Merge pull request #2426 from kalaiyarasiganeshalingam/master

Add FIPS support

Author: arunans23

modules/commons/pom.xml

@@ -149,6 +149,10 @@
             <groupId>commons-pool</groupId>
             <artifactId>commons-pool</artifactId>
         </dependency>
+        <dependency>
+            <groupId>jaxen</groupId>
+            <artifactId>jaxen</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wso2.orbit.javax.activation</groupId>
             <artifactId>activation</artifactId>

modules/commons/src/main/java/org/apache/synapse/commons/crypto/CryptoUtil.java

@@ -18,6 +18,7 @@
 package org.apache.synapse.commons.crypto;
 
 import org.apache.axis2.AxisFault;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.securevault.CipherFactory;
@@ -43,6 +44,7 @@ public class CryptoUtil {
     private EncodeDecodeTypes inType = null;
     private EncodeDecodeTypes outType = null;
     private String algorithm = null;
+    private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
 
     /**
      * Public constructor
@@ -106,19 +108,7 @@ public void init(Properties secureVaultProperties) throws AxisFault {
         cipherInformation.setInType(null); //skipping decoding encoding in securevault
         cipherInformation.setOutType(null); //skipping decoding encoding in securevault
         if (provider != null && !provider.isEmpty()) {
-            String providerClass;
-            if (CryptoConstants.BOUNCY_CASTLE_PROVIDER.equals(provider)) {
-                providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
-            } else if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(provider)) {
-                providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
-            } else {
-                throw new AxisFault("Unsupported JCE Provider: " + provider);
-            }
-            try {
-                Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
-            } catch (Exception e) {
-                throw new AxisFault("Error while initializing the JCE Provider: " + provider, e);
-            }
+            addProvider(provider);
             cipherInformation.setProvider(provider);
             //todo need to add other providers if there are any.
         }
@@ -148,4 +138,20 @@ public boolean isInitialized() {
         return isInitialized;
     }
 
+    private static void addProvider(String jceProvider) throws AxisFault {
+        if (StringUtils.isEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
+            String providerClass;
+            if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(jceProvider)) {
+                providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
+            } else {
+                providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
+            }
+            try {
+                Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
+            } catch (Exception e) {
+                throw new AxisFault("Error while initializing the JCE provider: " + providerClass, e);
+            }
+        }
+    }
+
 }

modules/core/src/main/java/org/apache/synapse/message/store/impl/rabbitmq/RabbitMQStore.java

@@ -84,6 +84,8 @@ public class RabbitMQStore extends AbstractMessageStore {
     public static final String SSL_TRUSTSTORE_TYPE = "rabbitmq.connection.ssl.truststore.type";
     public static final String SSL_TRUSTSTORE_PASSWORD = "rabbitmq.connection.ssl.truststore.password";
     public static final String SSL_VERSION = "rabbitmq.connection.ssl.version";
+    private static final String PKIX = "PKIX";
+    private static final String JCE_PROVIDER = "security.jce.provider";
 
     public static final String AMQ_PREFIX = "amq.";
 
@@ -214,15 +216,14 @@ private void setSSL(boolean sslEnabled) {
                     KeyStore ks = KeyStore.getInstance(keyStoreType);
                     ks.load(new FileInputStream(keyStoreLocation), keyPassphrase);
 
-                    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                    KeyManagerFactory kmf = KeyManagerFactory.getInstance(getKeyManagerType());
                     kmf.init(ks, keyPassphrase);
 
                     char[] trustPassphrase = trustStorePassword.toCharArray();
                     KeyStore tks = KeyStore.getInstance(trustStoreType);
                     tks.load(new FileInputStream(trustStoreLocation), trustPassphrase);
 
-                    TrustManagerFactory tmf = TrustManagerFactory
-                            .getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                    TrustManagerFactory tmf = TrustManagerFactory.getInstance(getTrustManagerType());
                     tmf.init(tks);
 
                     SSLContext c = SSLContext.getInstance(sslVersion);
@@ -477,4 +478,20 @@ public MessageContext get(String messageId) {
     private String nameString() {
         return "Store [" + getName() + "]";
     }
+
+    private static String getTrustManagerType() {
+        String provider = System.getProperty(JCE_PROVIDER);
+        if (StringUtils.isNotEmpty(provider)) {
+            return PKIX;
+        }
+        return TrustManagerFactory.getDefaultAlgorithm();
+    }
+
+    private static String getKeyManagerType() {
+        String provider = System.getProperty(JCE_PROVIDER);
+        if (StringUtils.isNotEmpty(provider)) {
+            return PKIX;
+        }
+        return KeyManagerFactory.getDefaultAlgorithm();
+    }
 }

modules/core/src/main/java/org/apache/synapse/util/xpath/DecryptFunction.java

@@ -15,6 +15,7 @@
  */
 package org.apache.synapse.util.xpath;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jaxen.Context;
@@ -44,7 +45,10 @@ public class DecryptFunction implements Function {
     private static final Log log = LogFactory.getLog(DecryptFunction.class);
     private static final String DEFAULT_ALGORITHM = "RSA";
     private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
-    private static Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
+    private static final Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
+    private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
+    private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
+    public static final String BCFKS = "BCFKS";
 
