diff --git a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
index 04462d0714e..b3ea55ed2a4 100644
--- a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
@@ -51,10 +51,16 @@ public final class JavaUtils {
private static boolean isJava11Compatible;
private static boolean isJava9Compatible;
private static boolean isJava8Before161;
+ private static boolean isFIPSEnabled;
+ private static String fipsSecurityProvider;
private static Integer javaMajorVersion;
+ private static final String FIPS_ENABLED = "fips.enabled";
+ private static final String FIPS_SECURITY_PROVIDER = "fips.security.provider";
static {
String version = SystemPropertyAction.getProperty("java.version");
+ isFIPSEnabled = Boolean.parseBoolean(SystemPropertyAction.getProperty(FIPS_ENABLED));
+ fipsSecurityProvider = SystemPropertyAction.getProperty(FIPS_SECURITY_PROVIDER);
try {
isJava8Before161 = version.startsWith("1.8.0_")
&& Integer.parseInt(version.substring(6)) < 161;
@@ -114,6 +120,18 @@ private static void setJava11Compatible(boolean java11Compatible) {
public static boolean isJava8Before161() {
return isJava8Before161;
}
+
+ public static boolean isFIPSEnabled() {
+ return isFIPSEnabled;
+ }
+
+ /**
+ * Returns the FIPS security provider name configured via the
+ * {@code fips.security.provider} system property. If not set, returns {@code null}.
+ */
+ public static String getFIPSSecurityProvider() {
+ return fipsSecurityProvider;
+ }
public static void setJavaMajorVersion(Integer javaMajorVersion) {
JavaUtils.javaMajorVersion = javaMajorVersion;
diff --git a/core/src/test/java/org/apache/cxf/helpers/FipsTestUtils.java b/core/src/test/java/org/apache/cxf/helpers/FipsTestUtils.java
new file mode 100644
index 00000000000..dd9dd5bb6ea
--- /dev/null
+++ b/core/src/test/java/org/apache/cxf/helpers/FipsTestUtils.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.helpers;
+
+import java.lang.reflect.Field;
+
+/**
+ * Test utilities for manipulating FIPS state in unit tests via reflection.
+ */
+public final class FipsTestUtils {
+
+ private FipsTestUtils() { }
+
+ public static void setFipsEnabled(boolean enabled) throws Exception {
+ Field field = JavaUtils.class.getDeclaredField("isFIPSEnabled");
+ field.setAccessible(true);
+ field.setBoolean(null, enabled);
+ }
+
+ public static void setFipsProvider(String provider) throws Exception {
+ Field field = JavaUtils.class.getDeclaredField("fipsSecurityProvider");
+ field.setAccessible(true);
+ field.set(null, provider);
+ }
+}
diff --git a/core/src/test/java/org/apache/cxf/helpers/JavaUtilsTest.java b/core/src/test/java/org/apache/cxf/helpers/JavaUtilsTest.java
new file mode 100644
index 00000000000..d05a27e5319
--- /dev/null
+++ b/core/src/test/java/org/apache/cxf/helpers/JavaUtilsTest.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.helpers;
+
+import org.junit.After;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class JavaUtilsTest {
+
+ private boolean originalFipsEnabled;
+ private String originalFipsProvider;
+
+ @Before
+ public void saveFipsState() throws Exception {
+ originalFipsEnabled = JavaUtils.isFIPSEnabled();
+ originalFipsProvider = JavaUtils.getFIPSSecurityProvider();
+ }
+
+ @After
+ public void restoreFipsState() throws Exception {
+ FipsTestUtils.setFipsEnabled(originalFipsEnabled);
+ FipsTestUtils.setFipsProvider(originalFipsProvider);
+ }
+
+ @Test
+ public void testIsFIPSEnabledDefaultFalse() {
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled()); //ignore this test when running in FIPS mode
+ // Without the fips.enabled system property, FIPS should be disabled
+ assertFalse("FIPS should be disabled by default", JavaUtils.isFIPSEnabled());
+ }
+
+ @Test
+ public void testSetFIPSEnabled() throws Exception {
+ FipsTestUtils.setFipsEnabled(true);
+ assertTrue("FIPS should be enabled after setting the field", JavaUtils.isFIPSEnabled());
+
+ FipsTestUtils.setFipsEnabled(false);
+ assertFalse("FIPS should be disabled after clearing the field", JavaUtils.isFIPSEnabled());
+ }
+
+ @Test
+ public void testGetFIPSSecurityProviderDefault() {
+ // Without the fips.security.provider property, should return null
+ assertNull("FIPS security provider should be null by default",
+ JavaUtils.getFIPSSecurityProvider());
+ }
+
+ @Test
+ public void testGetFIPSSecurityProviderCustom() throws Exception {
+ FipsTestUtils.setFipsProvider("BouncyCastleFIPS");
+ assertEquals("BouncyCastleFIPS", JavaUtils.getFIPSSecurityProvider());
+ }
+
+ @Test
+ public void testIsJavaKeyword() {
+ assertTrue(JavaUtils.isJavaKeyword("class"));
+ assertTrue(JavaUtils.isJavaKeyword("public"));
+ assertTrue(JavaUtils.isJavaKeyword("null"));
+ assertTrue(JavaUtils.isJavaKeyword("true"));
+ assertFalse(JavaUtils.isJavaKeyword("foo"));
+ assertFalse(JavaUtils.isJavaKeyword("Class"));
+ }
+
+ @Test
+ public void testMakeNonJavaKeyword() {
+ assertEquals("_class", JavaUtils.makeNonJavaKeyword("class"));
+ assertEquals("_public", JavaUtils.makeNonJavaKeyword("public"));
+ }
+}
diff --git a/parent/pom.xml b/parent/pom.xml
index 8b328e8ce90..ad05679e3ef 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -505,7 +505,6 @@
${cxf.server.launcher.vmargs}
ASYNC_ONLY
${org.apache.cxf.transport.websocket.atmosphere.disabled}
- SHA1PRNG
@@ -2059,7 +2058,17 @@
org.apache.wss4j
wss4j-ws-security-common
- ${cxf.jakarta.wss4j.version}
+ ${cxf.jakarta.wss4j.version}
+
+
+ org.ehcache
+ ehcache
+
+
+ org.bouncycastle
+ *
+
+
org.apache.maven.plugins
@@ -2358,6 +2367,10 @@
maven-surefire-plugin
${cxf.jacoco.argLine} ${cxf.surefire.fork.vmargs} -D${cxf.jaxb.context.class.property}=${cxf.jaxb.context.class}
+
+
+ secp256r1,secp384r1,secp521r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp256k1,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192
+
@@ -2375,5 +2388,45 @@
12.3.1
+
+ fips
+
+
+ fips.enabled
+
+
+
+
+ org.bouncycastle
+ bc-fips
+ 2.1.2
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+
+
+ PKCS11
+ true
+
+
+
+ **/SslContextTest.java
+ **/SslHostnameVerifierTest.java
+ **/SslMutualTest.java
+ **/SslTrustStoreTest.java
+
+ **/JAXRSKerberosBookTest.java
+ **/KerberosTokenTest.java
+ **/SpnegoTokenTest.java
+
+
+
+
+
+
diff --git a/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java b/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java
index ac1bf39b3a6..5b357639ee0 100644
--- a/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java
+++ b/rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/utils/DefaultSignatureConstants.java
@@ -18,11 +18,22 @@
*/
package org.apache.cxf.rs.security.httpsignature.utils;
+import org.apache.cxf.helpers.JavaUtils;
+
public final class DefaultSignatureConstants {
public static final String SIGNING_ALGORITHM = "rsa-sha256";
public static final String DIGEST_ALGORITHM = "SHA-256";
- public static final String SECURITY_PROVIDER = "SunRsaSign";
+ public static final String SECURITY_PROVIDER = getDefaultSecurityProvider();
private DefaultSignatureConstants() { }
+ private static String getDefaultSecurityProvider() {
+ if (JavaUtils.isFIPSEnabled()) {
+ // Use the configured FIPS provider, or null to let the JCA framework
+ // select an appropriate provider automatically
+ return JavaUtils.getFIPSSecurityProvider();
+ }
+ return "SunRsaSign";
+ }
+
}
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
index 092581d3fd0..1bc318b8342 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
@@ -135,8 +135,9 @@ public final class JoseConstants extends RSSecurityConstants {
public static final String RSSEC_ENCRYPTION_CONTENT_ALGORITHM = "rs.security.encryption.content.algorithm";
/**
- * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an
- * RSA key, and 'A128GCMKW' if it is an octet sequence.
+ * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP'
+ * (or RSA-OAEP-256 in FIPS mode)
+ * if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.
