swt/rap/org.argeo.cms.e4.rap \
DEP_CATEGORIES = \
+crypto/fips/org.argeo.tp.crypto \
org.argeo.tp \
-org.argeo.tp.crypto \
org.argeo.tp.jetty \
osgi/api/org.argeo.tp.osgi \
osgi/equinox/org.argeo.tp.eclipse \
/hostkey.ser
/id_rsa
/id_rsa.pub
+/*.p12
\ No newline at end of file
org.apache.sshd.common.channel,\
org.apache.sshd.common.helpers,\
org.apache.sshd.common.file.util,\
+org.bouncycastle.jcajce.provider;resolution:="optional",\
+org.bouncycastle.jce.provider;resolution:="optional",\
+org.bouncycastle.*;resolution:="optional",\
+!java.*,\
*
+# NOTE: making the provider packages optional leaves open to switch back to BC non-fips provider.
+
Service-Component: \
OSGI-INF/cmsSshServer.xml
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Reader;
+import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.nio.file.Files;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
+import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
public class BcUtils {
private final static CmsLog log = CmsLog.getLog(BcUtils.class);
- private final static String BC_SECURITY_PROVIDER;
+ private final static String BC_SECURITY_PROVIDER_FIPS = "BCFIPS";
+// private final static String BC_SECURITY_PROVIDER_NON_FIPS = "BC";
+ public final static String BC_SECURITY_PROVIDER;
static {
- Security.addProvider(new BouncyCastleProvider());
- BC_SECURITY_PROVIDER = "BC";
+ Class<?> clss = null;
+ try {
+ clss = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ } catch (ClassNotFoundException e) {
+ log.warn("Bouncy Castle FIPS provider could not be initialised,"
+ + " we assume the non-FIPS provider is configured externally. (" + e + ")");
+ try {
+ clss = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
+ } catch (ClassNotFoundException e1) {
+ // silent
+ }
+ }
+ if (clss != null) {
+ try {
+ Provider provider = (Provider) clss.getDeclaredConstructor().newInstance();
+ Security.addProvider(provider);
+ BC_SECURITY_PROVIDER = provider.getName();
+ } catch (IllegalAccessException | InstantiationException | IllegalArgumentException
+ | InvocationTargetException | NoSuchMethodException | SecurityException e) {
+ throw new IllegalStateException("Cannot load Bouncy Castle provider " + clss, e);
+ }
+ } else {
+ throw new IllegalStateException("Cannot load any Bouncy Castle provider");
+ }
+ }
+
+ public static boolean isFipsProvider() {
+ return BC_SECURITY_PROVIDER.equals(BC_SECURITY_PROVIDER_FIPS);
}
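Review bot: The fallback `catch (ClassNotFoundException e1) { // silent }` discards the second lookup failure, so the `IllegalStateException("Cannot load any Bouncy Castle provider")` thrown when neither class is found carries no cause and an operator cannot see which class name was tried; keep `e1` in a local and throw `new IllegalStateException("Cannot load any Bouncy Castle provider", notFound)` instead. The warning text claims the non-FIPS provider is "configured externally", yet the very next statement loads and registers it itself, and the downgrade from BCFIPS to plain BC is reported at warn level only — since `isFipsProvider()` is the only signal callers get, logging the fallback at error level and documenting on `BC_SECURITY_PROVIDER` that it holds the name of whichever provider was actually registered would make the security posture visible. The commented-out `BC_SECURITY_PROVIDER_NON_FIPS` constant here, and the commented-out `main` added in the next hunk of this file, should be dropped rather than committed as dead code. The static initializer and `isFipsProvider` both sit entirely inside this hunk.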
public static void createSelfSignedKeyStore(Path keyStorePath, char[] keyStorePassword, String keyStoreType) {
/** singleton */
private BcUtils() {
}
+
+// public static void main(String args[]) {
+// createSelfSignedKeyStore(Paths.get("./selfsigned.p12"), "demo".toCharArray(), "PKCS12");
+// }
}
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.PublicKeyEntry;
+import org.argeo.cms.bc.BcUtils;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PKCS8Generator;
-import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
KeyPair kp;
if (object instanceof PEMEncryptedKeyPair) {
PEMEncryptedKeyPair ekp = (PEMEncryptedKeyPair) object;
- PEMDecryptorProvider decryptorProvider = new BcPEMDecryptorProvider(password);
+ JcePEMDecryptorProviderBuilder decryptorProviderBuilder = new JcePEMDecryptorProviderBuilder();
+ decryptorProviderBuilder.setProvider(BcUtils.BC_SECURITY_PROVIDER);
+ PEMDecryptorProvider decryptorProvider = decryptorProviderBuilder.build(password);
PEMKeyPair pemKp = ekp.decryptKeyPair(decryptorProvider);
kp = converter.getKeyPair(pemKp);
} else if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
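Review bot: The `PKCS8EncryptedPrivateKeyInfo` branch opened on the last hunk line continues outside the hunk; now that the BC-lightweight `BcPEMDecryptorProvider` has been replaced by a provider-pinned JCE builder here, the PKCS#8 path (`JceOpenSSLPKCS8DecryptorProviderBuilder`, still imported) should presumably also call `.setProvider(BcUtils.BC_SECURITY_PROVIDER)`, otherwise that decryption goes through whatever JCE provider wins by default rather than the FIPS one. The three builder lines can be a single fluent statement: `PEMDecryptorProvider decryptorProvider = new JcePEMDecryptorProviderBuilder().setProvider(BcUtils.BC_SECURITY_PROVIDER).build(password);`. Legacy OpenSSL-encrypted PEM (`Proc-Type: 4,ENCRYPTED`) derives its key with an MD5-based KDF, which a FIPS provider running in approved-only mode may refuse, so this branch deserves a test against BCFIPS before the switch is considered complete.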
-Subproject commit c8f6d0e6aa4d9a6f24dd4ba4f9ac7878945d6e89
+Subproject commit fd3449421a3d3e61756cc1ed8bd6e698ecd9eb11
# Local
argeo.node.repo.type=h2
-org.osgi.service.http.port=7070
-#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to]
-#org.osgi.service.http.port.secure=7073
-#org.eclipse.equinox.http.jetty.websocket.enabled=true
+argeo.http.port=7070
+#argeo.http.host=[IP address to listen to]
+#argeo.https.port=7073
+argeo.sshd.port=2222
# Logging
log.org.argeo=DEBUG
# DON'T CHANGE BELOW
org.eclipse.equinox.http.jetty.autostart=false
org.osgi.framework.system.packages.extra=\
+sun.security.internal.spec,\
+sun.security.provider,\
com.sun.net.httpserver,\
com.sun.jndi.ldap,\
com.sun.jndi.ldap.sasl,\
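Review bot: The two new exports `sun.security.internal.spec` and `sun.security.provider` in the `# DON'T CHANGE BELOW` block make JDK-internal packages visible to every bundle in the framework, with no comment saying which bundle needs them; add one, e.g. `# JDK internals required by the Bouncy Castle FIPS provider — TODO confirm consumer`, so the next maintainer neither widens nor drops them blindly. `argeo.sshd.port=2222` is added uncommented in the `# Local` section, which presumably turns the SSH listener on by default in this profile; if it is meant as an example like `#argeo.http.host=...` it should be commented out as well, and either way the host it binds to should be documented next to it.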
--- /dev/null
+dn: uid=coworker,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+givenName: John
+sn: Coworker
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: coworker@localhost
+uid: coworker
+cn: John Coworker
+description: A regular coworker
+
+dn: uid=manager,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+givenName: Mary
+sn: Manager
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: manager@localhost
+uid: manager
+cn: Mary Manager
+description: A manager
+
+dn: uid=root,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: person
+objectClass: organizationalPerson
+objectClass: top
+givenName: Super
+sn: User
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: root@localhost
+uid: root
+cn: Super User
+description: Superuser
+
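Review bot: The three new entries, including `uid=root`, share one identical unsalted `{SHA}` `userPassword` value and nothing in the file states that they are demo fixtures, so a reader cannot tell whether this LDIF is ever imported outside development. Add a leading comment such as `# Demo accounts only — must not be loaded into a non-development directory` and confirm that the code path importing this file is limited to a demo profile. If the target directory supports it, `{SSHA}` or a stronger scheme is preferable to unsalted `{SHA}`, and giving each account a distinct credential avoids one leaked value unlocking all three.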