr = FipsDRBG.SHA512 + .fromEntropySource(entSource) + .setSecurityStrength(256) + .setEntropyBitsRequired(256); + CryptoServicesRegistrar.setSecureRandom(drgbBldr.build(Strings.toByteArray("axs"), true)); + + // Validates FIPS Mode enabled and enforced correctly with Unapproved Key Generation + KeyGenerator keyGenerator = KeyGenerator.getInstance("HmacSHA512", "BCFIPS"); + + try { + keyGenerator.init(256); + return "HMAC SHA-512 initialization should not work when FIPS enabled."; + } catch (FipsUnapprovedOperationError ex) { + return "HMAC SHA-512 initialization does not work when FIPS enabled."; + } catch (Exception exception) { + return exception.getClass().getName(); + } + } } diff --git a/integration-tests/bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java b/integration-tests/bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java index fed961e576198..ceb9d46c65335 100644 --- a/integration-tests/bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java +++ b/integration-tests/bouncycastle-fips/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleFipsTestCase.java @@ -30,4 +30,13 @@ public void testSHA256withRSAandMGF1() { .body(equalTo("success")); } + @Test + public void testFipsMode() { + RestAssured.given() + .when() + .get("/jca/fipsmode") + .then() + .statusCode(200) + .body(equalTo("HMAC SHA-512 initialization does not work when FIPS enabled.")); + } }