*/
public static final String RSSEC_ENCRYPTION_KEY_ALGORITHM = "rs.security.encryption.key.algorithm";
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 67d6cb6af31..fbec3f88979 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -43,6 +43,7 @@
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.PhaseInterceptorChain;
@@ -186,7 +187,7 @@ public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key
}
private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
if (key instanceof RSAPublicKey) {
- return KeyAlgorithm.RSA_OAEP;
+ return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
} else if (key instanceof ECPublicKey) {
return KeyAlgorithm.ECDH_ES_A128KW;
} else {
@@ -195,7 +196,7 @@ private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
}
private static KeyAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
if (key instanceof RSAPrivateKey) {
- return KeyAlgorithm.RSA_OAEP;
+ return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
} else if (key instanceof ECPrivateKey) {
return KeyAlgorithm.ECDH_ES_A128KW;
} else {
@@ -937,7 +938,7 @@ private static KeyAlgorithm getDefaultKeyAlgorithm(JsonWebKey jwk) {
if (KeyType.OCTET == keyType) {
return KeyAlgorithm.A128GCMKW;
} else if (KeyType.RSA == keyType) {
- return KeyAlgorithm.RSA_OAEP;
+ return JavaUtils.isFIPSEnabled() ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP;
} else {
return KeyAlgorithm.ECDH_ES_A128KW;
}
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
index db0bc6b29f2..270b22de33a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
@@ -20,12 +20,14 @@
import java.security.interfaces.RSAPrivateKey;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
- this(privateKey, KeyAlgorithm.RSA_OAEP);
+ this(privateKey, JavaUtils.isFIPSEnabled()
+ ? KeyAlgorithm.RSA_OAEP_256 : KeyAlgorithm.RSA_OAEP);
}
public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {
this(privateKey, supportedAlgo, true);
@@ -43,5 +45,9 @@ protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
if (!AlgorithmUtils.isRsaKeyWrap(keyAlgo)) {
reportInvalidKeyAlgorithm(keyAlgo);
}
+ if (JavaUtils.isFIPSEnabled() && AlgorithmUtils.RSA1_5_ALGO.equals(keyAlgo)) {
+ LOG.warning("RSA1_5 key encryption algorithm is not allowed in FIPS mode");
+ reportInvalidKeyAlgorithm(keyAlgo);
+ }
}
}
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java
index 49a150a9d35..0ef19266f9e 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaDecryptRfcConformanceTest.java
@@ -18,6 +18,9 @@
*/
package org.apache.cxf.rs.security.jose.jwa;
+import org.apache.cxf.helpers.JavaUtils;
+
+import org.junit.Assume;
import org.junit.Test;
public abstract class JwaDecryptRfcConformanceTest extends AbstractDecryptTest {
@@ -99,31 +102,43 @@ public void testEcdhA128KwA128CbcJweJson() throws Exception {
@Test
public void testRsa15A128GcmCompact() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128gcm.compact.jwe");
}
@Test
public void testRsa15A128GcmJsonFlattened() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128gcm.json.flattened.jwe");
}
@Test
public void testRsa15A128GcmJson() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128gcm.json.jwe");
}
@Test
public void testRsa15A128CbcJweCompact() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128cbc-hs256.compact.jwe");
}
@Test
public void testRsa15A128CbcJweJsonFlattened() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128cbc-hs256.json.flattened.jwe");
}
@Test
public void testRsa15A128CbcJweJson() throws Exception {
+ //RSA15 is not FIPS 140-2 approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("/jwe/rsa.2048.rsa1_5.a128cbc-hs256.json.jwe");
}
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java
index 92f32199b73..8387ce1d5ef 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwa/JwaEncryptRfcConformanceTest.java
@@ -18,8 +18,10 @@
*/
package org.apache.cxf.rs.security.jose.jwa;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.rs.security.jose.support.Serialization;
+import org.junit.Assume;
import org.junit.Test;
public abstract class JwaEncryptRfcConformanceTest extends AbstractEncryptTest {
@@ -41,16 +43,22 @@ public void testOctA128GcmJweJson() throws Exception {
@Test
public void testRsaOaepA128GcmJweCompact() throws Exception {
+ //fips: no RSA-OAEP support
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("RSA", "RSA-OAEP", "A128GCM", Serialization.COMPACT);
}
@Test
public void testRsaOaepA128GcmJweJsonFlattened() throws Exception {
+ //fips: no RSA-OAEP support
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("RSA", "RSA-OAEP", "A128GCM", Serialization.FLATTENED);
}
@Test
public void testRsaOaepA128GcmJweJson() throws Exception {
+ //fips: no RSA-OAEP support
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
test("RSA", "RSA-OAEP", "A128GCM", Serialization.JSON);
}
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/FipsTestUtils.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/FipsTestUtils.java
new file mode 100644
index 00000000000..a05cec217a9
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/FipsTestUtils.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.lang.reflect.Field;
+
+import org.apache.cxf.helpers.JavaUtils;
+
+/**
+ * Test utilities for manipulating FIPS state in unit tests via reflection.
+ * Mirror of org.apache.cxf.helpers.FipsTestUtils from cxf-core test sources.
+ */
+final class FipsTestUtils {
+
+ private FipsTestUtils() { }
+
+ static void setFipsEnabled(boolean enabled) throws Exception {
+ Field field = JavaUtils.class.getDeclaredField("isFIPSEnabled");
+ field.setAccessible(true);
+ field.setBoolean(null, enabled);
+ }
+
+ static void setFipsProvider(String provider) throws Exception {
+ Field field = JavaUtils.class.getDeclaredField("fipsSecurityProvider");
+ field.setAccessible(true);
+ field.set(null, provider);
+ }
+}
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
index 094af892d23..67b905216d5 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
@@ -28,6 +28,7 @@
import javax.crypto.SecretKey;
import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
@@ -36,6 +37,7 @@
import org.apache.cxf.rs.security.jose.jws.JwsCompactReaderWriterTest;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
+import org.junit.Assume;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
@@ -48,12 +50,13 @@ public class JweCompactReaderWriterTest {
115, 63, (byte)180, 3, (byte)255, 107, (byte)154, (byte)212, (byte)246,
(byte)138, 7, 110, 91, 112, 46, 34, 105, 47,
(byte)130, (byte)203, 46, 122, (byte)234, 64, (byte)252};
+
static final String RSA_MODULUS_ENCODED_A1 = "oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW"
- + "cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S"
- + "psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a"
- + "sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS"
- + "tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj"
- + "YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw";
+ + "cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S"
+ + "psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a"
+ + "sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS"
+ + "tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj"
+ + "YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw";
static final String RSA_PUBLIC_EXPONENT_ENCODED_A1 = "AQAB";
static final String RSA_PRIVATE_EXPONENT_ENCODED_A1 =
"kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N"
@@ -62,7 +65,43 @@ public class JweCompactReaderWriterTest {
+ "qDp0Vqj3kbSCz1XyfCs6_LehBwtxHIyh8Ripy40p24moOAbgxVw3rxT_vl"
+ "t3UVe4WO3JkJOzlpUf-KTVI2Ptgm-dARxTEtE-id-4OJr0h-K-VFs3VSnd"
+ "VTIznSxfyrj8ILL6MG_Uv8YAu7VILSB3lOW085-4qE3DzgrTjgyQ";
-
+
+ static final String RSA_MODULUS_ENCODED_A1_FIPS =
+ "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV"
+ + "T86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6"
+ + "4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_F"
+ + "DW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1"
+ + "n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPks"
+ + "INHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw";
+ static final String RSA_PUBLIC_EXPONENT_ENCODED_A1_FIPS = "AQAB";
+ static final String RSA_PRIVATE_EXPONENT_ENCODED_A1_FIPS =
+ "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo"
+ + "7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij"
+ + "wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMw"
+ + "Fs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4s"
+ + "bg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2"
+ + "WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q";
+ static final String RSA_PRIVATE_FIRST_PRIME_FACTOR_A1_FIPS =
+ "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD"
+ + "20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuV"
+ + "IYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs";
+ static final String RSA_PRIVATE_SECOND_PRIME_FACTOR_A1_FIPS =
+ "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1"
+ + "dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkI"
+ + "drecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk";
+ static final String RSA_PRIVATE_FIRST_PRIME_CRT_A1_FIPS =
+ "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2em"
+ + "TAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc"
+ + "3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0";
+ static final String RSA_PRIVATE_SECOND_PRIME_CRT_A1_FIPS =
+ "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn"
+ + "8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4"
+ + "Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk";
+ static final String RSA_PRIVATE_FIRST_CRT_COEFFICIENT_A1_FIPS =
+ "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEc"
+ + "OqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8"
+ + "O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU";
+
static final byte[] INIT_VECTOR_A1 = {(byte)227, (byte)197, 117, (byte)252, 2, (byte)219,
(byte)233, 68, (byte)180, (byte)225, 77, (byte)219};
@@ -184,10 +223,16 @@ public void testRejectInvalidCurve() throws Exception {
}
@Test
public void testEncryptDecryptRSA15WrapA128CBCHS256() throws Exception {
+ // RSA1_5 and CBC are not FIPS-approved
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
final String specPlainText = "Live long and prosper.";
- RSAPublicKey publicKey = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED_A1,
- RSA_PUBLIC_EXPONENT_ENCODED_A1);
+ RSAPublicKey publicKey = CryptoUtils.getRSAPublicKey(JavaUtils.isFIPSEnabled()
+ ? RSA_MODULUS_ENCODED_A1_FIPS
+ : RSA_MODULUS_ENCODED_A1,
+ JavaUtils.isFIPSEnabled()
+ ? RSA_PUBLIC_EXPONENT_ENCODED_A1_FIPS
+ : RSA_PUBLIC_EXPONENT_ENCODED_A1);
KeyEncryptionProvider keyEncryption = new RSAKeyEncryptionAlgorithm(publicKey,
KeyAlgorithm.RSA1_5);
@@ -198,8 +243,20 @@ public void testEncryptDecryptRSA15WrapA128CBCHS256() throws Exception {
keyEncryption);
String jweContent = encryption.encrypt(specPlainText.getBytes(StandardCharsets.UTF_8), null);
- RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
- RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ RSAPrivateKey privateKey = null;
+ if (JavaUtils.isFIPSEnabled()) {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1_FIPS,
+ RSA_PUBLIC_EXPONENT_ENCODED_A1_FIPS,
+ RSA_PRIVATE_EXPONENT_ENCODED_A1_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_FACTOR_A1_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_FACTOR_A1_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_CRT_A1_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_CRT_A1_FIPS,
+ RSA_PRIVATE_FIRST_CRT_COEFFICIENT_A1_FIPS);
+ } else {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
+ RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ }
KeyDecryptionProvider keyDecryption = new RSAKeyDecryptionAlgorithm(privateKey,
KeyAlgorithm.RSA1_5);
JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
@@ -208,6 +265,8 @@ public void testEncryptDecryptRSA15WrapA128CBCHS256() throws Exception {
}
@Test
public void testEncryptDecryptAesGcmWrapA128CBCHS256() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
//
// This test fails with the IBM JDK
//
@@ -231,7 +290,7 @@ public void testEncryptDecryptAesGcmWrapA128CBCHS256() throws Exception {
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);
}
-
+
@Test
public void testEncryptDecryptSpecExample() throws Exception {
final String specPlainText = "The true sign of intelligence is not knowledge but imagination.";
@@ -256,8 +315,13 @@ public void testEncryptDecryptJwsToken() throws Exception {
}
private String encryptContent(String content, boolean createIfException) throws Exception {
- RSAPublicKey publicKey = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED_A1,
- RSA_PUBLIC_EXPONENT_ENCODED_A1);
+ RSAPublicKey publicKey = CryptoUtils.getRSAPublicKey(JavaUtils.isFIPSEnabled()
+ ? RSA_MODULUS_ENCODED_A1_FIPS
+ : RSA_MODULUS_ENCODED_A1,
+ JavaUtils.isFIPSEnabled()
+ ? RSA_PUBLIC_EXPONENT_ENCODED_A1_FIPS
+ : RSA_PUBLIC_EXPONENT_ENCODED_A1);
+
SecretKey key = createSecretKey(createIfException);
final String jwtKeyName;
if (key == null) {
@@ -267,7 +331,9 @@ private String encryptContent(String content, boolean createIfException) throws
jwtKeyName = AlgorithmUtils.toJwaName(key.getAlgorithm(), key.getEncoded().length * 8);
}
KeyEncryptionProvider keyEncryptionAlgo = new RSAKeyEncryptionAlgorithm(publicKey,
- KeyAlgorithm.RSA_OAEP);
+ JavaUtils.isFIPSEnabled()
+ ? KeyAlgorithm.RSA_OAEP_256
+ : KeyAlgorithm.RSA_OAEP);
ContentEncryptionProvider contentEncryptionAlgo =
new AesGcmContentEncryptionAlgorithm(key == null ? null : key.getEncoded(), INIT_VECTOR_A1,
ContentAlgorithm.getAlgorithm(jwtKeyName));
@@ -280,8 +346,20 @@ private String encryptContentDirect(SecretKey key, String content) throws Except
return encryptor.encrypt(content.getBytes(StandardCharsets.UTF_8), null);
}
private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception {
- RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
- RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ RSAPrivateKey privateKey = null;
+ if (JavaUtils.isFIPSEnabled()) {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1_FIPS,
+ RSA_PUBLIC_EXPONENT_ENCODED_A1_FIPS,
+ RSA_PRIVATE_EXPONENT_ENCODED_A1_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_FACTOR_A1_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_FACTOR_A1_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_CRT_A1_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_CRT_A1_FIPS,
+ RSA_PRIVATE_FIRST_CRT_COEFFICIENT_A1_FIPS);
+ } else {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
+ RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ }
ContentAlgorithm algo = Cipher.getMaxAllowedKeyLength("AES") > 128
? ContentAlgorithm.A256GCM : ContentAlgorithm.A128GCM;
JweDecryptionProvider decryptor = new JweDecryption(new RSAKeyDecryptionAlgorithm(privateKey),
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweFipsAlgorithmTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweFipsAlgorithmTest.java
new file mode 100644
index 00000000000..f36195a8fb8
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweFipsAlgorithmTest.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.lang.reflect.Method;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPrivateKey;
+
+import org.apache.cxf.helpers.JavaUtils;
+import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Tests that FIPS mode selects RSA-OAEP-256 instead of RSA-OAEP for key algorithms.
