diff --git a/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java b/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java index 725ae1dbecc4..ffd507fca5d1 100644 --- a/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java +++ b/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java @@ -18,6 +18,9 @@ public class FipsUtils { + public static boolean isFIPSEnabled = false; + public static boolean fipsChecked = false; + private static final TraceComponent tc = Tr.register(FipsUtils.class); static String FIPSLevel = getFipsLevel(); @@ -29,7 +32,8 @@ static String getFipsLevel() { String fipsLevel = AccessController.doPrivileged(new PrivilegedAction() { @Override public String run() { - return System.getProperty("com.ibm.fips.mode"); + String propertyValue = System.getProperty("com.ibm.fips.mode"); + return (propertyValue == null) ? "disabled" : propertyValue.trim().toLowerCase(); } }); return fipsLevel; @@ -44,6 +48,25 @@ public static boolean isFips140_3Enabled() { } } + public static boolean isFips140_2Enabled() { + //TODO remove beta check + if (unitTest) { + return "140-2".equals(FIPSLevel); + } else { + return isRunningBetaMode() && "140-2".equals(FIPSLevel); + } + } + + public static boolean isFIPSEnabled() { + if (fipsChecked) { + return isFIPSEnabled; + } else { + isFIPSEnabled = isFips140_2Enabled() || isFips140_3Enabled(); + fipsChecked = true; + return isFIPSEnabled; + } + } + //TODO remove beta check static boolean isRunningBetaMode() { return ProductInfo.getBetaEdition(); diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/bnd.bnd b/dev/com.ibm.ws.crypto.ltpakeyutil/bnd.bnd index 949227119994..9806c0a306da 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/bnd.bnd +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/bnd.bnd @@ -37,7 +37,8 @@ Service-Component:\ com.ibm.ws.logging;version=latest, \ com.ibm.ws.kernel.service;version=latest, \ com.ibm.ws.kernel.boot.core;version=latest, \ - com.ibm.ws.org.osgi.annotation.versioning;version=latest + com.ibm.ws.org.osgi.annotation.versioning;version=latest, \ + com.ibm.ws.crypto.common;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file, \ @@ -48,5 +49,6 @@ Service-Component:\ com.ibm.ws.logging;version=latest, \ com.ibm.ws.kernel.boot.common;version=latest, \ com.ibm.ws.kernel.boot.logging;version=latest, \ - com.ibm.ws.kernel.security.thread;version=latest + com.ibm.ws.kernel.security.thread;version=latest, \ + com.ibm.ws.crypto.common;version=latest diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/KeyEncryptor.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/KeyEncryptor.java index a87374acdff3..66b0bfd24ad8 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/KeyEncryptor.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/KeyEncryptor.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 1997, 2011 IBM Corporation and others. + * Copyright (c) 1997, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -14,16 +14,19 @@ import java.security.MessageDigest; +import com.ibm.ws.crypto.common.FipsUtils; + /** * A package local class for performing encryption and decryption of keys * based on admin's password */ public class KeyEncryptor { - private static final String MESSAGE_DIGEST_ALGORITHM = "SHA"; - private static final String DES_ECB_CIPHER = "DESede/ECB/PKCS5Padding"; - - private final byte[] desKey; + private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); + private static final int size = (isFIPSEnabled ? 