From e4bf4ed03e5a5813f062b288e17c693560df9afd Mon Sep 17 00:00:00 2001
From: Maxim Thomas <maxim.thomas@gmail.com>
Date: Fri, 28 Jan 2022 19:47:20 +0000
Subject: [PATCH] do not use fips when bc-fips classes not found (#207)
---
opendj-config/src/main/java/org/forgerock/opendj/config/dsconfig/DSConfig.java | 2
opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java | 2
opendj-server-legacy/src/main/java/org/opends/quicksetup/util/ServerController.java | 4 +-
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/SetupLauncher.java | 2
opendj-server-legacy/src/main/java/org/opends/server/extensions/FileBasedTrustManagerProvider.java | 2
opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java | 6 +-
opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java | 4 +-
opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java | 31 ++++-----------
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java | 3 -
opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java | 2
opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java | 17 ++++++++
opendj-ldap-toolkit/src/main/java/com/forgerock/opendj/ldap/tools/Utils.java | 2
opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java | 2
opendj-grizzly/src/main/java/org/forgerock/opendj/grizzly/GrizzlyLDAPConnection.java | 4 +-
14 files changed, 43 insertions(+), 40 deletions(-)
diff --git a/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java b/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
index 345c0ed..a63d46b 100644
--- a/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
+++ b/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
@@ -47,7 +47,7 @@
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
-import com.forgerock.opendj.util.FipsStaticUtils;
+import com.forgerock.opendj.util.StaticUtils;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ConnectionFactory;
@@ -721,7 +721,7 @@
keyStorePIN = keyStorePass.toCharArray();
}
- boolean isFips = FipsStaticUtils.isFips();
+ boolean isFips = StaticUtils.isFips();
final String keyStoreType = KeyStore.getDefaultType();
final KeyStore keystore = KeyStore.getInstance(keyStoreType);
if (isFips) {
@@ -829,7 +829,7 @@
return TrustManagers.trustAll();
}
- boolean isFips = FipsStaticUtils.isFips();
+ boolean isFips = StaticUtils.isFips();
X509TrustManager tm = null;
if (trustStorePathArg.isPresent() && trustStorePathArg.getValue().length() > 0) {
if (isFips) {
diff --git a/opendj-config/src/main/java/org/forgerock/opendj/config/dsconfig/DSConfig.java b/opendj-config/src/main/java/org/forgerock/opendj/config/dsconfig/DSConfig.java
index 35768fa..44abe97 100644
--- a/opendj-config/src/main/java/org/forgerock/opendj/config/dsconfig/DSConfig.java
+++ b/opendj-config/src/main/java/org/forgerock/opendj/config/dsconfig/DSConfig.java
@@ -28,7 +28,7 @@
import static org.forgerock.opendj.config.PropertyOption.*;
import static org.forgerock.opendj.config.dsconfig.ArgumentExceptionFactory.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.registerBcProvider;
+import static com.forgerock.opendj.util.StaticUtils.registerBcProvider;
import java.io.BufferedReader;
import java.io.BufferedWriter;
diff --git a/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java b/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
index 60466ac..a8960ae 100644
--- a/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
+++ b/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
@@ -13,30 +13,17 @@
*/
public static final byte[] EMPTY_BYTES = new byte[0];
- public static boolean isFips() {
- java.security.Provider[] providers = java.security.Security.getProviders();
- for (int i = 0; i < providers.length; i++) {
- if (providers[i].getName().toLowerCase().contains("fips"))
- return true;
- }
-
- return false;
- }
-
public static void registerBcProvider()
{
- if (!isFips()) {
- return;
- }
+ org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider bouncyCastleProvider = (org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) java.security.Security.getProvider(org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.PROVIDER_NAME);
+ if (bouncyCastleProvider == null) {
+ FipsStaticUtils.logger.info(INFO_BC_PROVIDER_REGISTER.get());
- org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider bouncyCastleProvider = (org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) java.security.Security.getProvider(org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.PROVIDER_NAME);
- if (bouncyCastleProvider == null) {
- logger.info(INFO_BC_PROVIDER_REGISTER.get());
-
- bouncyCastleProvider = new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider();
- java.security.Security.insertProviderAt(bouncyCastleProvider, 1);
- } else {
- logger.info(INFO_BC_PROVIDER_REGISTERED_ALREADY.get());
- }
+ bouncyCastleProvider = new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider();
+ java.security.Security.insertProviderAt(bouncyCastleProvider, 1);
+ } else {
+ FipsStaticUtils.logger.info(INFO_BC_PROVIDER_REGISTERED_ALREADY.get());
+ }
}
+
}
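Review bot: With the `if (!isFips()) return;` guard gone, registerBcProvider has no runtime gate left: as soon as it runs it inserts BouncyCastleFipsProvider at position 1, ahead of every JDK provider, so after this patch the mere presence of the bc-fips jar on the classpath is what switches the whole JVM into FIPS mode. That is a deliberate policy change and should be stated on the method, e.g. `/** Installs BouncyCastleFipsProvider as the highest-priority JCA provider when it is not yet registered. Requires bc-fips on the classpath; callers without it must handle NoClassDefFoundError (see StaticUtils.registerBcProvider). */`. Because the method body references the BouncyCastleFipsProvider class directly, the error may presumably surface when FipsStaticUtils is linked rather than only when this method is invoked, which would make the other members of this class (EMPTY_BYTES at the top of the hunk) unusable without bc-fips as well — worth confirming and noting in the class Javadoc. The class header is outside the hunk.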
diff --git a/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java b/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
index 6c2de14..ed0f3bb 100644
--- a/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
+++ b/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
@@ -36,6 +36,9 @@
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
+import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTER;
+import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTERED_ALREADY;
+
/**
* Common utility methods.
*/
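Review bot: The two static imports added here, INFO_BC_PROVIDER_REGISTER and INFO_BC_PROVIDER_REGISTERED_ALREADY, are not referenced by anything this patch adds to StaticUtils — the messages are still logged from FipsStaticUtils — so as far as the hunks show they are unused imports. Either drop them, or use them in StaticUtils.registerBcProvider so that the "registered" / "already registered" outcome is logged from the place that also handles the missing-bc-fips case.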
@@ -775,4 +778,18 @@
}
}
+ public static boolean isFips() {
+ java.security.Provider[] providers = java.security.Security.getProviders();
+ for (int i = 0; i < providers.length; i++) {
+ if (providers[i].getName().toLowerCase().contains("fips"))
+ return true;
+ }
+ return false;
+ }
+
+ public static void registerBcProvider() {
+ try {
+ FipsStaticUtils.registerBcProvider();
+ } catch (NoClassDefFoundError e) {}
+ }
}
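Review bot: `isFips()` lowercases the provider name with the default locale, so under a Turkish-family locale "FIPS" becomes "fıps" and a FIPS provider is missed; use `if (providers[i].getName().toLowerCase(java.util.Locale.ROOT).contains("fips"))`. The empty `catch (NoClassDefFoundError e) {}` in registerBcProvider silently leaves the JVM on the non-FIPS providers, which is exactly the condition an operator running a supposedly FIPS deployment needs to see; at minimum comment the block, `// bc-fips not on the classpath: continue with the JDK providers`, and log the error message at debug level if this class has a logger. A NoClassDefFoundError is also what the JVM throws on a later attempt to use a class whose static initializer already failed, so the catch can mask a present-but-broken bc-fips install as an absent one — logging the message keeps the two distinguishable. The Javadoc for isFips() should also state that it is a name heuristic (any registered provider whose name contains "fips"), not a check of the JVM's actual FIPS configuration.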
diff --git a/opendj-grizzly/src/main/java/org/forgerock/opendj/grizzly/GrizzlyLDAPConnection.java b/opendj-grizzly/src/main/java/org/forgerock/opendj/grizzly/GrizzlyLDAPConnection.java
index 1f55002..8a2f9df 100644
--- a/opendj-grizzly/src/main/java/org/forgerock/opendj/grizzly/GrizzlyLDAPConnection.java
+++ b/opendj-grizzly/src/main/java/org/forgerock/opendj/grizzly/GrizzlyLDAPConnection.java
@@ -38,7 +38,7 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
-import com.forgerock.opendj.util.FipsStaticUtils;
+import com.forgerock.opendj.util.StaticUtils;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.io.LDAPWriter;
@@ -100,7 +100,7 @@
static {
try {
// We need to use FIPS compatible Trust Manasger in FIPS mode
- if (!FipsStaticUtils.isFips()) {
+ if (!StaticUtils.isFips()) {
DUMMY_SSL_ENGINE_CONFIGURATOR =
new SSLEngineConfigurator(new SSLContextBuilder().setTrustManager(
TrustManagers.distrustAll()).getSSLContext());
diff --git a/opendj-ldap-toolkit/src/main/java/com/forgerock/opendj/ldap/tools/Utils.java b/opendj-ldap-toolkit/src/main/java/com/forgerock/opendj/ldap/tools/Utils.java
index c629acc..54651f3 100644
--- a/opendj-ldap-toolkit/src/main/java/com/forgerock/opendj/ldap/tools/Utils.java
+++ b/opendj-ldap-toolkit/src/main/java/com/forgerock/opendj/ldap/tools/Utils.java
@@ -26,7 +26,7 @@
import static com.forgerock.opendj.ldap.tools.LDAPToolException.newToolParamException;
import static com.forgerock.opendj.ldap.tools.ToolsMessages.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.registerBcProvider;
+import static com.forgerock.opendj.util.StaticUtils.registerBcProvider;
import java.io.BufferedReader;
import java.io.FileInputStream;
diff --git a/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java b/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
index e89dc52..7fa1602 100644
--- a/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
+++ b/opendj-server-legacy/src/main/java/org/forgerock/opendj/reactive/LDAPConnectionHandler2.java
@@ -22,7 +22,7 @@
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.isFips;
+import static com.forgerock.opendj.util.StaticUtils.isFips;
import java.io.IOException;
import java.net.InetAddress;
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
index e3f39d4..83935d6 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
@@ -59,7 +59,6 @@
import javax.naming.ldap.Rdn;
import javax.swing.JPanel;
-import com.forgerock.opendj.util.FipsStaticUtils;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.LocalizableMessageDescriptor.Arg0;
@@ -1417,7 +1416,7 @@
}
// Set default trustManager to allow check server startup status
- if (FipsStaticUtils.isFips()) {
+ if (com.forgerock.opendj.util.StaticUtils.isFips()) {
KeyStore truststore = null;
try (final FileInputStream fis = new FileInputStream(trustStorePath))
{
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/SetupLauncher.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/SetupLauncher.java
index 1e4142c..ff6820b 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/SetupLauncher.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/SetupLauncher.java
@@ -20,7 +20,7 @@
import static org.opends.messages.ToolMessages.*;
import static org.opends.server.util.ServerConstants.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.registerBcProvider;
+import static com.forgerock.opendj.util.StaticUtils.registerBcProvider;
import org.forgerock.i18n.LocalizableMessage;
import org.opends.quicksetup.CliApplication;
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/ServerController.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/ServerController.java
index ec325a4..8d5d5a4 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/ServerController.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/ServerController.java
@@ -25,7 +25,7 @@
import javax.net.ssl.TrustManager;
-import com.forgerock.opendj.util.FipsStaticUtils;
+import com.forgerock.opendj.util.StaticUtils;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.slf4j.LocalizedLogger;
@@ -460,7 +460,7 @@
}
TrustManager trustManager = null;
- if (FipsStaticUtils.isFips()) {
+ if (StaticUtils.isFips()) {
trustManager = application.getTrustManager().getX509TrustManager();
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java b/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
index a07b046..7c09ce0 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
@@ -27,7 +27,7 @@
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.registerBcProvider;
+import static com.forgerock.opendj.util.StaticUtils.registerBcProvider;
import java.io.File;
import java.io.FileOutputStream;
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/extensions/FileBasedTrustManagerProvider.java b/opendj-server-legacy/src/main/java/org/opends/server/extensions/FileBasedTrustManagerProvider.java
index 60ad289..f82d64c 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/extensions/FileBasedTrustManagerProvider.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/extensions/FileBasedTrustManagerProvider.java
@@ -43,7 +43,7 @@
import static org.opends.server.extensions.FileBasedKeyManagerProvider.getKeyStorePIN;
import static org.opends.server.util.StaticUtils.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.isFips;
+import static com.forgerock.opendj.util.StaticUtils.isFips;
/**
* This class defines a trust manager provider that will reference certificates
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
index 34d2f61..b5da0ef 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
@@ -43,7 +43,7 @@
import javax.crypto.Cipher;
-import com.forgerock.opendj.util.FipsStaticUtils;
+import com.forgerock.opendj.util.StaticUtils;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.opendj.adapter.server3x.Converters;
@@ -881,7 +881,7 @@
putKeyManagerConfigAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
- if (FipsStaticUtils.isFips()) {
+ if (StaticUtils.isFips()) {
putAdminKeyManagerConfigAttribute(ldapsPort, DN_ADMIN_KEY_MANAGER);
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
index 1517fc6..5a7f3cd 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
@@ -47,7 +47,7 @@
import com.forgerock.opendj.cli.ConnectionFactoryProvider;
import static org.opends.messages.ToolMessages.*;
-import static com.forgerock.opendj.util.FipsStaticUtils.isFips;
+import static com.forgerock.opendj.util.StaticUtils.isFips;
/**
* This class provides SSL connection related utility functions.
--
Gitblit v1.10.0