+ */
+public class JweFipsAlgorithmTest {
+
+ private boolean originalFipsEnabled;
+ private String originalFipsProvider;
+ private KeyPair rsaKeyPair;
+
+ @Before
+ public void setUp() throws Exception {
+ originalFipsEnabled = JavaUtils.isFIPSEnabled();
+ originalFipsProvider = JavaUtils.getFIPSSecurityProvider();
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+ rsaKeyPair = kpg.generateKeyPair();
+ }
+
+ @After
+ public void restoreFipsState() throws Exception {
+ FipsTestUtils.setFipsEnabled(originalFipsEnabled);
+ FipsTestUtils.setFipsProvider(originalFipsProvider);
+ }
+
+ @Test
+ public void testDefaultPublicKeyAlgorithmNonFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(false);
+ KeyAlgorithm algo = invokeGetDefaultPublicKeyAlgorithm(rsaKeyPair.getPublic());
+ assertEquals(KeyAlgorithm.RSA_OAEP, algo);
+ }
+
+ @Test
+ public void testDefaultPublicKeyAlgorithmFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(true);
+ KeyAlgorithm algo = invokeGetDefaultPublicKeyAlgorithm(rsaKeyPair.getPublic());
+ assertEquals(KeyAlgorithm.RSA_OAEP_256, algo);
+ }
+
+ @Test
+ public void testDefaultPrivateKeyAlgorithmNonFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(false);
+ KeyAlgorithm algo = invokeGetDefaultPrivateKeyAlgorithm(rsaKeyPair.getPrivate());
+ assertEquals(KeyAlgorithm.RSA_OAEP, algo);
+ }
+
+ @Test
+ public void testDefaultPrivateKeyAlgorithmFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(true);
+ KeyAlgorithm algo = invokeGetDefaultPrivateKeyAlgorithm(rsaKeyPair.getPrivate());
+ assertEquals(KeyAlgorithm.RSA_OAEP_256, algo);
+ }
+
+ @Test
+ public void testRSAKeyDecryptionAlgorithmDefaultNonFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(false);
+ RSAKeyDecryptionAlgorithm decryptor =
+ new RSAKeyDecryptionAlgorithm((RSAPrivateKey) rsaKeyPair.getPrivate());
+ assertEquals(KeyAlgorithm.RSA_OAEP.getJwaName(), decryptor.getAlgorithm().getJwaName());
+ }
+
+ @Test
+ public void testRSAKeyDecryptionAlgorithmDefaultFIPS() throws Exception {
+ FipsTestUtils.setFipsEnabled(true);
+ RSAKeyDecryptionAlgorithm decryptor =
+ new RSAKeyDecryptionAlgorithm((RSAPrivateKey) rsaKeyPair.getPrivate());
+ assertEquals(KeyAlgorithm.RSA_OAEP_256.getJwaName(), decryptor.getAlgorithm().getJwaName());
+ }
+
+ private static KeyAlgorithm invokeGetDefaultPublicKeyAlgorithm(PublicKey key) throws Exception {
+ Method method = JweUtils.class.getDeclaredMethod("getDefaultPublicKeyAlgorithm", PublicKey.class);
+ method.setAccessible(true);
+ return (KeyAlgorithm) method.invoke(null, key);
+ }
+
+ private static KeyAlgorithm invokeGetDefaultPrivateKeyAlgorithm(java.security.PrivateKey key)
+ throws Exception {
+ Method method = JweUtils.class.getDeclaredMethod("getDefaultPrivateKeyAlgorithm",
+ java.security.PrivateKey.class);
+ method.setAccessible(true);
+ return (KeyAlgorithm) method.invoke(null, key);
+ }
+
+ @Test(expected = JweException.class)
+ public void testRSA15RejectedInFIPSMode() throws Exception {
+ FipsTestUtils.setFipsEnabled(true);
+ RSAKeyDecryptionAlgorithm decryptor =
+ new RSAKeyDecryptionAlgorithm((RSAPrivateKey) rsaKeyPair.getPrivate(),
+ KeyAlgorithm.RSA1_5);
+ JweHeaders headers = new JweHeaders();
+ headers.setKeyEncryptionAlgorithm(KeyAlgorithm.RSA1_5);
+ headers.setContentEncryptionAlgorithm(
+ org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm.A128GCM);
+ JweDecryptionInput input = new JweDecryptionInput(
+ new byte[0], new byte[0], new byte[0], new byte[0],
+ new byte[0], "{}", headers);
+ decryptor.getDecryptedContentEncryptionKey(input);
+ }
+
+}
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index 6189e7dfb44..9be532c674d 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -18,9 +18,10 @@
*/
package org.apache.cxf.rs.security.jose.jws;
-import java.security.PrivateKey;
+
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Clock;
import java.util.Arrays;
@@ -30,6 +31,7 @@
import java.util.Map;
import java.util.concurrent.TimeUnit;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.common.JoseType;
@@ -66,7 +68,7 @@ public class JwsCompactReaderWriterTest {
+ "zI1NiIsDQogImp3ayI6eyJrdHkiOiJvY3QiLA0KICJrZXlfb3BzIjpbDQogInNpZ24iLA0KICJ2ZXJpZnkiDQogXX19"
+ ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+ ".8cFZqb15gEDYRZqSzUu23nQnKNynru1ADByRPvmmOq8";
-
+
private static final String RSA_MODULUS_ENCODED = "ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddx"
+ "HmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMs"
+ "D1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSH"
@@ -94,6 +96,51 @@ public class JwsCompactReaderWriterTest {
+ "hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB"
+ "p0igcN_IoypGlUPQGe77Rw";
+ private static final String RSA_MODULUS_ENCODED_FIPS =
+ "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV"
+ + "T86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6"
+ + "4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_F"
+ + "DW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1"
+ + "n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPks"
+ + "INHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw";
+ private static final String RSA_PUBLIC_EXPONENT_ENCODED_FIPS = "AQAB";
+ private static final String RSA_PRIVATE_EXPONENT_ENCODED_FIPS =
+ "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo"
+ + "7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij"
+ + "wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMw"
+ + "Fs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4s"
+ + "bg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2"
+ + "WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q";
+ private static final String RSA_PRIVATE_FIRST_PRIME_FACTOR_FIPS =
+ "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD"
+ + "20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuV"
+ + "IYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs";
+ private static final String RSA_PRIVATE_SECOND_PRIME_FACTOR_FIPS =
+ "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1"
+ + "dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkI"
+ + "drecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk";
+ private static final String RSA_PRIVATE_FIRST_PRIME_CRT_FIPS =
+ "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2em"
+ + "TAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc"
+ + "3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0";
+ private static final String RSA_PRIVATE_SECOND_PRIME_CRT_FIPS =
+ "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn"
+ + "8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4"
+ + "Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk";
+ private static final String RSA_PRIVATE_FIRST_CRT_COEFFICIENT_FIPS =
+ "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEc"
+ + "OqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8"
+ + "O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU";
+ private static final String ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY_FIPS =
+ "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz"
+ + "ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DS0k"
+ + "cM3KbMwJWyxmJ2NWC21HGx93MXy9sSgsVygnx4U7XKayfNACjigqZL9jH-U"
+ + "L1MjIIXVUmaVc5ljgt84fjhlfcMdJ67Q2_tyyUdbOjPrVfcDnpwpxKQQ2tA"
+ + "9fpHFQL_JENgraWFJQ1O27WKDvYfsRmj-Z2xIJzYETdZykNKS4lcN-B-eus"
+ + "A2zw9iUnl3TdAdSIKr7QrTZrd3Osema_hCSCfD1faLWGUhRMHnx5eSxbDog"
+ + "V0-7P0OUHDP0IoxWGNcrAQ7vTBlEAg92LhGN8JGW2k-bludnJb5gBJrauMY"
+ + "xqi9d4ajKYka0GSaky4CpjMOpexkkGORk2VC8wiNMFg";
+
private static final String EC_PRIVATE_KEY_ENCODED =
"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI";
private static final String EC_X_POINT_ENCODED =
@@ -255,22 +302,56 @@ public void testWriteJwsSignedByPrivateKey() throws Exception {
JwsHeaders headers = new JwsHeaders();
headers.setSignatureAlgorithm(SignatureAlgorithm.RS256);
JwsCompactProducer jws = initSpecJwtTokenWriter(headers);
- PrivateKey key = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED, RSA_PRIVATE_EXPONENT_ENCODED);
+ RSAPrivateKey key = null;
+ if (JavaUtils.isFIPSEnabled()) {
+ key = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_FIPS,
+ RSA_PUBLIC_EXPONENT_ENCODED_FIPS,
+ RSA_PRIVATE_EXPONENT_ENCODED_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_FACTOR_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_FACTOR_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_CRT_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_CRT_FIPS,
+ RSA_PRIVATE_FIRST_CRT_COEFFICIENT_FIPS);
+ } else {
