
feat: use BCFIPS library, but not BCFIPS provider to avoid failing hash (#242)
MikeDombo committed May 5, 2023
1 parent 8f4a131 commit 11caeba
Showing 4 changed files with 27 additions and 30 deletions.
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -103,8 +103,8 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.66</version>
<artifactId>bcpkix-fips</artifactId>
<version>1.0.7</version>
</dependency>
</dependencies>
<pluginRepositories>
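Review bot: Swapping `bcpkix-jdk15on` for `bcpkix-fips` is an artifact change rather than a version bump, and the FIPS core module it is built against (`bc-fips`, as far as I recall) is not declared in this hunk, so unless it is pinned elsewhere in the pom its version is left to transitive resolution. For a component whose whole point is the FIPS library, I would declare `bc-fips` explicitly (or in `dependencyManagement`) so the exact module version is under review and dependabot control. A one-line comment above the dependency, `<!-- FIPS-certified BC build; the BCFIPS provider itself is intentionally not registered, see CertificateHelper -->`, would also stop the next reader from "fixing" the missing provider registration.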
Expand Up @@ -22,7 +22,6 @@
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
Expand Down Expand Up @@ -76,10 +75,8 @@ private CertificateHelper() {
}

static {
// If not added "BC" is not recognized as the security provider
Security.addProvider(new BouncyCastleProvider());
// Configure the default provider
providers.put(ProviderType.DEFAULT, "BC");
// Configure the default provider to empty which will use Java's defaults
providers.put(ProviderType.DEFAULT, "");
}

public enum ProviderType {
Expand Down Expand Up @@ -142,9 +139,12 @@ public static X509Certificate createCACertificate(@NonNull KeyPair keyPair, @Non
extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));

String signingAlgorithm = CERTIFICATE_SIGNING_ALGORITHM.get(keyPair.getPrivate().getAlgorithm());
final ContentSigner contentSigner =
new JcaContentSignerBuilder(signingAlgorithm).setProvider(getProvider(providerType))
.build(keyPair.getPrivate());
String providerName = getProvider(providerType);
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
if (Utils.isNotEmpty(providerName)) {
signerBuilder = signerBuilder.setProvider(providerName);
}
final ContentSigner contentSigner = signerBuilder.build(keyPair.getPrivate());

return new JcaX509CertificateConverter().getCertificate(builder.build(contentSigner));
}
Expand Down Expand Up @@ -221,9 +221,12 @@ private static X509Certificate issueCertificate(@NonNull X509Certificate caCert,
addSANFromConnectivityInfoToCertificate(connectivityInfoItems, builder);
}

final ContentSigner contentSigner =
new JcaContentSignerBuilder(caCert.getSigAlgName()).setProvider(getProvider(providerType))
.build(caPrivateKey);
String providerName = getProvider(providerType);
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(caCert.getSigAlgName());
if (Utils.isNotEmpty(providerName)) {
signerBuilder = signerBuilder.setProvider(providerName);
}
final ContentSigner contentSigner = signerBuilder.build(caPrivateKey);

return new JcaX509CertificateConverter().getCertificate(builder.build(contentSigner));
}
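Review bot: The four-line signer setup added in createCACertificate is repeated verbatim in issueCertificate, so the "empty name means no provider pin" rule now lives in two places; a private helper (sketched below) keeps it in one. With ProviderType.DEFAULT mapped to "", the ContentSigner is built by whichever JCA provider the runtime ranks first for the algorithm, which is fine for the JDK defaults but means a deployment that must sign through a specific (e.g. FIPS) provider has to use a non-default ProviderType — worth stating in the static block: `// Empty name: no setProvider() call, JCA picks the highest-priority provider for the algorithm`. Both methods' signatures start outside the hunks, and the helper assumes java.security.PrivateKey is already imported in this file.
```java
/** Builds a signer for signingAlgorithm, pinning a JCA provider only when providerType maps to a non-empty name. */
private static ContentSigner buildContentSigner(String signingAlgorithm, ProviderType providerType,
                                                PrivateKey privateKey) throws OperatorCreationException {
    String providerName = getProvider(providerType);
    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
    if (Utils.isNotEmpty(providerName)) {
        signerBuilder = signerBuilder.setProvider(providerName);
    }
    return signerBuilder.build(privateKey);
}

// … unchanged: createCACertificate body up to the signing algorithm lookup …
final ContentSigner contentSigner = buildContentSigner(signingAlgorithm, providerType, keyPair.getPrivate());

// … unchanged: issueCertificate body up to the SAN handling …
final ContentSigner contentSigner = buildContentSigner(caCert.getSigAlgName(), providerType, caPrivateKey);
```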
Expand Up @@ -6,12 +6,13 @@
package com.aws.greengrass.clientdevices.auth.certificate;

import com.aws.greengrass.clientdevices.auth.api.DomainEvents;
import com.aws.greengrass.clientdevices.auth.exception.CertificateGenerationException;
import com.aws.greengrass.componentmanager.KernelConfigResolver;
import com.aws.greengrass.config.Topics;
import com.aws.greengrass.dependency.Context;
import com.aws.greengrass.clientdevices.auth.exception.CertificateGenerationException;
import com.aws.greengrass.security.SecurityService;
import com.aws.greengrass.testcommons.testutilities.GGExtension;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.junit.jupiter.api.AfterEach;
Expand Down Expand Up @@ -82,7 +83,8 @@ public void GIVEN_ClientCertificateGenerator_WHEN_generateCertificate_THEN_certi

X509Certificate generatedCert = certificateGenerator.getCertificate();
assertThat(generatedCert.getSubjectX500Principal().getName(), is(SUBJECT_PRINCIPAL));
assertThat(new KeyPurposeId(generatedCert.getExtendedKeyUsage().get(0)), is(KeyPurposeId.id_kp_clientAuth));
assertThat(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(generatedCert.getExtendedKeyUsage().get(0))),
is(KeyPurposeId.id_kp_clientAuth));
assertThat(generatedCert.getPublicKey(), is(publicKey));
verify(mockCallback, times(1)).accept(generatedCert, certificateStore.getCaCertificateChain());

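Review bot: The rewritten assertion still inspects only element 0 of the extended key usage, so a client certificate that also carried an unintended id_kp_serverAuth (or any extra EKU) would pass, and a certificate with no EKU extension fails with a NullPointerException from `getExtendedKeyUsage().get(0)` instead of a readable assertion. Comparing the whole list pins both cases in one line: `assertThat(generatedCert.getExtendedKeyUsage(), contains(KeyPurposeId.id_kp_clientAuth.getId()));` (hamcrest `contains`, if not already imported, or `is(Collections.singletonList(KeyPurposeId.id_kp_clientAuth.getId()))`). The test method starts outside the hunk.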
Expand Up @@ -17,14 +17,13 @@
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
Expand All @@ -43,7 +42,6 @@
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
Expand All @@ -55,7 +53,6 @@
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
Expand All @@ -75,11 +72,6 @@ public final class CertificateTestHelpers {
private CertificateTestHelpers() {
}

static {
// If not added "BC" is not recognized as the security provider
Security.addProvider(new BouncyCastleProvider());
}

private enum CertificateTypes {
ROOT_CA, INTERMEDIATE_CA, SERVER_CERTIFICATE, CLIENT_CERTIFICATE
}
Expand Down Expand Up @@ -124,14 +116,14 @@ private static X509Certificate createCertificate(X509Certificate caCert, String

buildCertificateExtensions(builder, caCert, publicKey, type);
X509CertificateHolder certHolder = signCertificate(builder, caPrivateKey);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
return new JcaX509CertificateConverter().getCertificate(certHolder);
}

private static X509CertificateHolder signCertificate(X509v3CertificateBuilder certBuilder, PrivateKey privateKey)
throws OperatorCreationException {
String signingAlgorithm = CERTIFICATE_SIGNING_ALGORITHM.get(privateKey.getAlgorithm());
final ContentSigner contentSigner =
new JcaContentSignerBuilder(signingAlgorithm).setProvider("BC").build(privateKey);
new JcaContentSignerBuilder(signingAlgorithm).build(privateKey);

return certBuilder.build(contentSigner);
}
Expand All @@ -151,8 +143,8 @@ private static void buildCertificateExtensions(X509v3CertificateBuilder builder,
if (type == CertificateTypes.INTERMEDIATE_CA) {
builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
.addExtension(Extension.keyUsage, true, new X509KeyUsage(
X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign));
.addExtension(Extension.keyUsage, true, new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
}

if (type == CertificateTypes.SERVER_CERTIFICATE) {
Expand All @@ -179,7 +171,7 @@ private static Pair<Date, Date> getValidityDateRange() {
// TODO: caller should pass a clock or date range in instead
Date notBefore = Date.from(now.minusSeconds(1));
Date notAfter = Date.from(now.plusSeconds(DEFAULT_TEST_CA_DURATION_SECONDS));
return new Pair(notBefore, notAfter);
return new Pair<>(notBefore, notAfter);
}

private static X500Name getX500Name(String commonName) {
Expand All @@ -204,7 +196,7 @@ private static X500Name getX500Name(String commonName) {
public static boolean wasCertificateIssuedBy(X509Certificate issuerCA, X509Certificate certificate)
throws CertificateException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<X509Certificate> leafCertificate = Arrays.asList(certificate);
List<X509Certificate> leafCertificate = Collections.singletonList(certificate);
CertPath leafCertPath = cf.generateCertPath(leafCertificate);

try {
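Review bot: In signCertificate the provider pin is gone, but `CERTIFICATE_SIGNING_ALGORITHM.get(privateKey.getAlgorithm())` can still return null for a key type missing from that map, and that null now reaches `new JcaContentSignerBuilder(signingAlgorithm)` where it fails deep inside the operator with no hint of the cause. A guard before the builder, `if (signingAlgorithm == null) { throw new OperatorCreationException("no signing algorithm mapped for key type " + privateKey.getAlgorithm()); }`, makes such a test failure self-explaining. The wasCertificateIssuedBy hunk at the end of this section continues past its `try {` outside the visible lines.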