32 : 24); + private static final String MESSAGE_DIGEST_ALGORITHM = (isFIPSEnabled ? "SHA-256" : "SHA"); + private static final String CIPHER = (isFIPSEnabled ? "AES/GCM/NoPadding" : "DESede/ECB/PKCS5Padding"); + private final byte[] key; /** * A KeyEncryptor constructor. @@ -33,12 +36,14 @@ public class KeyEncryptor { public KeyEncryptor(byte[] password) throws Exception { MessageDigest md = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM); byte[] digest = md.digest(password); - desKey = new byte[24]; - System.arraycopy(digest, 0, desKey, 0, digest.length); - desKey[20] = (byte) 0x00; - desKey[21] = (byte) 0x00; - desKey[22] = (byte) 0x00; - desKey[23] = (byte) 0x00; + key = new byte[size]; + System.arraycopy(digest, 0, key, 0, digest.length); + if (!isFIPSEnabled) { + key[20] = (byte) 0x00; + key[21] = (byte) 0x00; + key[22] = (byte) 0x00; + key[23] = (byte) 0x00; + } } /** @@ -48,10 +53,16 @@ public KeyEncryptor(byte[] password) throws Exception { * @return The decrypted key */ public byte[] decrypt(byte[] encryptedKey) throws Exception { - return LTPACrypto.decrypt(encryptedKey, desKey, DES_ECB_CIPHER); + return LTPACrypto.decrypt(encryptedKey, key, CIPHER); } + /** + * Encrypt the key + * + * @param key The key + * @return The encrypted key + */ public byte[] encrypt(byte[] key) throws Exception { - return LTPACrypto.encrypt(key, desKey, DES_ECB_CIPHER); + return LTPACrypto.encrypt(key, this.key, CIPHER); } } diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPACrypto.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPACrypto.java index 974fd0144227..6c86a8237ed1 100755 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPACrypto.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPACrypto.java @@ -38,19 +38,24 @@ import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESedeKeySpec; +import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; import com.ibm.websphere.ras.annotation.Trivial; +import com.ibm.ws.crypto.common.FipsUtils; final class LTPACrypto { + private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); + private static final TraceComponent tc = Tr.register(LTPACrypto.class); private static final String IBMJCE_NAME = "IBMJCE"; private static final String IBMJCE_PLUS_FIPS_NAME = "IBMJCEPlusFIPS"; private static final String OPENJCE_PLUS_NAME = "OpenJCEPlus"; + private static final String OPENJCE_PLUS_FIPS_NAME = "OpenJCEPlusFIPS"; private static final String provider = getProvider(); private static final String SIGNATURE_ALGORITHM_SHA1WITHRSA = "SHA1withRSA"; @@ -63,6 +68,9 @@ final class LTPACrypto { private static final String ENCRYPT_ALGORITHM_RSA = "RSA"; private static final String encryptAlgorithm = getEncryptionAlgorithm(); + public static RSAPublicKey rsaPubKey; + public static RSAPrivateCrtKey rsaPrivKey; + private static int MAX_CACHE = 500; private static IvParameterSpec ivs8 = null; private static IvParameterSpec ivs16 = null; @@ -637,21 +645,26 @@ private static Cipher createCipher(int cipherMode, byte[] key, String cipher, Se ci = (provider == null) ? Cipher.getInstance(cipher) : Cipher.getInstance(cipher, provider); if (cipher.indexOf("ECB") == -1) { - if (cipher.indexOf("AES") != -1) { - if (ivs16 == null) { - setIVS16(key); - } - ci.init(cipherMode, sKey, ivs16); - } else { - if (ivs8 == null) { - setIVS8(key); - } - ci.init(cipherMode, sKey, ivs8); - } - } else { - ci.init(cipherMode, sKey); - } - return ci; + if (cipher.indexOf("GCM") != -1) { + byte[] iv = new byte[12]; + GCMParameterSpec params = new GCMParameterSpec(128, iv); + System.out.println("using GCM spec"); + ci.init(cipherMode, sKey, params); + } else if (cipher.indexOf("AES") != -1) { + if (ivs16 == null) { + setIVS16(key); + } + ci.init(cipherMode, sKey, ivs16); + } else { + if (ivs8 == null) { + setIVS8(key); + } + ci.init(cipherMode, sKey, ivs8); + } + } else { + ci.init(cipherMode, sKey); + } + return ci; } /** @@ -1159,14 +1172,19 @@ static final byte[][] rsaKey(int len, boolean crt, boolean f4) { } private static String getProvider() { - String provider = null; - if (LTPAKeyUtil.isFIPSEnabled() && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { - provider = IBMJCE_PLUS_FIPS_NAME; - } else if (LTPAKeyUtil.isIBMJCEAvailable()) { - provider = IBMJCE_NAME; - } else if (LTPAKeyUtil.isZOSandRunningJava11orHigher() && LTPAKeyUtil.isOpenJCEPlusAvailable()) { - provider = OPENJCE_PLUS_NAME; - } + String provider = null; + if (isFIPSEnabled && LTPAKeyUtil.isOpenJCEPlusFIPSAvailable()) { + provider = OPENJCE_PLUS_FIPS_NAME; + } + else if (isFIPSEnabled && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { + provider = IBMJCE_PLUS_FIPS_NAME; + } + else if (LTPAKeyUtil.isZOSandRunningJava11orHigher() && LTPAKeyUtil.isOpenJCEPlusAvailable()) { + provider = OPENJCE_PLUS_NAME; + } + else if (LTPAKeyUtil.isIBMJCEAvailable()) { + provider = IBMJCE_NAME; + } if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { if (provider == null) { Tr.debug(tc, "getProvider" + " Provider configured by JDK"); @@ -1178,14 +1196,14 @@ private static String getProvider() { } private static String getSignatureAlgorithm() { - if (LTPAKeyUtil.isFIPSEnabled() && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) + if (isFIPSEnabled && (LTPAKeyUtil.isOpenJCEPlusFIPSAvailable() || LTPAKeyUtil.isIBMJCEPlusFIPSAvailable())) return SIGNATURE_ALGORITHM_SHA256WITHRSA; else return SIGNATURE_ALGORITHM_SHA1WITHRSA; } private static String getEncryptionAlgorithm() { - if (LTPAKeyUtil.isFIPSEnabled() && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) + if (isFIPSEnabled && (LTPAKeyUtil.isOpenJCEPlusFIPSAvailable() || LTPAKeyUtil.isIBMJCEPlusFIPSAvailable())) return ENCRYPT_ALGORITHM_RSA; else return ENCRYPT_ALGORITHM_DESEDE; diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPADigSignature.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPADigSignature.java index 9cc4c02398cd..51899dbde941 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPADigSignature.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPADigSignature.java @@ -16,8 +16,13 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; +import com.ibm.ws.crypto.common.FipsUtils; + final class LTPADigSignature { + static boolean isFipsEnabled = FipsUtils.isFIPSEnabled(); + static int keySize = (isFipsEnabled ? 256 : 128); + static byte[][] testRawPubKey = null; static byte[][] testRawPrivKey = null; static MessageDigest md1 = null; @@ -27,14 +32,19 @@ final class LTPADigSignature { static { try { - if (LTPAKeyUtil.isFIPSEnabled() && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { - md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, - LTPAKeyUtil.IBMJCE_PLUS_FIPS_NAME); - } else if (LTPAKeyUtil.isIBMJCEAvailable()) { - md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA, LTPAKeyUtil.IBMJCE_NAME); - } else { - md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA); - } + if (isFipsEnabled && LTPAKeyUtil.isOpenJCEPlusFIPSAvailable()) { + md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, + LTPAKeyUtil.OPENJCE_PLUS_FIPS_NAME); + } else if (isFipsEnabled && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { + md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, + LTPAKeyUtil.IBMJCE_PLUS_FIPS_NAME); + } else if (LTPAKeyUtil.isOpenJCEPlusAvailable()) { + md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA, LTPAKeyUtil.OPENJCE_PLUS_NAME); + } else if (LTPAKeyUtil.isIBMJCEAvailable()) { + md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA, LTPAKeyUtil.IBMJCE_NAME); + } else { + md1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA); + } } catch (NoSuchAlgorithmException e) { // instrumented ffdc @@ -48,7 +58,7 @@ public LTPADigSignature() { } static void generateRSAKeys(byte[][] rsaPubKey, byte[][] rsaPrivKey) { - byte[][] rsaKey = LTPACrypto.rsaKey(128, true, true); // 64 is 512, 128 + byte[][] rsaKey = LTPACrypto.rsaKey(keySize, true, true); // 64 is 512, 128 // is 1024 rsaPrivKey[0] = rsaKey[0]; diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyUtil.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyUtil.java index eef78304639b..fc89dd1fcdcb 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyUtil.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyUtil.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2016, 2023 IBM Corporation and others. + * Copyright (c) 2016, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -14,9 +14,12 @@ import java.security.AccessController; import java.security.PrivilegedAction; +import java.security.interfaces.RSAPrivateCrtKey; +import java.security.interfaces.RSAPublicKey; import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; +import com.ibm.ws.crypto.common.FipsUtils; import com.ibm.ws.kernel.productinfo.ProductInfo; import com.ibm.ws.kernel.service.util.JavaInfo; @@ -24,11 +27,15 @@ public final class LTPAKeyUtil { private static final TraceComponent tc = Tr.register(LTPAKeyUtil.class); public static boolean ibmJCEAvailable = false; - public static boolean ibmJCEPlusFIPSAvailable = false; - public static boolean openJCEPlusAvailable = false; - public static boolean ibmJCEProviderChecked = false; - public static boolean ibmJCEPlusFIPSProviderChecked = false; - public static boolean openJCEPlusProviderChecked = false; + public static boolean ibmJCEPlusFIPSAvailable = false; + public static boolean openJCEPlusAvailable = false; + public static boolean openJCEPlusFIPSAvailable = false; + public static boolean ibmJCEProviderChecked = false; + public static boolean ibmJCEPlusFIPSProviderChecked = false; + public static boolean openJCEPlusProviderChecked = false; + public static boolean openJCEPlusFIPSProviderChecked = false; + + public static boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); public static boolean javaVersionChecked = false; public static boolean isJava11orHigher = false; @@ -41,14 +48,17 @@ public final class LTPAKeyUtil { public static boolean osVersionChecked = false; public static String IBMJCE_PROVIDER = "com.ibm.crypto.provider.IBMJCE"; - public static String IBMJCE_PLUS_FIPS_PROVIDER = "com.ibm.crypto.provider.IBMJCEPlusFIPS"; - public static String OPENJCE_PLUS_PROVIDER = "com.ibm.crypto.plus.provider.OpenJCEPlus"; + public static String IBMJCE_PLUS_FIPS_PROVIDER = "com.ibm.crypto.provider.IBMJCEPlusFIPS"; + public static String OPENJCE_PLUS_PROVIDER = "com.ibm.crypto.plus.provider.OpenJCEPlus"; + public static String OPENJCE_PLUS_FIPS_PROVIDER = "com.ibm.crypto.plus.provider.OpenJCEPlusFIPS"; public static final String MESSAGE_DIGEST_ALGORITHM_SHA = "SHA"; - public static final String MESSAGE_DIGEST_ALGORITHM_SHA256 = "SHA256"; + public static final String MESSAGE_DIGEST_ALGORITHM_SHA256 = "SHA-256"; public static final String IBMJCE_NAME = "IBMJCE"; - public static final String IBMJCE_PLUS_FIPS_NAME = "IBMJCEPlusFIPS"; + public static final String IBMJCE_PLUS_FIPS_NAME = "IBMJCEPlusFIPS"; + public static final