+ key = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED,
+ RSA_PRIVATE_EXPONENT_ENCODED);
+ }
jws.signWith(new PrivateKeyJwsSignatureProvider(key, SignatureAlgorithm.RS256));
- assertEquals(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY, jws.getSignedEncodedJws());
+
+ assertEquals(JavaUtils.isFIPSEnabled()
+ ? ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY_FIPS
+ : ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY, jws.getSignedEncodedJws());
}
@Test
public void testJwsPsSha() throws Exception {
JwsHeaders outHeaders = new JwsHeaders();
outHeaders.setSignatureAlgorithm(SignatureAlgorithm.PS256);
JwsCompactProducer producer = initSpecJwtTokenWriter(outHeaders);
- PrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED, RSA_PRIVATE_EXPONENT_ENCODED);
+ RSAPrivateKey privateKey = null;
+ if (JavaUtils.isFIPSEnabled()) {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_FIPS,
+ RSA_PUBLIC_EXPONENT_ENCODED_FIPS,
+ RSA_PRIVATE_EXPONENT_ENCODED_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_FACTOR_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_FACTOR_FIPS,
+ RSA_PRIVATE_FIRST_PRIME_CRT_FIPS,
+ RSA_PRIVATE_SECOND_PRIME_CRT_FIPS,
+ RSA_PRIVATE_FIRST_CRT_COEFFICIENT_FIPS);
+ } else {
+ privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED,
+ RSA_PRIVATE_EXPONENT_ENCODED);
+ }
String signed = producer.signWith(
new PrivateKeyJwsSignatureProvider(privateKey, SignatureAlgorithm.PS256));
JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(signed);
- RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
+ RSAPublicKey key = CryptoUtils.getRSAPublicKey(JavaUtils.isFIPSEnabled()
+ ? RSA_MODULUS_ENCODED_FIPS
+ : RSA_MODULUS_ENCODED,
+ JavaUtils.isFIPSEnabled()
+ ? RSA_PUBLIC_EXPONENT_ENCODED_FIPS
+ : RSA_PUBLIC_EXPONENT_ENCODED);
assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.PS256)));
JwtToken token = jws.getJwtToken();
JwsHeaders inHeaders = new JwsHeaders(token.getJwsHeaders());
@@ -303,8 +384,15 @@ public void testWriteReadJwsSignedByESPrivateKey() throws Exception {
@Test
public void testReadJwsSignedByPrivateKey() throws Exception {
- JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY);
- RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
+ JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(JavaUtils.isFIPSEnabled()
+ ? ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY_FIPS
+ : ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY);
+ RSAPublicKey key = CryptoUtils.getRSAPublicKey(JavaUtils.isFIPSEnabled()
+ ? RSA_MODULUS_ENCODED_FIPS
+ : RSA_MODULUS_ENCODED,
+ JavaUtils.isFIPSEnabled()
+ ? RSA_PUBLIC_EXPONENT_ENCODED_FIPS
+ : RSA_PUBLIC_EXPONENT_ENCODED);
assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.RS256)));
JwtToken token = jws.getJwtToken();
JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
index a0bfaf15e56..500661c79c0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
@@ -20,6 +20,7 @@
import java.security.cert.X509Certificate;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
@@ -44,7 +45,9 @@ protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
X509Certificate cert =
(X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
theEncryptionProvider = JweUtils.createJweEncryptionProvider(cert.getPublicKey(),
- KeyAlgorithm.RSA_OAEP,
+ JavaUtils.isFIPSEnabled()
+ ? KeyAlgorithm.RSA_OAEP_256
+ : KeyAlgorithm.RSA_OAEP,
ContentAlgorithm.A128GCM,
null);
}
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
index 608b2cabbed..0ef98e3ea70 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
@@ -38,6 +38,7 @@
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
@@ -145,8 +146,10 @@ protected byte[] getSymmetricKeyBytes(Message message, Element encDataElement) {
&& (digestAlgo == null || !encProps.getEncryptionDigestAlgo().equals(digestAlgo))) {
throwFault("Digest Algorithm is not supported", null);
}
- } else if (!XMLCipher.RSA_OAEP.equals(keyEncAlgo)) {
- // RSA OAEP is the required default Key Transport Algorithm
+ } else if ((JavaUtils.isFIPSEnabled() && !XMLCipher.RSA_OAEP_11.equals(keyEncAlgo))
+ || (!JavaUtils.isFIPSEnabled() && !XMLCipher.RSA_OAEP.equals(keyEncAlgo))) {
+ // RSA-OAEP is the required default Key Transport Algorithm
+ // (RSA-OAEP-11 with SHA-256 in FIPS mode)
throwFault("Key Transport Algorithm is not supported", null);
}
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/EncryptionProperties.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/EncryptionProperties.java
index 4de9e8e2a0e..0530cf42dff 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/EncryptionProperties.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/EncryptionProperties.java
@@ -18,10 +18,12 @@
*/
package org.apache.cxf.rs.security.xml;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.xml.security.encryption.XMLCipher;
public class EncryptionProperties {
- private String encryptionKeyTransportAlgo = XMLCipher.RSA_OAEP;
+ private String encryptionKeyTransportAlgo =
+ JavaUtils.isFIPSEnabled() ? XMLCipher.RSA_OAEP_11 : XMLCipher.RSA_OAEP;
private String encryptionSymmetricKeyAlgo;
private String encryptionDigestAlgo;
private String encryptionKeyIdType;
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
index 787ea36404e..5ededa4cfdc 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
@@ -37,6 +37,7 @@
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.common.CryptoLoader;
@@ -102,7 +103,8 @@ protected Document encryptDocument(Message message, Document payloadDoc)
throws Exception {
String symEncAlgo = encProps.getEncryptionSymmetricKeyAlgo() == null
- ? XMLCipher.AES_256 : encProps.getEncryptionSymmetricKeyAlgo();
+ ? JavaUtils.isFIPSEnabled() ? XMLCipher.AES_256_GCM : XMLCipher.AES_256
+ : encProps.getEncryptionSymmetricKeyAlgo();
byte[] secretKey = getSymmetricKey(symEncAlgo);
@@ -140,7 +142,8 @@ protected Document encryptDocument(Message message, Document payloadDoc)
}
String keyEncAlgo = encProps.getEncryptionKeyTransportAlgo() == null
- ? XMLCipher.RSA_OAEP : encProps.getEncryptionKeyTransportAlgo();
+ ? JavaUtils.isFIPSEnabled() ? XMLCipher.RSA_OAEP_11 : XMLCipher.RSA_OAEP
+ : encProps.getEncryptionKeyTransportAlgo();
String digestAlgo = encProps.getEncryptionDigestAlgo();
byte[] encryptedSecretKey = encryptSymmetricKey(secretKey, receiverCert,
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
index f335e15380c..ad13c20f8ad 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
@@ -35,6 +35,7 @@
import jakarta.ws.rs.core.Response;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.StaxOutInterceptor;
@@ -152,7 +153,8 @@ public void handleMessage(Message message) throws Fault {
private void configureEncryption(Message message, XMLSecurityProperties properties)
throws Exception {
String symEncAlgo = encryptionProperties.getEncryptionSymmetricKeyAlgo() == null
- ? XMLCipher.AES_256 : encryptionProperties.getEncryptionSymmetricKeyAlgo();
+ ? JavaUtils.isFIPSEnabled() ? XMLCipher.AES_256_GCM : XMLCipher.AES_256
+ : encryptionProperties.getEncryptionSymmetricKeyAlgo();
properties.setEncryptionSymAlgorithm(symEncAlgo);
properties.setEncryptionKey(getSymmetricKey(symEncAlgo));
if (encryptSymmetricKey) {
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
index 26964017954..abcd82ae2c0 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
@@ -29,8 +29,10 @@
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
+import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
+import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
@@ -68,6 +70,25 @@
*/
public final class CryptoUtils {
+ static {
+ if (JavaUtils.isFIPSEnabled()) {
+ Provider currentProvider = Security.getProvider(JavaUtils.getFIPSSecurityProvider() != null
+ ? JavaUtils.getFIPSSecurityProvider() : "BCFIPS");
+ if (currentProvider == null) {
+ try {
+ Class clazz =
+ (Class)CryptoUtils.class.getClassLoader()
+ .loadClass("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ Provider provider = clazz.getDeclaredConstructor().newInstance();
+ Security.addProvider(provider);
+ } catch (Throwable t) {
+ t.printStackTrace();
+
+ }
+ }
+ }
+ }
+
private CryptoUtils() {
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java
index 312d591e37c..959af4e5bed 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java
@@ -30,6 +30,7 @@
import org.w3c.dom.Element;
import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
@@ -42,6 +43,7 @@
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
/**
* This class retrieves the default AlgorithmSuites plus the CXF specific GCM AlgorithmSuites.