     @Override
     public Object call(Context context, List args) throws FunctionCallException {
@@ -62,7 +66,7 @@ public Object call(Context context, List args) throws FunctionCallException {
             String keyStore = StringFunction.evaluate(args.get(1), context.getNavigator());
             String keyStorePassword = StringFunction.evaluate(args.get(2), context.getNavigator());
             String keyStoreAlias = StringFunction.evaluate(args.get(3), context.getNavigator());
-            return decrypt(encryptedText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, DEFAULT_KEYSTORE_TYPE,
+            return decrypt(encryptedText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, getKeyType(),
                         DEFAULT_ALGORITHM);
         }
         if (size == 5) {
@@ -132,4 +136,13 @@ private Cipher getCipherInstance(String algorithm) throws NoSuchPaddingException
         }
         return cipherInstance;
     }
+
+    private static String getKeyType() {
+        String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
+        if (StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
+            return StringUtils.isNotEmpty(keyType) ? keyType : BCFKS;
+        } else {
+            return StringUtils.isNotEmpty(keyType) ? keyType : DEFAULT_KEYSTORE_TYPE;
+        }
+    }
 }

modules/core/src/main/java/org/apache/synapse/util/xpath/EncryptFunction.java

@@ -15,6 +15,7 @@
  */
 package org.apache.synapse.util.xpath;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jaxen.Context;
@@ -43,7 +44,10 @@ public class EncryptFunction implements Function {
     private static final Log log = LogFactory.getLog(EncryptFunction.class);
     private static final String DEFAULT_ALGORITHM = "RSA";
     private static final String DEFAULT_KEYSTORE_TYPE ="JKS";
-    private static Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
+    private static final Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
+    private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
+    private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
+    public static final String BCFKS = "BCFKS";
 
     @Override
     public Object call(Context context, List args) throws FunctionCallException {
@@ -61,7 +65,7 @@ public Object call(Context context, List args) throws FunctionCallException {
             String keyStore = StringFunction.evaluate(args.get(1), context.getNavigator());
             String keyStorePassword = StringFunction.evaluate(args.get(2), context.getNavigator());
             String keyStoreAlias = StringFunction.evaluate(args.get(3), context.getNavigator());
-            return encrypt(plainText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, DEFAULT_KEYSTORE_TYPE,
+            return encrypt(plainText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, getKeyType(),
                         DEFAULT_ALGORITHM);
         }
         if (size == 5) {
@@ -131,4 +135,13 @@ private Cipher getCipherInstance(String algorithm) throws NoSuchPaddingException
         }
         return cipherInstance;
     }
+
+    private static String getKeyType() {
+        String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
+        if (StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
+            return StringUtils.isNotEmpty(keyType) ? keyType : BCFKS;
+        } else {
+            return StringUtils.isNotEmpty(keyType) ? keyType : DEFAULT_KEYSTORE_TYPE;
+        }
+    }
 }

modules/extensions/src/main/java/org/apache/synapse/mediators/opa/OPAClient.java

@@ -19,6 +19,7 @@
 package org.apache.synapse.mediators.opa;
 
 import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.HttpEntity;
@@ -69,6 +70,10 @@ public class OPAClient {
     private int connectionTimeout = 30;
 
     private CloseableHttpClient httpClient = null;
+    private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
+    private static final String DEFAULT_KEYSTORE_TYPE ="JKS";
+    private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
+    public static final String BCFKS = "BCFKS";
 
     public OPAClient(String url, Map<String, String> additionalParameters) throws OPASecurityException {
 
@@ -191,7 +196,7 @@ private PoolingHttpClientConnectionManager getPoolingHttpClientConnectionManager
             String trustStoreLocation = System.getProperty(OPAConstants.TRUST_STORE_LOCATION_SYSTEM_PROPERTY);
             File trustStoreFile = new File(trustStoreLocation);
             try (InputStream localTrustStoreStream = new FileInputStream(trustStoreFile)) {
-                KeyStore trustStore = KeyStore.getInstance("JKS");
+                KeyStore trustStore = KeyStore.getInstance(getKeyType());
                 trustStore.load(localTrustStoreStream, trustStorePassword);
                 SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStore).build();
 
@@ -251,4 +256,15 @@ public CloseableHttpClient createHttpClient(String url) throws OPASecurityExcept
 
         return HttpClients.custom().setConnectionManager(pool).setDefaultRequestConfig(params).build();
     }
+
+    private static String getKeyType() {
+        String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
+        if (StringUtils.isNotEmpty(keyType)) {
+            return keyType;
+        }
+        if (System.getProperty(SECURITY_JCE_PROVIDER) != null) {
+            return BCFKS;
+        }
+        return DEFAULT_KEYSTORE_TYPE;
+    }
 }

modules/securevault/src/main/java/org/apache/synapse/securevault/definition/IdentityKeyStoreInformation.java

@@ -18,6 +18,7 @@
 */
 package org.apache.synapse.securevault.definition;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.synapse.securevault.secret.SecretInformation;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -30,6 +31,8 @@ public class IdentityKeyStoreInformation extends KeyStoreInformation {
 