String OPENJCE_PLUS_NAME = "OpenJCEPlus"; + public static final String OPENJCE_PLUS_FIPS_NAME = "OpenJCEPlusFIPS"; private static boolean issuedBetaMessage = false; @@ -99,37 +109,59 @@ public static boolean isIBMJCEAvailable() { } } - public static boolean isIBMJCEPlusFIPSAvailable() { - if (ibmJCEPlusFIPSProviderChecked) { - return ibmJCEPlusFIPSAvailable; - } else { - String ibmjceplusfipsprovider = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public String run() { - return System.getProperty("com.ibm.jsse2.usefipsProviderName"); - } - }); - ibmJCEPlusFIPSProviderChecked = true; - if (isRunningBetaMode() && "IBMJCEPlusFIPS".equalsIgnoreCase(ibmjceplusfipsprovider)) { - ibmJCEPlusFIPSAvailable = true; - return ibmJCEPlusFIPSAvailable; + public static boolean isIBMJCEPlusFIPSAvailable() { + if (ibmJCEPlusFIPSProviderChecked) { + return ibmJCEPlusFIPSAvailable; + } else { + ibmJCEPlusFIPSAvailable = JavaInfo.isSystemClassAvailable(IBMJCE_PLUS_FIPS_PROVIDER); + ibmJCEPlusFIPSProviderChecked = true; + + if (isRunningBetaMode() && ibmJCEPlusFIPSAvailable) { + ibmJCEPlusFIPSAvailable = true; } else { - if (isFIPSEnabled()) { - // UTLE TODO: error msg - FIPS is enabled but the IBMJCEPlusFIPS is not - // available - } - return false; - } - } + if (isFIPSEnabled) { + Tr.error(tc, "FIPS is enabled but the IBMJCEPlusFIPS provider is not available."); + } + ibmJCEPlusFIPSAvailable = false; + } + return ibmJCEPlusFIPSAvailable; + } + } + public static boolean isOpenJCEPlusAvailable() { + if (openJCEPlusProviderChecked) { + return openJCEPlusAvailable; + } else { + openJCEPlusAvailable = JavaInfo.isSystemClassAvailable(OPENJCE_PLUS_PROVIDER); + openJCEPlusProviderChecked = true; + return openJCEPlusAvailable; + } } + public static boolean isOpenJCEPlusFIPSAvailable() { + if (openJCEPlusFIPSProviderChecked) { + return openJCEPlusFIPSAvailable; + } else { + openJCEPlusFIPSAvailable = JavaInfo.isSystemClassAvailable(OPENJCE_PLUS_FIPS_PROVIDER); + openJCEPlusFIPSProviderChecked = true; + + if (isRunningBetaMode() && openJCEPlusFIPSAvailable) { + openJCEPlusFIPSAvailable = true; + } else { + if (isFIPSEnabled) { + Tr.error(tc, "FIPS is enabled but the OpenJCEPlusFIPS provider is not available."); + } + openJCEPlusFIPSAvailable = false; + } + return openJCEPlusFIPSAvailable; + } + } + static boolean isRunningBetaMode() { if (!ProductInfo.getBetaEdition()) { return false; } else { - // Running beta exception, issue message if we haven't already issued one for - // this class + // Running beta exception, issue message if we haven't already issued one for this class if (!issuedBetaMessage) { Tr.info(tc, "BETA: A beta method has been invoked for the class LTPAKeyUtil for the first time."); issuedBetaMessage = !issuedBetaMessage; @@ -138,31 +170,6 @@ static boolean isRunningBetaMode() { } } - public static boolean isFIPSEnabled() { - String fipsON = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public String run() { - return System.getProperty("com.ibm.jsse2.usefipsprovider"); - } - }); - if (fipsON == "true") { - return true; - } else { - return false; - } - } - - public static boolean isOpenJCEPlusAvailable() { - if (openJCEPlusProviderChecked) { - return openJCEPlusAvailable; - } else { - openJCEPlusAvailable = JavaInfo.isSystemClassAvailable(OPENJCE_PLUS_PROVIDER); - openJCEPlusProviderChecked = true; - return openJCEPlusAvailable; - } - - } - private static boolean isJava11orHigher() { if (javaVersionChecked) { return isJava11orHigher; diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPrivateKey.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPrivateKey.java index 2430fb9019fb..7c731c58b175 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPrivateKey.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPrivateKey.java @@ -14,11 +14,14 @@ import java.security.PrivateKey; +import com.ibm.ws.crypto.common.FipsUtils; + /** * Represents an LTPA Private Key; Encoding is non-standard. Uses 128 byte RSA. */ public final class LTPAPrivateKey implements PrivateKey { + private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); private static final long serialVersionUID = -2566137894245694562L; private static final int PRIVATE_EXPONENT = 1; private static final int PUBLIC_EXPONENT = 2; @@ -26,8 +29,8 @@ public final class LTPAPrivateKey implements PrivateKey { private static final int PRIME_Q = 4; private static final int PRIVATE_EXPONENT_LENGTH_FIELD_LENGTH = 4; private static final int PUBLIC_EXPONENT_LENGTH = 3; - private static final int PRIME_P_LENGTH = 65; - private static final int PRIME_Q_LENGTH = 65; + private static final int PRIME_P_LENGTH = (isFIPSEnabled ? 129 : 65); + private static final int PRIME_Q_LENGTH = (isFIPSEnabled ? 129 : 65); private int privateExponentLength; private final byte[][] rawKey; private final byte[] encodedKey; @@ -151,7 +154,11 @@ public final String getFormat() { * @return The raw data of the key */ protected final byte[][] getRawKey() { - return rawKey.clone(); + if (rawKey == null) { + return null; + } else { + return rawKey.clone(); + } } } diff --git a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPublicKey.java b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPublicKey.java index 0933f6a4af51..9ee7f2860a5c 100644 --- a/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPublicKey.java +++ b/dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPublicKey.java @@ -14,15 +14,18 @@ import java.security.PublicKey; +import com.ibm.ws.crypto.common.FipsUtils; + /** * Represents an LTPA Public Key based on RSA/SHA-1. Its based on a 128 byte RSA key. */ public final class LTPAPublicKey implements PublicKey { + private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); private static final long serialVersionUID = 6585779055758956436L; private static final int MODULUS = 0; private static final int EXPONENT = 1; - private static final int MODULUS_LENGTH = 129; + private static final int MODULUS_LENGTH = (isFIPSEnabled ? 257 : 129); private static final int EXPONENT_LENGTH = 3; private final byte[][] rawKey; private final byte[] encodedKey; @@ -80,6 +83,10 @@ public final String getFormat() { } protected final byte[][] getRawKey() { - return rawKey.clone(); + if (rawKey == null) { + return null; + } else { + return rawKey.clone(); + } } } diff --git a/dev/com.ibm.ws.security.token.ltpa/bnd.bnd b/dev/com.ibm.ws.security.token.ltpa/bnd.bnd index e510c5a5db6c..d66f89242065 100644 --- a/dev/com.ibm.ws.security.token.ltpa/bnd.bnd +++ b/dev/com.ibm.ws.security.token.ltpa/bnd.bnd @@ -95,7 +95,8 @@ instrument.classesExcludes: com/ibm/ws/security/token/ltpa/internal/resources/*. com.ibm.ws.crypto.ltpakeyutil;version=latest,\ com.ibm.ws.logging;version=latest,\ com.ibm.ws.org.osgi.annotation.versioning;version=latest,\ - com.ibm.ws.config;version=latest + com.ibm.ws.config;version=latest, \ + com.ibm.ws.crypto.common;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file, \ @@ -108,4 +109,5 @@ instrument.classesExcludes: com/ibm/ws/security/token/ltpa/internal/resources/*. com.ibm.ws.org.objectweb.asm;version=latest, \ org.jmock:jmock-legacy;version=2.5.0, \ com.ibm.ws.kernel.boot;version=latest, \ - com.ibm.ws.crypto.passwordutil;version=latest + com.ibm.ws.crypto.passwordutil;version=latest, \ + com.ibm.ws.crypto.common;version=latest diff --git a/dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java b/dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java index 6623d86f17c5..3b7169802832 100644 --- a/dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java +++ b/dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java @@ -28,6 +28,7 @@ import com.ibm.websphere.security.auth.InvalidTokenException; import com.ibm.websphere.security.auth.TokenExpiredException; import com.ibm.ws.common.encoder.Base64Coder; +import com.ibm.ws.crypto.common.FipsUtils; import com.ibm.ws.crypto.ltpakeyutil.LTPAKeyUtil; import com.ibm.ws.crypto.ltpakeyutil.LTPAPrivateKey; import com.ibm.ws.crypto.ltpakeyutil.LTPAPublicKey; @@ -41,9 +42,11 @@ */ public class LTPAToken2 implements Token, Serializable { + private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled(); + private static final TraceComponent tc = Tr.register(LTPAToken2.class); - private static final String AES_CBC_CIPHER = "AES/CBC/PKCS5Padding"; + private static final String AES_GCM_CIPHER = "AES/GCM/NoPadding"; private static final long serialVersionUID = 1L; private static final String DELIM = "%"; @@ -66,9 +69,15 @@ public class LTPAToken2 implements Token, Serializable { static { MessageDigest m1 = null, m2 = null; try { - if (LTPAKeyUtil.isFIPSEnabled() && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { + if (isFIPSEnabled && LTPAKeyUtil.isOpenJCEPlusFIPSAvailable()) { + m1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.OPENJCE_PLUS_FIPS_NAME); + m2 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.OPENJCE_PLUS_FIPS_NAME); + } else if (isFIPSEnabled && LTPAKeyUtil.isIBMJCEPlusFIPSAvailable()) { m1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.IBMJCE_PLUS_FIPS_NAME); m2 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.IBMJCE_PLUS_FIPS_NAME); + } else if (LTPAKeyUtil.isOpenJCEPlusAvailable()) { + m1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.OPENJCE_PLUS_NAME); + m2 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA256, LTPAKeyUtil.OPENJCE_PLUS_NAME); } else if (LTPAKeyUtil.isIBMJCEAvailable()) { m1 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA, LTPAKeyUtil.IBMJCE_NAME); m2 = MessageDigest.getInstance(LTPAKeyUtil.MESSAGE_DIGEST_ALGORITHM_SHA, LTPAKeyUtil.IBMJCE_NAME); @@ -103,7 +112,7 @@ public LTPAToken2(byte[] tokenBytes, @Sensitive byte[] sharedKey, LTPAPrivateKey this.privateKey = privateKey; this.publicKey = publicKey; this.expirationInMilliseconds = 0; - this.cipher = AES_CBC_CIPHER; + this.cipher = AES_GCM_CIPHER; this.expirationDifferenceAllowed = expDiffAllowed; decrypt(); } @@ -126,7 +135,7 @@ public LTPAToken2(byte[] tokenBytes, @Sensitive byte[] sharedKey, LTPAPrivateKey this.privateKey = privateKey; this.publicKey = publicKey; this.expirationInMilliseconds = 0; - this.cipher = AES_CBC_CIPHER; + this.cipher = AES_GCM_CIPHER; this.expirationDifferenceAllowed = expDiffAllowed; decrypt(); isValid(); @@ -155,7 +164,7 @@ protected LTPAToken2(String accessID, long expirationInMinutes, @Sensitive byte[ this.publicKey = publicKey; this.userData = new UserData(accessID); setExpiration(expirationInMinutes); - this.cipher = AES_CBC_CIPHER; + this.cipher = AES_GCM_CIPHER; } /** @@ -175,7 +184,7 @@ protected LTPAToken2(long expirationInMinutes, @Sensitive byte[] sharedKey, LTPA this.publicKey = publicKey; this.userData = userdata; setExpiration(expirationInMinutes); - this.cipher = AES_CBC_CIPHER; + this.cipher = AES_GCM_CIPHER; } /**