@@ -59,6 +61,18 @@ public AlgorithmSuite getAlgorithmSuite(Bus bus, SPConstants.SPVersion version,
assertions.put(qName, new PrimitiveAssertion(qName));
qName = new QName(ns, "Basic256GCM");
assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic256GCMRsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic192GCMRsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic128GCMRsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic256GCMSha256Rsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic192GCMSha256Rsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic128GCMSha256Rsa15");
+ assertions.put(qName, new PrimitiveAssertion(qName));
qName = new QName(ns, "CustomAlgorithmSuite");
assertions.put(qName, new PrimitiveAssertion(qName));
@@ -87,7 +101,8 @@ public static class GCMAlgorithmSuite extends AlgorithmSuite {
SPConstants.SHA1,
"http://www.w3.org/2009/xmlenc11#aes128-gcm",
SPConstants.KW_AES128,
- SPConstants.KW_RSA_OAEP,
+ JavaUtils.isFIPSEnabled() ? "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+ : SPConstants.KW_RSA_OAEP,
SPConstants.P_SHA1_L128,
SPConstants.P_SHA1_L128,
128, 128, 128, 256, 1024, 4096
@@ -101,7 +116,8 @@ public static class GCMAlgorithmSuite extends AlgorithmSuite {
SPConstants.SHA1,
"http://www.w3.org/2009/xmlenc11#aes192-gcm",
SPConstants.KW_AES192,
- SPConstants.KW_RSA_OAEP,
+ JavaUtils.isFIPSEnabled() ? "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+ : SPConstants.KW_RSA_OAEP,
SPConstants.P_SHA1_L192,
SPConstants.P_SHA1_L192,
192, 192, 192, 256, 1024, 4096
@@ -115,13 +131,77 @@ public static class GCMAlgorithmSuite extends AlgorithmSuite {
SPConstants.SHA1,
"http://www.w3.org/2009/xmlenc11#aes256-gcm",
SPConstants.KW_AES256,
- SPConstants.KW_RSA_OAEP,
+ JavaUtils.isFIPSEnabled() ? "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+ : SPConstants.KW_RSA_OAEP,
SPConstants.P_SHA1_L256,
SPConstants.P_SHA1_L192,
256, 192, 256, 256, 1024, 4096
)
);
+ // GCM-based policies with RSA 1.5 key wrap (NOT FIPS compliant)
+
+ ALGORITHM_SUITE_TYPES.put("Basic256GCMRsa15", new AlgorithmSuiteType(
+ "Basic256GCMRsa15",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+ SPConstants.KW_AES256,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L256,
+ SPConstants.P_SHA1_L192,
+ 256, 192, 256,
+ 256, 1024, 4096));
+ ALGORITHM_SUITE_TYPES.put("Basic192GCMRsa15", new AlgorithmSuiteType(
+ "Basic192GCMRsa15",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+ SPConstants.KW_AES192,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L192,
+ SPConstants.P_SHA1_L192,
+ 192, 192, 192,
+ 256, 1024, 4096));
+ ALGORITHM_SUITE_TYPES.put("Basic128GCMRsa15", new AlgorithmSuiteType(
+ "Basic128GCMRsa15",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+ SPConstants.KW_AES128,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L128,
+ SPConstants.P_SHA1_L128,
+ 128, 128, 128,
+ 256, 1024, 4096));
+
+ ALGORITHM_SUITE_TYPES.put("Basic256GCMSha256Rsa15", new AlgorithmSuiteType(
+ "Basic256GCMSha256Rsa15",
+ SPConstants.SHA256,
+ "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+ SPConstants.KW_AES256,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L256,
+ SPConstants.P_SHA1_L192,
+ 256, 192, 256,
+ 256, 1024, 4096));
+ ALGORITHM_SUITE_TYPES.put("Basic192GCMSha256Rsa15", new AlgorithmSuiteType(
+ "Basic192GCMSha256Rsa15",
+ SPConstants.SHA256,
+ "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+ SPConstants.KW_AES192,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L192,
+ SPConstants.P_SHA1_L192,
+ 192, 192, 192,
+ 256, 1024, 4096));
+ ALGORITHM_SUITE_TYPES.put("Basic128GCMSha256Rsa15", new AlgorithmSuiteType(
+ "Basic128GCMSha256Rsa15",
+ SPConstants.SHA256,
+ "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+ SPConstants.KW_AES128,
+ SPConstants.KW_RSA15,
+ SPConstants.P_SHA1_L128,
+ SPConstants.P_SHA1_L128,
+ 128, 128, 128,
+ 256, 1024, 4096));
ALGORITHM_SUITE_TYPES.put(
"CustomAlgorithmSuite",
@@ -130,7 +210,8 @@ public static class GCMAlgorithmSuite extends AlgorithmSuite {
SPConstants.SHA256,
"http://www.w3.org/2009/xmlenc11#aes256-gcm",
SPConstants.KW_AES256,
- SPConstants.KW_RSA15,
+ JavaUtils.isFIPSEnabled()
+ ? "http://www.w3.org/2009/xmlenc11#rsa-oaep" : SPConstants.KW_RSA15,
SPConstants.P_SHA1_L256,
SPConstants.P_SHA1_L192,
256, 192, 256, 256, 1024, 4096
@@ -164,6 +245,24 @@ protected void parseCustomAssertion(Assertion assertion) {
} else if ("Basic256GCM".equals(assertionName)) {
setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCM"));
getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic256GCMRsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCMRsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic192GCMRsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic192GCMRsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic128GCMRsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic128GCMRsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic256GCMSha256Rsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCMSha256Rsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic192GCMSha256Rsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic192GCMSha256Rsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic128GCMSha256Rsa15".equals(assertionName)) {
+ setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic128GCMSha256Rsa15"));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
} else if ("CustomAlgorithmSuite".equals(assertionName)) {
setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("CustomAlgorithmSuite"));
getAlgorithmSuiteType().setNamespace(assertionNamespace);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
index d045a02ac23..8e2d6df63fc 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
@@ -32,6 +32,7 @@
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.message.Message;
@@ -43,6 +44,8 @@
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.wss4j.common.ConfigurationConstants;
+
+import org.junit.Assume;
import org.junit.Test;
import static org.junit.Assert.assertTrue;
@@ -111,6 +114,8 @@ public void testSignedWithCompleteCoverage() throws Exception {
@Test
public void testEncryptedWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInterceptorAndValidate(
"encrypted_missing_enc_header.xml",
this.getPrefixes(),
@@ -135,6 +140,8 @@ public void testEncryptedWithIncompleteCoverage() throws Exception {
@Test
public void testEncryptedWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInterceptorAndValidate(
"encrypted_body_content.xml",
this.getPrefixes(),
@@ -159,6 +166,8 @@ public void testEncryptedWithCompleteCoverage() throws Exception {
@Test
public void testEncryptedSignedWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInterceptorAndValidate(
"encrypted_body_content_signed_missing_signed_header.xml",
this.getPrefixes(),
@@ -169,6 +178,8 @@ public void testEncryptedSignedWithIncompleteCoverage() throws Exception {
@Test
public void testEncryptedSignedWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInterceptorAndValidate(
"encrypted_body_content_signed.xml",
this.getPrefixes(),
@@ -250,5 +261,6 @@ private PhaseInterceptor getWss4jInInterceptor() {
inHandler.setProperty(ConfigurationConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
return inHandler;
+
}
}
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DOMToStaxRoundTripTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DOMToStaxRoundTripTest.java
index 5f2b01f5a45..35a30391667 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DOMToStaxRoundTripTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DOMToStaxRoundTripTest.java
@@ -29,6 +29,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -205,14 +206,18 @@ public void testEncryptionAlgorithms() throws Exception {
properties.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
properties.put(ConfigurationConstants.USER, "myalias");
properties.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYTRANSPORT_RSA15);
- properties.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.TRIPLE_DES);
-
+ if (JavaUtils.isFIPSEnabled()) {
+ properties.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_128_GCM);
+ inProperties.setAllowRSA15KeyTransportAlgorithm(false);
+ } else {
+ properties.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.TRIPLE_DES);
+ }
WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
try {
echo.echo("test");
- fail("Failure expected as RSA v1.5 is not allowed by default");
+ fail("Failure expected as RSA v1.5 is not allowed by configuration");
} catch (jakarta.xml.ws.soap.SOAPFaultException ex) {
// expected
}
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PluggablePolicyValidatorTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PluggablePolicyValidatorTest.java
index 77733e40a8a..783d2227a2e 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PluggablePolicyValidatorTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PluggablePolicyValidatorTest.java
@@ -31,6 +31,7 @@
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
@@ -42,6 +43,7 @@
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP12Constants;
+import org.junit.Assume;
import org.junit.Test;
import static org.junit.Assert.assertNotNull;
@@ -54,6 +56,8 @@ public class PluggablePolicyValidatorTest extends AbstractPolicySecurityTest {
@Test
public void testEncryptedElementsPolicyValidator() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
// This should work (body content is encrypted)
this.runInInterceptorAndValidate(
"encrypted_body_content.xml",
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
index 81dedb4b463..1b05f793f11 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
@@ -27,6 +27,7 @@
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.wss4j.policy.SP12Constants;
+import org.junit.Assume;
import org.junit.Test;
import static org.junit.Assert.fail;
@@ -181,6 +182,8 @@ public void testSignedPartsPolicyWithCompleteCoverage() throws Exception {
@Test
public void testEncryptedElementsPolicyWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_missing_enc_header.xml",
"encrypted_elements_policy.xml",
@@ -198,6 +201,8 @@ public void testEncryptedElementsPolicyWithIncompleteCoverage() throws Exception
@Test
public void testEncryptedElementsPolicyWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_content.xml",
"encrypted_elements_policy.xml",
@@ -244,6 +249,8 @@ public void testEncryptedElementsPolicyWithCompleteCoverage() throws Exception {
@Test
public void testContentEncryptedElementsPolicyWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_element.xml",
"content_encrypted_elements_policy.xml",
@@ -254,6 +261,8 @@ public void testContentEncryptedElementsPolicyWithIncompleteCoverage() throws Ex
@Test
public void testContentEncryptedElementsPolicyWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_content.xml",
"content_encrypted_elements_policy.xml",
@@ -273,6 +282,8 @@ public void testContentEncryptedElementsPolicyWithCompleteCoverage() throws Exce
@Test
public void testEncryptedPartsPolicyWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_missing_enc_body.xml",
"encrypted_parts_policy_body.xml",
@@ -304,6 +315,8 @@ public void testEncryptedPartsPolicyWithIncompleteCoverage() throws Exception {
@Test
public void testEncryptedPartsPolicyWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_content.xml",
"encrypted_parts_policy_body.xml",
@@ -371,6 +384,8 @@ public void testEncryptedPartsPolicyWithCompleteCoverage() throws Exception {
@Test
public void testSignedEncryptedPartsWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"signed_x509_issuer_serial_encrypted_missing_enc_header.xml",
"signed_parts_policy_header_and_body_encrypted.xml",
@@ -382,6 +397,8 @@ public void testSignedEncryptedPartsWithIncompleteCoverage() throws Exception {
@Test
public void testSignedEncryptedPartsWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
if (!TestUtilities.checkUnrestrictedPoliciesInstalled()) {
return;
}
@@ -408,6 +425,8 @@ public void testSignedEncryptedPartsWithCompleteCoverage() throws Exception {
@Test
public void testEncryptedSignedPartsWithIncompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_content_signed_missing_signed_header.xml",
"encrypted_parts_policy_header_and_body_signed.xml",
@@ -418,6 +437,8 @@ public void testEncryptedSignedPartsWithIncompleteCoverage() throws Exception {
@Test
public void testEncryptedSignedPartsWithCompleteCoverage() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
this.runInInterceptorAndValidate(
"encrypted_body_content_signed.xml",
"encrypted_parts_policy_header_and_body_signed.xml",
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java
index 37434dbae44..b7b73eaf0a1 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java
@@ -29,6 +29,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -77,7 +78,10 @@ public void testEncryptedBody() throws Exception {
actions.add(XMLSecurityConstants.ENCRYPTION);
properties.setActions(actions);
properties.setEncryptionUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(
+ JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -178,7 +182,9 @@ public void testEncryptUsernameToken() throws Exception {
);
properties.setEncryptionUser("myalias");
properties.setTokenUser("username");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -424,7 +430,9 @@ public void testEncryptSignature() throws Exception {
properties.setActions(actions);
properties.setEncryptionUser("myalias");
properties.setSignatureUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripActionTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripActionTest.java
