Minor bug fixes

dev/com.ibm.websphere.appserver.features/visibility/private/com.ibm.websphere.appserver.ltpa-1.0.feature

@@ -8,6 +8,7 @@ WLP-DisableAllFeatures-OnConflict: false
  com.ibm.ws.security.credentials.ssotoken, \
  com.ibm.ws.security.token.ltpa, \
  com.ibm.ws.crypto.ltpakeyutil, \
- com.ibm.ws.security.token.s4u2
+ com.ibm.ws.security.token.s4u2, \
+ com.ibm.ws.crypto.common
 kind=ga
 edition=core

dev/com.ibm.ws.crypto.ltpakeyutil/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2017, 2023 IBM Corporation and others.
+# Copyright (c) 2017, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/KeyEncryptor.java

@@ -22,7 +22,7 @@
  */
 public class KeyEncryptor {
 
-    private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+    private static final boolean isFIPSEnabled = LTPAKeyUtil.isFIPSEnabled();
     private static final int size = (isFIPSEnabled ? 32 : 24);
     private static final String MESSAGE_DIGEST_ALGORITHM = (isFIPSEnabled ? "SHA-256" : "SHA");
     private static final String CIPHER = (isFIPSEnabled ? "AES/GCM/NoPadding" : "DESede/ECB/PKCS5Padding");

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPACrypto.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2011, 2023 IBM Corporation and others.
+ * Copyright (c) 1997, 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -49,7 +49,7 @@
 
 final class LTPACrypto {
 
-	private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+	private static final boolean isFIPSEnabled = LTPAKeyUtil.isFIPSEnabled();
 
 	private static final TraceComponent tc = Tr.register(LTPACrypto.class);
 	private static final String IBMJCE_NAME = "IBMJCE";
@@ -1060,7 +1060,7 @@ static final void random(byte[] to, int off, int n) {
 	@Trivial
 	static final byte[] generate3DESKey() {
 		byte[] rndSeed = null;
-		int len = 24; // 3DES
+		int len = (isFIPSEnabled) ? 32 : 24;
 		rndSeed = new byte[len];
 		random(rndSeed, 0, len);
 		return rndSeed;

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPADigSignature.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2011 IBM Corporation and others.
+ * Copyright (c) 1997, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -20,7 +20,7 @@
 
 final class LTPADigSignature {
 
-	static boolean isFipsEnabled = FipsUtils.isFIPSEnabled();
+	static boolean isFipsEnabled = LTPAKeyUtil.isFIPSEnabled();
 	static int keySize = (isFipsEnabled ? 256 : 128);
 
 	static byte[][] testRawPubKey = null;

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyFileUtilityImpl.java

@@ -53,7 +53,7 @@ protected final Properties generateLTPAKeys(byte[] keyPasswordBytes, final Strin
             byte[] publicKey = pair.getPublic().getEncoded();
             byte[] privateKey = pair.getPrivate().getEncoded();
             byte[] encryptedPrivateKey = encryptor.encrypt(privateKey);
-            byte[] sharedKey = LTPACrypto.generate3DESKey(); // key length is 24 for 3DES
+            byte[] sharedKey = LTPACrypto.generate3DESKey(); // key length is 32 bytes (256 bits) for FIPS (AES), 24 bytes (192 bits) for non-FIPS (3DES)
             byte[] encryptedSharedKey = encryptor.encrypt(sharedKey);
 
             String tmpShared = Base64Coder.base64EncodeToString(encryptedSharedKey);

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAKeyUtil.java

@@ -35,7 +35,10 @@ public final class LTPAKeyUtil {
     public static boolean openJCEPlusProviderChecked = false;
     public static boolean openJCEPlusFIPSProviderChecked = false;
 
-	public static boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+	public static boolean unitTest = false;
+	public static boolean isFIPSEnabled = false;
+	public static boolean fipsChecked = false;
+	public static String FIPSLevel = getFipsLevel();
 
 	public static boolean javaVersionChecked = false;
 	public static boolean isJava11orHigher = false;
@@ -170,6 +173,45 @@ static boolean isRunningBetaMode() {
 		}
 	}
 
+    static String getFipsLevel() {
+        String fipsLevel = AccessController.doPrivileged(new PrivilegedAction<String>() {
+            @Override
+            public String run() {
+                String propertyValue = System.getProperty("com.ibm.fips.mode");
+                return (propertyValue == null) ? "disabled" : propertyValue.trim().toLowerCase();
+            }
+        });
+        return fipsLevel;
+    }
+
+    public static boolean isFips140_3Enabled() {
+        //TODO remove beta check
+        if (unitTest) {
+            return "140-3".equals(FIPSLevel);
+        } else {
+            return isRunningBetaMode() && "140-3".equals(FIPSLevel);
+        }
+    }
+
+    public static boolean isFips140_2Enabled() {
+        //TODO remove beta check
+        if (unitTest) {
+            return "140-2".equals(FIPSLevel);
+        } else {
+            return isRunningBetaMode() && "140-2".equals(FIPSLevel);
+        }
+    }
+
+    public static boolean isFIPSEnabled() {
+		if (fipsChecked) {
+			return isFIPSEnabled;
+		} else {
+			isFIPSEnabled = isFips140_2Enabled() || isFips140_3Enabled();
+            fipsChecked = true;
+            return isFIPSEnabled;
+		}
+    }
+
 	private static boolean isJava11orHigher() {
 		if (javaVersionChecked) {
 			return isJava11orHigher;

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPrivateKey.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2011 IBM Corporation and others.
+ * Copyright (c) 1997, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -21,7 +21,7 @@
  */
 public final class LTPAPrivateKey implements PrivateKey {
 
-    private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+    private static final boolean isFIPSEnabled = LTPAKeyUtil.isFIPSEnabled();
     private static final long serialVersionUID = -2566137894245694562L;
     private static final int PRIVATE_EXPONENT = 1;
     private static final int PUBLIC_EXPONENT = 2;

dev/com.ibm.ws.crypto.ltpakeyutil/src/com/ibm/ws/crypto/ltpakeyutil/LTPAPublicKey.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2011 IBM Corporation and others.
+ * Copyright (c) 1997, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -21,7 +21,7 @@
  */
 public final class LTPAPublicKey implements PublicKey {
 
-    private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+    private static final boolean isFIPSEnabled = LTPAKeyUtil.isFIPSEnabled();
     private static final long serialVersionUID = 6585779055758956436L;
     private static final int MODULUS = 0;
     private static final int EXPONENT = 1;

dev/com.ibm.ws.security.token.ltpa/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2017, 2023 IBM Corporation and others.
+# Copyright (c) 2017, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at

dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2004, 2023 IBM Corporation and others.
+ * Copyright (c) 2004, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -42,7 +42,7 @@
  */
 public class LTPAToken2 implements Token, Serializable {
 
-    private static final boolean isFIPSEnabled = FipsUtils.isFIPSEnabled();
+    private static final boolean isFIPSEnabled = LTPAKeyUtil.isFIPSEnabled();
 
     private static final TraceComponent tc = Tr.register(LTPAToken2.class);