     /* Password for access private key*/
     private SecretInformation keyPasswordProvider;
+    private static final String PKIX = "PKIX";
+    private static final String JCE_PROVIDER = "security.jce.provider";
 
     public void setKeyPasswordProvider(SecretInformation keyPasswordProvider) {
         this.keyPasswordProvider = keyPasswordProvider;
@@ -48,8 +51,7 @@ public KeyManagerFactory getIdentityKeyManagerFactoryInstance() {
             }
 
             KeyStore keyStore = this.getIdentityKeyStore();
-            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
-                    KeyManagerFactory.getDefaultAlgorithm());
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(getManagerType());
             keyManagerFactory.init(keyStore, keyPasswordProvider.getResolvedSecret().toCharArray());
 
             return keyManagerFactory;
@@ -72,4 +74,13 @@ public KeyStore getIdentityKeyStore() {
     public SecretInformation getKeyPasswordProvider() {
         return keyPasswordProvider;
     }
+
+    private static String getManagerType() {
+        String provider = System.getProperty(JCE_PROVIDER);
+        if (StringUtils.isNotEmpty(provider)) {
+            return PKIX;
+        } else {
+            return KeyManagerFactory.getDefaultAlgorithm();
+        }
+    }
 }

modules/securevault/src/main/java/org/apache/synapse/securevault/definition/TrustKeyStoreInformation.java

@@ -18,6 +18,8 @@
 */
 package org.apache.synapse.securevault.definition;
 
+import org.apache.commons.lang.StringUtils;
+
 import javax.net.ssl.TrustManagerFactory;
 import java.security.KeyStore;
 
@@ -26,6 +28,9 @@
  */
 public class TrustKeyStoreInformation extends KeyStoreInformation {
 
+    private static final String PKIX = "PKIX";
+    private static final String JCE_PROVIDER = "security.jce.provider";
+
     /**
      * Returns the TrustManagerFactory instance
      *
@@ -38,8 +43,7 @@ public TrustManagerFactory getTrustManagerFactoryInstance() {
                 log.debug("Creating a TrustManagerFactory instance");
             }
             KeyStore trustStore = this.getTrustStore();
-            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
-                    TrustManagerFactory.getDefaultAlgorithm());
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getManagerType());
             trustManagerFactory.init(trustStore);
 
             return trustManagerFactory;
@@ -60,4 +64,11 @@ public KeyStore getTrustStore() {
 
     }
 
+    private static String getManagerType() {
+        String provider = System.getProperty(JCE_PROVIDER);
+        if (StringUtils.isNotEmpty(provider)) {
+            return PKIX;
+        }
+        return TrustManagerFactory.getDefaultAlgorithm();
+    }
 }

modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/certificatevalidation/ocsp/OCSPVerifier.java

@@ -18,6 +18,7 @@
  */
 package org.apache.synapse.transport.certificatevalidation.ocsp;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.HttpResponse;
@@ -27,6 +28,7 @@
 import org.apache.http.entity.ContentType;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.synapse.commons.crypto.CryptoConstants;
 import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
 import org.apache.synapse.transport.certificatevalidation.Constants;
 import org.apache.synapse.transport.certificatevalidation.RevocationStatus;
@@ -79,7 +81,7 @@ public OCSPVerifier(OCSPCache cache) {
     public static final String ACCEPT_TYPE = "Accept";
     public static final String OCSP_REQUEST_TYPE = "application/ocsp-request";
     public static final String OCSP_RESPONSE_TYPE = "application/ocsp-response";
-
+    private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
 
     /**
      * Gets the revocation status (Good, Revoked or Unknown) of the given peer certificate.
@@ -201,20 +203,7 @@ protected OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws Ce
     private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
             throws CertificateVerificationException {
         String jceProvider = getPreferredJceProvider();
-        String providerClass;
-        if (jceProvider.equals(Constants.BOUNCY_CASTLE_PROVIDER)) {
-            providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
-        } else if (jceProvider.equals(Constants.BOUNCY_CASTLE_FIPS_PROVIDER)) {
-            providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
-        } else {
-            throw new CertificateVerificationException("Unsupported JCE provider: " + jceProvider);
-        }
-        try {
-            Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
-        } catch (Exception e) {
-            throw new CertificateVerificationException("Error while initializing the JCE provider: "
-                    + providerClass, e);
-        }
+        addProvider(jceProvider);
 
         try {
 
@@ -299,4 +288,21 @@ private static String getPreferredJceProvider() {
         }
         return Constants.BOUNCY_CASTLE_PROVIDER;
     }
+
+    public static void addProvider(String jceProvider) throws CertificateVerificationException {
+        if (StringUtils.isEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
+            String providerClass;
+            if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(jceProvider)) {
+                providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
+            } else {
+                providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
+            }
+            try {
+                Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
+            } catch (Exception e) {
+                throw new CertificateVerificationException("Error while initializing the JCE provider: " +
+                        providerClass, e);
+            }
+        }
+    }
 }