index ab10d697013..7daa6d4e07f 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripActionTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripActionTest.java
@@ -31,6 +31,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -185,7 +186,9 @@ public void testEncrypt() throws Exception {
actions.add(XMLSecurityConstants.ENCRYPTION);
properties.setActions(actions);
properties.setEncryptionUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -235,7 +238,9 @@ public void testEncryptConfig() throws Exception {
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
@@ -293,7 +298,9 @@ public void testEncryptUsernameToken() throws Exception {
);
properties.setEncryptionUser("myalias");
properties.setTokenUser("username");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -341,7 +348,9 @@ public void testEncryptUsernameTokenConfig() throws Exception {
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
@@ -635,7 +644,9 @@ public void testEncryptSignature() throws Exception {
properties.setActions(actions);
properties.setEncryptionUser("myalias");
properties.setSignatureUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -682,7 +693,9 @@ public void testEncryptSignatureConfig() throws Exception {
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.SIG_PROP_FILE, "outsecurity.properties");
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripTest.java
index a7464875b5c..e516133bc12 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxRoundTripTest.java
@@ -35,6 +35,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -445,7 +446,9 @@ public void testEncrypt() throws Exception {
List actions = new ArrayList<>();
actions.add(XMLSecurityConstants.ENCRYPTION);
properties.setActions(actions);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
properties.setEncryptionUser("myalias");
Properties outCryptoProperties =
@@ -479,7 +482,9 @@ public void testEncryptConfig() throws Exception {
Map outConfig = new HashMap<>();
outConfig.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPTION);
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
@@ -519,7 +524,9 @@ public void testEncryptUsernameToken() throws Exception {
);
properties.setEncryptionUser("myalias");
properties.setTokenUser("username");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -562,7 +569,9 @@ public void testEncryptUsernameTokenConfig() throws Exception {
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
@@ -973,7 +982,9 @@ public void testEncryptSignature() throws Exception {
properties.setActions(actions);
properties.setEncryptionUser("myalias");
properties.setSignatureUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -1015,7 +1026,9 @@ public void testEncryptSignatureConfig() throws Exception {
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.SIG_PROP_FILE, "outsecurity.properties");
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMEncryptionIdentifierTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMEncryptionIdentifierTest.java
index 960d268f134..be0b013cfc9 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMEncryptionIdentifierTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMEncryptionIdentifierTest.java
@@ -29,6 +29,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -77,7 +78,9 @@ public void testEncryptDirectReference() throws Exception {
properties.setEncryptionKeyIdentifier(
WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE
);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -116,7 +119,9 @@ public void testEncryptIssuerSerial() throws Exception {
properties.setEncryptionKeyIdentifier(
WSSecurityTokenConstants.KeyIdentifier_IssuerSerial
);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -155,7 +160,9 @@ public void testEncryptThumbprint() throws Exception {
properties.setEncryptionKeyIdentifier(
WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER
);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -195,7 +202,9 @@ public void testEncryptX509() throws Exception {
properties.setEncryptionKeyIdentifier(
WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier
);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -234,7 +243,9 @@ public void testEncryptEncryptedKeySHA1() throws Exception {
properties.setEncryptionKeyIdentifier(
WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER
);
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMRoundTripTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMRoundTripTest.java
index 4091869cd1b..534ef914458 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMRoundTripTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxToDOMRoundTripTest.java
@@ -31,6 +31,7 @@
import org.apache.cxf.ext.logging.LoggingInInterceptor;
import org.apache.cxf.ext.logging.LoggingOutInterceptor;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.service.Service;
@@ -275,7 +276,9 @@ public void testEncrypt() throws Exception {
actions.add(XMLSecurityConstants.ENCRYPTION);
properties.setActions(actions);
properties.setEncryptionUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -311,7 +314,9 @@ public void testEncryptConfig() throws Exception {
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
@@ -349,13 +354,18 @@ public void testEncryptionAlgorithms() throws Exception {
properties.setEncryptionCryptoProperties(cryptoProperties);
properties.setCallbackHandler(new TestPwdCallback());
properties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-1_5");
- properties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+ if (JavaUtils.isFIPSEnabled()) {
+ properties.setEncryptionSymAlgorithm("http://www.w3.org/2009/xmlenc11#aes256-gcm");
+ inProperties.put(ConfigurationConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "false");
+ } else {
+ properties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+ }
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
try {
echo.echo("test");
- fail("Failure expected as RSA v1.5 is not allowed by default");
+ fail("Failure expected as RSA v1.5 is not allowed by configuration");
} catch (jakarta.xml.ws.soap.SOAPFaultException ex) {
// expected
}
@@ -391,15 +401,20 @@ public void testEncryptionAlgorithmsConfig() throws Exception {
ConfigurationConstants.ENC_KEY_TRANSPORT,
"http://www.w3.org/2001/04/xmlenc#rsa-1_5"
);
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
+ if (JavaUtils.isFIPSEnabled()) {
+ inProperties.put(ConfigurationConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "false");
+ }
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
try {
echo.echo("test");
- fail("Failure expected as RSA v1.5 is not allowed by default");
+ fail("Failure expected as RSA v1.5 is not allowed by configuration");
} catch (jakarta.xml.ws.soap.SOAPFaultException ex) {
// expected
}
@@ -440,7 +455,9 @@ public void testEncryptUsernameToken() throws Exception {
);
properties.setEncryptionUser("myalias");
properties.setTokenUser("username");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -487,7 +504,9 @@ public void testEncryptUsernameTokenConfig() throws Exception {
outConfig.put(ConfigurationConstants.ENCRYPTION_USER, "myalias");
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
@@ -979,7 +998,9 @@ public void testEncryptSignature() throws Exception {
properties.setActions(actions);
properties.setEncryptionUser("myalias");
properties.setSignatureUser("myalias");
- properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
+ properties.setEncryptionSymAlgorithm(JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
Properties cryptoProperties =
CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
@@ -1025,7 +1046,9 @@ public void testEncryptSignatureConfig() throws Exception {
outConfig.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
outConfig.put(ConfigurationConstants.SIG_PROP_FILE, "outsecurity.properties");
outConfig.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
- outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, XMLSecurityConstants.NS_XENC_AES128);
+ outConfig.put(ConfigurationConstants.ENC_SYM_ALGO, JavaUtils.isFIPSEnabled()
+ ? XMLSecurityConstants.NS_XENC11_AES128_GCM
+ : XMLSecurityConstants.NS_XENC_AES128);
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(outConfig);
client.getOutInterceptors().add(ohandler);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java
index 885c3524bf8..9601b160c4d 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java
@@ -28,6 +28,7 @@
import jakarta.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.ExchangeImpl;
import org.apache.cxf.message.MessageImpl;
@@ -37,6 +38,7 @@
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.WSS4JConstants;
+import org.junit.Assume;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
@@ -190,6 +192,8 @@ public void testActionMismatch() throws Exception {
// See CXF-6900.
@Test
public void testSignedEncryptedSOAP12Fault() throws Exception {
+ //fips: CBC mode not supported
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
Document doc = readDocument("wsse-response-fault.xml");
SoapMessage msg = getSoapMessageForDom(doc, SOAPConstants.SOAP_1_2_PROTOCOL);
@@ -211,6 +215,7 @@ public void testSignedEncryptedSOAP12Fault() throws Exception {
inHandler.setProperty(ConfigurationConstants.DEC_PROP_FILE, "insecurity.properties");
inHandler.setProperty(ConfigurationConstants.SIG_VER_PROP_FILE, "insecurity.properties");
inHandler.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, TestPwdCallback.class.getName());
+
inHandler.setProperty(
ConfigurationConstants.PW_CALLBACK_CLASS,
"org.apache.cxf.ws.security.wss4j.TestPwdCallback"
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
index afdef21757f..a3166d2fce9 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
@@ -37,6 +37,7 @@
import org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.ExchangeImpl;
@@ -156,12 +157,12 @@ public void testEncryption() throws Exception {
outProperties.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
outProperties.put(ConfigurationConstants.USER, "myalias");
outProperties.put("password", "myAliasPassword");
-
+
Map inProperties = new HashMap<>();
inProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPTION);
inProperties.put(ConfigurationConstants.DEC_PROP_FILE, "insecurity.properties");
inProperties.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
-
+
List xpaths = new ArrayList<>();
xpaths.add("//wsse:Security");
xpaths.add("//s:Body/xenc:EncryptedData");
@@ -199,12 +200,16 @@ public void testEncryption() throws Exception {
@Test
public void testEncryptionWithAgreementMethodsX448() throws Exception {
+ //X448 isn't compliant in FIPS mode
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
Assume.assumeTrue(getJDKVersion() >= 16);
testEncryptionWithAgreementMethod("x448", "//dsig11:DEREncodedKeyValue");
}
@Test
public void testEncryptionWithAgreementMethodsX25519() throws Exception {
+ //X25519 isn't compliant in FIPS mode
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
Assume.assumeTrue(getJDKVersion() >= 16);
testEncryptionWithAgreementMethod("x25519", "//dsig11:DEREncodedKeyValue");
}
@@ -293,7 +298,7 @@ public void testEncryptedUsernameToken() throws Exception {
ConfigurationConstants.ENCRYPTION_PARTS,
"{Content}{" + WSS4JConstants.WSSE_NS + "}UsernameToken"
);
-
+
Map inProperties = new HashMap<>();
inProperties.put(
ConfigurationConstants.ACTION,
@@ -301,6 +306,7 @@ public void testEncryptedUsernameToken() throws Exception {
);
inProperties.put(ConfigurationConstants.DEC_PROP_FILE, "insecurity.properties");
inProperties.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
+
List xpaths = new ArrayList<>();
xpaths.add("//wsse:Security");
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java
index 7db888644ac..0bb52d56023 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java
@@ -42,6 +42,7 @@
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.bus.managers.PhaseManagerImpl;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.interceptor.AttachmentInInterceptor;
import org.apache.cxf.interceptor.AttachmentOutInterceptor;
import org.apache.cxf.interceptor.Interceptor;
@@ -88,6 +89,8 @@ public WSS4JInOutWithAttachmentsTest() {
@Test
public void testEncryptWithAgreementConcatKDFWithXECAndEDKeys() throws Exception {
Assume.assumeTrue(getJDKVersion() >= 16);
+ //ed25519 isn't compliant in FIPS mode
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
testEncryptWithAgreementMethod("ed25519", "x25519",
WSS4JConstants.AGREEMENT_METHOD_X25519, WSS4JConstants.KEYDERIVATION_CONCATKDF);
}
@@ -101,6 +104,8 @@ public void testEncryptWithAgreementConcatKDFWithECKeys() throws Exception {
@Test
public void testEncryptWithAgreementHKDFWithXECAndEDKeys() throws Exception {
Assume.assumeTrue(getJDKVersion() >= 16);
+ //XDH (X25519/X448) is not FIPS 140-2 approved,
+ Assume.assumeFalse(JavaUtils.isFIPSEnabled());
testEncryptWithAgreementMethod("ed25519", "x25519",
WSS4JConstants.AGREEMENT_METHOD_X25519, WSS4JConstants.KEYDERIVATION_HKDF);
}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/EncryptionProperties.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/EncryptionProperties.java
index b6e106c8b3d..06b5ab19233 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/EncryptionProperties.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/EncryptionProperties.java
@@ -21,6 +21,7 @@
import java.util.ArrayList;
import java.util.List;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.dom.WSConstants;
@@ -30,8 +31,10 @@
* certificate from a KeyStore) - everything else is optional.
*/
public class EncryptionProperties {
- private String encryptionAlgorithm = WSConstants.AES_256;
- private String keyWrapAlgorithm = WSConstants.KEYTRANSPORT_RSAOAEP;
+ private String encryptionAlgorithm =
+ JavaUtils.isFIPSEnabled() ? WSConstants.AES_256_GCM : WSConstants.AES_256;
+ private String keyWrapAlgorithm =
+ JavaUtils.isFIPSEnabled() ? WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11 : WSConstants.KEYTRANSPORT_RSAOAEP;
private int keyIdentifierType = WSConstants.ISSUER_SERIAL;
private List acceptedEncryptionAlgorithms = new ArrayList<>();
private List acceptedKeyWrapAlgorithms = new ArrayList<>();
@@ -39,17 +42,22 @@ public class EncryptionProperties {
public EncryptionProperties() {
// Default symmetric encryption algorithms
- acceptedEncryptionAlgorithms.add(WSS4JConstants.TRIPLE_DES);
- acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_128);
- acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_192);
- acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_256);
+ if (!JavaUtils.isFIPSEnabled()) {
+ acceptedEncryptionAlgorithms.add(WSS4JConstants.TRIPLE_DES);
+ acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_128);
+ acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_192);
+ acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_256);
+ }
acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_128_GCM);
acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_192_GCM);
acceptedEncryptionAlgorithms.add(WSS4JConstants.AES_256_GCM);
// Default key wrap algorithms
- acceptedKeyWrapAlgorithms.add(WSS4JConstants.KEYTRANSPORT_RSA15);
+ if (!JavaUtils.isFIPSEnabled()) {
+ acceptedKeyWrapAlgorithms.add(WSS4JConstants.KEYTRANSPORT_RSA15);
+ }
acceptedKeyWrapAlgorithms.add(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
+ acceptedKeyWrapAlgorithms.add(WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11);
}
/**
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/JWTTokenProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/JWTTokenProvider.java
index cc9ade1616a..0e751983605 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/JWTTokenProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/JWTTokenProvider.java
@@ -32,6 +32,7 @@
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
@@ -303,7 +304,8 @@ private String encryptToken(
try {
KeyAlgorithm.getAlgorithm(keyWrapAlgorithm);
} catch (IllegalArgumentException ex) {
- keyWrapAlgorithm = KeyAlgorithm.RSA_OAEP.name();
+ keyWrapAlgorithm = JavaUtils.isFIPSEnabled()
+ ? KeyAlgorithm.RSA_OAEP_256.name() : KeyAlgorithm.RSA_OAEP.name();
}
encProperties.put(JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, keyWrapAlgorithm);
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueEncryptedUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueEncryptedUnitTest.java
index db80b7add68..c06b8960999 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueEncryptedUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueEncryptedUnitTest.java
@@ -27,6 +27,7 @@
import jakarta.xml.bind.JAXBElement;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.QNameConstants;
@@ -77,7 +78,10 @@ public void testIssueEncryptedToken() throws Exception {
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(
+ JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -128,7 +132,9 @@ public void testEncryptionName() throws Exception {
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -187,7 +193,9 @@ public void testConfiguredEncryptionAlgorithm() throws Exception {
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -219,6 +227,7 @@ public void testConfiguredEncryptionAlgorithm() throws Exception {
assertFalse(securityTokenResponse.isEmpty());
encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.KEYTRANSPORT_RSA15);
+
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad encryption algorithm");
@@ -264,7 +273,9 @@ public void testReceivedEncryptionAlgorithm() throws Exception {
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
JAXBElement encryptionAlgorithmType =
new JAXBElement(
- QNameConstants.ENCRYPTION_ALGORITHM, String.class, WSS4JConstants.AES_128
+ QNameConstants.ENCRYPTION_ALGORITHM, String.class, JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128
);
request.getAny().add(encryptionAlgorithmType);
@@ -323,9 +334,13 @@ public void testConfiguredKeyWrapAlgorithm() throws Exception {
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
- encryptionProperties.setKeyWrapAlgorithm(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
+ encryptionProperties.setKeyWrapAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11
+ : WSS4JConstants.KEYTRANSPORT_RSAOAEP);
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -356,7 +371,9 @@ public void testConfiguredKeyWrapAlgorithm() throws Exception {
response.getRequestSecurityTokenResponse();
assertFalse(securityTokenResponse.isEmpty());
- encryptionProperties.setKeyWrapAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setKeyWrapAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad key-wrap algorithm");
@@ -391,7 +408,9 @@ public void testSpecifiedKeyWrapAlgorithm() throws Exception {
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -413,7 +432,9 @@ public void testSpecifiedKeyWrapAlgorithm() throws Exception {
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
JAXBElement encryptionAlgorithmType =
new JAXBElement(
- QNameConstants.KEYWRAP_ALGORITHM, String.class, WSS4JConstants.KEYTRANSPORT_RSAOAEP
+ QNameConstants.KEYWRAP_ALGORITHM, String.class, JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11
+ : WSS4JConstants.KEYTRANSPORT_RSAOAEP
);
request.getAny().add(encryptionAlgorithmType);
@@ -464,7 +485,9 @@ public void testConfiguredKeyIdentifiers() throws Exception {
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
encryptionProperties.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
service.setEncryptionProperties(encryptionProperties);
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSCTUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSCTUnitTest.java
index 4f7565dc280..2f1a069c521 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSCTUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSCTUnitTest.java
@@ -30,6 +30,7 @@
import jakarta.xml.bind.JAXBElement;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.security.SecurityContext;
@@ -177,7 +178,9 @@ public void testIssueEncryptedSCT() throws Exception {
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlRealmUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlRealmUnitTest.java
index e63da9afc5f..df3402169f8 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlRealmUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlRealmUnitTest.java
@@ -32,6 +32,7 @@
import jakarta.xml.bind.JAXBElement;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.security.SecurityContext;
@@ -538,7 +539,9 @@ private Properties getEncryptionPropertiesPKCS12() {
"org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
);
properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "security");
- properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "x509.p12");
+ properties.put("org.apache.wss4j.crypto.merlin.keystore.file", JavaUtils.isFIPSEnabled()
+ ? "x509-fips.p12"
+ : "x509.p12");
properties.put("org.apache.wss4j.crypto.merlin.keystore.type", "pkcs12");
properties.put("org.apache.wss4j.crypto.merlin.keystore.private.password", "security");
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 8ae39dae99d..fed38a381da 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -32,6 +32,7 @@
import jakarta.xml.bind.JAXBElement;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.security.SecurityContext;
@@ -433,7 +434,9 @@ public void testIssueEncryptedSaml2Token() throws Exception {
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
- encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
+ encryptionProperties.setEncryptionAlgorithm(
+ JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM : WSS4JConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
@@ -834,9 +837,14 @@ public void testIssueSaml2SymmetricKeyTokenEncryptedKey() throws Exception {
WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
builder.setUserInfo("mystskey");
builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
- builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
-
- KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ builder.setKeyEncAlgo(
+ JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11
+ : WSS4JConstants.KEYTRANSPORT_RSAOAEP);
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(
+ JavaUtils.isFIPSEnabled()
+ ? WSConstants.AES_128_GCM : WSConstants.AES_128);
SecretKey symmetricKey = keyGen.generateKey();
builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey);
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
index 95938a8e9d8..2cecbfbd721 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
@@ -25,6 +25,7 @@
import org.w3c.dom.Element;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.STSConstants;
@@ -602,14 +603,18 @@ public void testDefaultSaml2EncryptWith() throws Exception {
createProviderParameters(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.SYMMETRIC_KEY_KEYTYPE);
KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
- keyRequirements.setEncryptWith(WSS4JConstants.AES_128);
+ keyRequirements.setEncryptWith(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_128_GCM
+ : WSS4JConstants.AES_128);
keyRequirements.setKeySize(92);
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertNotNull(providerResponse);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
keyRequirements.setKeySize(128);
- keyRequirements.setEncryptWith(WSS4JConstants.AES_256);
+ keyRequirements.setEncryptWith(JavaUtils.isFIPSEnabled()
+ ? WSS4JConstants.AES_256_GCM
+ : WSS4JConstants.AES_256);
providerResponse = samlTokenProvider.createToken(providerParameters);
assertNotNull(providerResponse);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
@@ -706,7 +711,9 @@ private Properties getEncryptionPropertiesPKCS12() {
"org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
);
properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "security");
- properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "x509.p12");
+ properties.put("org.apache.wss4j.crypto.merlin.keystore.file", JavaUtils.isFIPSEnabled()
+ ? "x509-fips.p12"
+ : "x509.p12");
properties.put("org.apache.wss4j.crypto.merlin.keystore.type", "pkcs12");
properties.put("org.apache.wss4j.crypto.merlin.keystore.private.password", "security");
diff --git a/services/sts/sts-core/src/test/resources/x509-fips.p12 b/services/sts/sts-core/src/test/resources/x509-fips.p12
new file mode 100644
index 00000000000..737cf5f2e72
Binary files /dev/null and b/services/sts/sts-core/src/test/resources/x509-fips.p12 differ
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/asymmetric_encr/AsymmetricEncryptionTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/asymmetric_encr/AsymmetricEncryptionTest.java
index dfe8cd86cc1..6f9d52ce923 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/asymmetric_encr/AsymmetricEncryptionTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/asymmetric_encr/AsymmetricEncryptionTest.java
@@ -22,6 +22,7 @@
import java.util.Map;
import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.common.TestParam;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
@@ -56,8 +57,12 @@ public AsymmetricEncryptionTest(TestParam type) {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new STSServer(
- AsymmetricEncryptionTest.class.getResource("cxf-sts.xml"),
- AsymmetricEncryptionTest.class.getResource("stax-cxf-sts.xml"))));
+ AsymmetricEncryptionTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-sts-fips.xml"
+ : "cxf-sts.xml"),
+ AsymmetricEncryptionTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "stax-cxf-sts-fips.xml"
+ : "stax-cxf-sts.xml"))));
}
@Parameters(name = "{0}")
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/binarysecuritytoken/BinarySecurityTokenTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/binarysecuritytoken/BinarySecurityTokenTest.java
index b6b24480cb5..dc38115e5dc 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/binarysecuritytoken/BinarySecurityTokenTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/binarysecuritytoken/BinarySecurityTokenTest.java
@@ -23,6 +23,7 @@
import javax.xml.namespace.QName;
import jakarta.xml.ws.Service;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
import org.apache.cxf.systest.sts.common.TestParam;
import org.apache.cxf.systest.sts.deployment.DoubleItServer;
@@ -66,8 +67,12 @@ public BinarySecurityTokenTest(TestParam type) {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new DoubleItServer(
- BinarySecurityTokenTest.class.getResource("cxf-service.xml"),
- BinarySecurityTokenTest.class.getResource("stax-cxf-service.xml")
+ BinarySecurityTokenTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-service-fips.xml"
+ : "cxf-service.xml"),
+ BinarySecurityTokenTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "stax-cxf-service-fips.xml"
+ : "stax-cxf-service.xml")
)));
assertTrue(launchServer(new StaxSTSServer()));
}
@@ -85,7 +90,9 @@ public static TestParam[] data() {
public void testBinarySecurityToken() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = BinarySecurityTokenTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = BinarySecurityTokenTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricBSTPort");
DoubleItPortType asymmetricBSTPort =
@@ -105,7 +112,9 @@ public void testBinarySecurityToken() throws Exception {
public void testBadBinarySecurityToken() throws Exception {
createBus(getClass().getResource("cxf-bad-client.xml").toString());
- URL wsdl = BinarySecurityTokenTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = BinarySecurityTokenTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricBSTPort");
DoubleItPortType asymmetricBSTPort =
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/CachingTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/CachingTest.java
index e22910ae7ff..0b3ee176484 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/CachingTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/CachingTest.java
@@ -30,6 +30,7 @@
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.deployment.DoubleItServer;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -61,7 +62,9 @@ public class CachingTest extends AbstractBusClientServerTestBase {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new DoubleItServer(
- ServerCachingTest.class.getResource("cxf-service.xml")
+ ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-service-fips.xml"
+ : "cxf-service.xml")
)));
assertTrue(launchServer(new STSServer()));
}
@@ -70,7 +73,9 @@ public static void startServers() throws Exception {
public void testSTSClientCaching() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = CachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = CachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port");
DoubleItPortType port =
@@ -108,7 +113,9 @@ public void testSTSClientCaching() throws Exception {
public void testDisableProxyCaching() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = CachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = CachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port2");
DoubleItPortType port =
@@ -143,7 +150,9 @@ public void testDisableProxyCaching() throws Exception {
public void testImminentExpiry() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = CachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = CachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port");
DoubleItPortType port =
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/ServerCachingTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/ServerCachingTest.java
index bd5161e73cb..0ea92f82913 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/ServerCachingTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/caching/ServerCachingTest.java
@@ -32,6 +32,7 @@
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.deployment.DoubleItServer;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -72,10 +73,14 @@ public class ServerCachingTest extends AbstractBusClientServerTestBase {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new DoubleItServer(
- ServerCachingTest.class.getResource("cxf-service.xml")
+ ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-service-fips.xml"
+ : "cxf-service.xml")
)));
assertTrue(launchServer(new DoubleItServer(
- ServerCachingTest.class.getResource("cxf-caching-service.xml")
+ ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-caching-service-fips.xml"
+ : "cxf-caching-service.xml")
)));
assertTrue(launchServer(new STSServer()));
@@ -85,7 +90,9 @@ public static void startServers() throws Exception {
public void testServerSideSAMLTokenCaching() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = ServerCachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1AlternativePort");
DoubleItPortType port =
@@ -130,7 +137,9 @@ public void testServerSideSAMLTokenCaching() throws Exception {
public void testServerSideUsernameTokenCaching() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = ServerCachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
DoubleItPortType transportUTPort =
@@ -162,7 +171,9 @@ public void testServerSideUsernameTokenCaching() throws Exception {
public void testServerSideBinarySecurityTokenCaching() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = ServerCachingTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = ServerCachingTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricBSTPort");
DoubleItPortType bstPort =
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecureConversationTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecureConversationTest.java
index 13bc973ee6a..9d6d10a4e31 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecureConversationTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecureConversationTest.java
@@ -23,6 +23,7 @@
import javax.xml.namespace.QName;
import jakarta.xml.ws.Service;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.deployment.DoubleItServer;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -50,17 +51,23 @@ public class SecureConversationTest extends AbstractBusClientServerTestBase {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new DoubleItServer(
- SecureConversationTest.class.getResource("cxf-service.xml")
+ SecureConversationTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-service-fips.xml"
+ : "cxf-service.xml")
)));
assertTrue(launchServer(new STSServer(
- SecureConversationTest.class.getResource("cxf-sts.xml"))));
+ SecureConversationTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-sts-fips.xml"
+ : "cxf-sts.xml"))));
}
@org.junit.Test
public void testSecureConversation() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = SecureConversationTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = SecureConversationTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportSecureConvPort");
DoubleItPortType transportPort =
@@ -74,7 +81,9 @@ public void testSecureConversation() throws Exception {
public void testSecureConversationSymmetric() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = SecureConversationTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = SecureConversationTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSecureConvPort");
DoubleItPortType symmetricPort =
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenCancelTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenCancelTest.java
index 5e58be64a38..c7b1eb70db0 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenCancelTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenCancelTest.java
@@ -22,6 +22,7 @@
import java.util.Map;
import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.SecurityConstants;
@@ -46,7 +47,9 @@ public class SecurityContextTokenCancelTest extends AbstractBusClientServerTestB
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new STSServer(
- SecurityContextTokenCancelTest.class.getResource("cxf-sts.xml"))));
+ SecurityContextTokenCancelTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-sts-fips.xml"
+ : "cxf-sts.xml"))));
}
@org.junit.Test
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenUnitTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenUnitTest.java
index a89402a023f..7ca0a1737f4 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenUnitTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SecurityContextTokenUnitTest.java
@@ -22,6 +22,7 @@
import java.util.Map;
import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.common.TestParam;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.systest.sts.deployment.StaxSTSServer;
@@ -54,8 +55,12 @@ public SecurityContextTokenUnitTest(TestParam type) {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new StaxSTSServer(
- SecurityContextTokenUnitTest.class.getResource("cxf-sts.xml"),
- SecurityContextTokenUnitTest.class.getResource("stax-cxf-sts.xml"))));
+ SecurityContextTokenUnitTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-sts-fips.xml"
+ : "cxf-sts.xml"),
+ SecurityContextTokenUnitTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "stax-cxf-sts-fips.xml"
+ : "stax-cxf-sts.xml"))));
}
@Parameters(name = "{0}")
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/sts_sender_vouches/STSSenderVouchesTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/sts_sender_vouches/STSSenderVouchesTest.java
index ecdda2893bd..b6eb631a920 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/sts_sender_vouches/STSSenderVouchesTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/sts_sender_vouches/STSSenderVouchesTest.java
@@ -24,6 +24,7 @@
import jakarta.xml.ws.BindingProvider;
import jakarta.xml.ws.Service;
+import org.apache.cxf.helpers.JavaUtils;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
import org.apache.cxf.systest.sts.common.TestParam;
import org.apache.cxf.systest.sts.deployment.DoubleItServer;
@@ -62,11 +63,17 @@ public STSSenderVouchesTest(TestParam type) {
@BeforeClass
public static void startServers() throws Exception {
assertTrue(launchServer(new DoubleItServer(
- STSSenderVouchesTest.class.getResource("cxf-service.xml")
+ STSSenderVouchesTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-service-fips.xml"
+ : "cxf-service.xml")
)));
assertTrue(launchServer(new StaxSTSServer(
- STSSenderVouchesTest.class.getResource("cxf-sts.xml"),
- STSSenderVouchesTest.class.getResource("stax-cxf-sts.xml")
+ STSSenderVouchesTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "cxf-sts-fips.xml"
+ : "cxf-sts.xml"),
+ STSSenderVouchesTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "stax-cxf-sts-fips.xml"
+ : "stax-cxf-sts.xml")
)));
}
@@ -81,7 +88,9 @@ public static TestParam[] data() {
public void testSAML2SenderVouches() throws Exception {
createBus(getClass().getResource("cxf-client.xml").toString());
- URL wsdl = STSSenderVouchesTest.class.getResource("DoubleIt.wsdl");
+ URL wsdl = STSSenderVouchesTest.class.getResource(JavaUtils.isFIPSEnabled()
+ ? "DoubleIt-fips.wsdl"
+ : "DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2Port");
DoubleItPortType port =
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/cxf-sts-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/cxf-sts-fips.xml
new file mode 100644
index 00000000000..25e16d5e1a9
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/cxf-sts-fips.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ https://localhost:(\d)*/doubleit/services/doubleittransport.*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/stax-cxf-sts-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/stax-cxf-sts-fips.xml
new file mode 100644
index 00000000000..5a70c8aa525
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/asymmetric_encr/stax-cxf-sts-fips.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ https://localhost:(\d)*/doubleit/services/doubleittransport.*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/DoubleIt-fips.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/DoubleIt-fips.wsdl
new file mode 100644
index 00000000000..8612625b891
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/DoubleIt-fips.wsdl
@@ -0,0 +1,146 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/cxf-service-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/cxf-service-fips.xml
new file mode 100644
index 00000000000..859434a1dfa
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/cxf-service-fips.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/stax-cxf-service-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/stax-cxf-service-fips.xml
new file mode 100644
index 00000000000..8db1ec185e6
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/binarysecuritytoken/stax-cxf-service-fips.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/DoubleIt-fips.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/DoubleIt-fips.wsdl
new file mode 100644
index 00000000000..e61418b01cd
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/DoubleIt-fips.wsdl
@@ -0,0 +1,308 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
+ http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-caching-service-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-caching-service-fips.xml
new file mode 100644
index 00000000000..3560726fa65
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-caching-service-fips.xml
@@ -0,0 +1,110 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-service-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-service-fips.xml
new file mode 100644
index 00000000000..aabee6e0a86
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/caching/cxf-service-fips.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/DoubleIt-fips.wsdl b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/DoubleIt-fips.wsdl
new file mode 100644
index 00000000000..1b1f86dcefc
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/DoubleIt-fips.wsdl
@@ -0,0 +1,336 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-service-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-service-fips.xml
new file mode 100644
index 00000000000..e1f1b3b336c
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-service-fips.xml
@@ -0,0 +1,112 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts-fips.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts-fips.xml
new file mode 100644
index 00000000000..75f87c4a071
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/secure_conv/cxf-sts-fips.xml
@@ -0,0 +1,162 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+