From 656302dff1b85fb0bc60328506b0f9cd07c26424 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Wed, 22 Mar 2023 17:29:29 +0100
Subject: [PATCH] Adapt to changes in Argeo TP

---
 Makefile | 2 +-
 org.argeo.cms.lib.sshd/.gitignore | 1 +
 org.argeo.cms.lib.sshd/bnd.bnd | 6 +++
 .../src/org/argeo/cms/bc/BcUtils.java | 41 +++++++++++++++++--
 .../src/org/argeo/cms/ssh/SshKeyPair.java | 7 +++-
 sdk/argeo-build | 2 +-
 sdk/cms-e4-rap.properties | 10 +++--
 sdk/init/private/dc=example,dc=com.ldif | 39 ++++++++++++++++++
 8 files changed, 96 insertions(+), 12 deletions(-)
 create mode 100644 sdk/init/private/dc=example,dc=com.ldif

diff --git a/Makefile b/Makefile
index 8c15c1307..db2389ed6 100644
--- a/Makefile
+++ b/Makefile
@@ -29,8 +29,8 @@ swt/rap/org.argeo.cms.swt.rap \
 swt/rap/org.argeo.cms.e4.rap \
 
 DEP_CATEGORIES = \
+crypto/fips/org.argeo.tp.crypto \
 org.argeo.tp \
-org.argeo.tp.crypto \
 org.argeo.tp.jetty \
 osgi/api/org.argeo.tp.osgi \
 osgi/equinox/org.argeo.tp.eclipse \
diff --git a/org.argeo.cms.lib.sshd/.gitignore b/org.argeo.cms.lib.sshd/.gitignore
index 7fb0c180c..b0a3e6446 100644
--- a/org.argeo.cms.lib.sshd/.gitignore
+++ b/org.argeo.cms.lib.sshd/.gitignore
@@ -1,3 +1,4 @@
 /hostkey.ser
 /id_rsa
 /id_rsa.pub
+/*.p12
\ No newline at end of file
diff --git a/org.argeo.cms.lib.sshd/bnd.bnd b/org.argeo.cms.lib.sshd/bnd.bnd
index 85546f671..54c69b1c7 100644
--- a/org.argeo.cms.lib.sshd/bnd.bnd
+++ b/org.argeo.cms.lib.sshd/bnd.bnd
@@ -4,7 +4,13 @@ org.apache.sshd.common.forward,\
 org.apache.sshd.common.channel,\
 org.apache.sshd.common.helpers,\
 org.apache.sshd.common.file.util,\
+org.bouncycastle.jcajce.provider;resolution:="optional",\
+org.bouncycastle.jce.provider;resolution:="optional",\
+org.bouncycastle.*;resolution:="optional",\
+!java.*,\
 *
 
+# NOTE: making the provider packages optional leaves open to switch back to BC non-fips provider.
+
 Service-Component: \
 OSGI-INF/cmsSshServer.xml
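Review bot: With all three `org.bouncycastle.*` imports in the bnd.bnd hunk marked `resolution:="optional"`, the bundle now resolves even when neither provider bundle is deployed, so a missing provider is no longer caught at resolve time but surfaces as the `IllegalStateException` thrown from the static initializer of `BcUtils` (in the BcUtils.java hunk) the first time that class is touched. The added NOTE line only explains why the packages are optional; it would help to state that consequence next to it, e.g. `# NOTE: with both providers optional, the absence of any BC provider is only detected at runtime, by BcUtils.` The `!java.*` exclusion looks like a reaction to a provider bundle exporting `java.*` packages; a short comment naming the bundle that made it necessary would keep it from being removed as noise later.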
diff --git a/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java b/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
index d2fc89f79..00d3f7c44 100644
--- a/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
+++ b/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.Reader;
+import java.lang.reflect.InvocationTargetException;
 import java.math.BigInteger;
 import java.net.InetAddress;
 import java.nio.file.Files;
@@ -13,6 +14,7 @@ import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.Certificate;
@@ -29,7 +31,6 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
@@ -44,10 +45,38 @@ import org.bouncycastle.pkcs.PKCSException;
 
 public class BcUtils {
 private final static CmsLog log = CmsLog.getLog(BcUtils.class);
- private final static String BC_SECURITY_PROVIDER;
+ private final static String BC_SECURITY_PROVIDER_FIPS = "BCFIPS";
+// private final static String BC_SECURITY_PROVIDER_NON_FIPS = "BC";
+ public final static String BC_SECURITY_PROVIDER;
 static {
- Security.addProvider(new BouncyCastleProvider());
- BC_SECURITY_PROVIDER = "BC";
+ Class clss = null;
+ try {
+ clss = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ } catch (ClassNotFoundException e) {
+ log.warn("Bouncy Castle FIPS provider could not be initialised," + " we assume the non-FIPS provider is configured externally. (" + e + ")");
+ try {
+ clss = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
+ } catch (ClassNotFoundException e1) {
+ // silent
+ }
+ }
+ if (clss != null) {
+ try {
+ Provider provider = (Provider) clss.getDeclaredConstructor().newInstance();
+ Security.addProvider(provider);
+ BC_SECURITY_PROVIDER = provider.getName();
+ } catch (IllegalAccessException | InstantiationException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | SecurityException e) {
+ throw new IllegalStateException("Cannot load Bouncy Castle provider " + clss, e);
+ }
+ } else {
+ throw new IllegalStateException("Cannot load any Bouncy Castle provider");
+ }
+ }
+
+ public static boolean isFipsProvider() {
+ return BC_SECURITY_PROVIDER.equals(BC_SECURITY_PROVIDER_FIPS);
 }
 
 public static void createSelfSignedKeyStore(Path keyStorePath, char[] keyStorePassword, String keyStoreType) {
@@ -165,4 +194,8 @@ public class BcUtils {
 /** singleton */
 private BcUtils() {
 }
+
+// public static void main(String args[]) {
+// createSelfSignedKeyStore(Paths.get("./selfsigned.p12"), "demo".toCharArray(), "PKCS12");
+// }
 }
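Review bot: The static initializer degrades from BCFIPS to the non-FIPS provider with only a warning, and the warning's text ("we assume the non-FIPS provider is configured externally") does not match what the code then does, which is to load and register `org.bouncycastle.jce.provider.BouncyCastleProvider` itself. A deployment that expects FIPS-validated cryptography would thus run on the non-FIPS provider with nothing in the log naming the provider that was actually registered; `isFipsProvider()` lets callers check, but nobody is told to. Suggest making the message accurate and recording the outcome: `log.warn("Bouncy Castle FIPS provider not available, falling back to the non-FIPS provider. (" + e + ")");` after the first `Class.forName`, and `log.warn("Registered Bouncy Castle security provider " + provider.getName());` after `Security.addProvider(provider)`. Separately, `Class clss` is a raw type; `Class<?> clss = null;` removes the warning, and the six-way multi-catch can be written as `ReflectiveOperationException | IllegalArgumentException | SecurityException e`, which covers the same types.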
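Review bot: The commented-out `main` added at the end of the class is dead code carrying a literal keystore password and an output path that the .gitignore hunk now has to exclude; it should be dropped from the commit rather than parked in a comment. If a command-line way to generate a self-signed keystore is wanted, a documented entry point that reads the password from the console would serve better than a literal in a comment that will be uncommented and copied.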
diff --git a/org.argeo.cms.lib.sshd/src/org/argeo/cms/ssh/SshKeyPair.java b/org.argeo.cms.lib.sshd/src/org/argeo/cms/ssh/SshKeyPair.java
index f5cbb0450..f8153f38a 100644
--- a/org.argeo.cms.lib.sshd/src/org/argeo/cms/ssh/SshKeyPair.java
+++ b/org.argeo.cms.lib.sshd/src/org/argeo/cms/ssh/SshKeyPair.java
@@ -19,18 +19,19 @@ import java.security.spec.RSAPublicKeySpec;
 
 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.config.keys.PublicKeyEntry;
+import org.argeo.cms.bc.BcUtils;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.PKCS8Generator;
-import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
 import org.bouncycastle.operator.InputDecryptorProvider;
 import org.bouncycastle.operator.OutputEncryptor;
 import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
@@ -150,7 +151,9 @@ public class SshKeyPair {
 KeyPair kp;
 if (object instanceof PEMEncryptedKeyPair) {
 PEMEncryptedKeyPair ekp = (PEMEncryptedKeyPair) object;
- PEMDecryptorProvider decryptorProvider = new BcPEMDecryptorProvider(password);
+ JcePEMDecryptorProviderBuilder decryptorProviderBuilder = new JcePEMDecryptorProviderBuilder();
+ decryptorProviderBuilder.setProvider(BcUtils.BC_SECURITY_PROVIDER);
+ PEMDecryptorProvider decryptorProvider = decryptorProviderBuilder.build(password);
 PEMKeyPair pemKp = ekp.decryptKeyPair(decryptorProvider);
 kp = converter.getKeyPair(pemKp);
 } else if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
diff --git a/sdk/argeo-build b/sdk/argeo-build
index c8f6d0e6a..fd3449421 160000
--- a/sdk/argeo-build
+++ b/sdk/argeo-build
@@ -1 +1 @@
-Subproject commit c8f6d0e6aa4d9a6f24dd4ba4f9ac7878945d6e89
+Subproject commit fd3449421a3d3e61756cc1ed8bd6e698ecd9eb11
diff --git a/sdk/cms-e4-rap.properties b/sdk/cms-e4-rap.properties
index 1ca557b7e..9e903ba82 100644
--- a/sdk/cms-e4-rap.properties
+++ b/sdk/cms-e4-rap.properties
@@ -16,10 +16,10 @@ org.argeo.cms.lib.jetty,\
 
 # Local
 argeo.node.repo.type=h2
-org.osgi.service.http.port=7070
-#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to]
-#org.osgi.service.http.port.secure=7073
-#org.eclipse.equinox.http.jetty.websocket.enabled=true
+argeo.http.port=7070
+#argeo.http.host=[IP address to listen to]
+#argeo.https.port=7073
+argeo.sshd.port=2222
 
 # Logging
 log.org.argeo=DEBUG
@@ -60,6 +60,8 @@ log.org.argeo=DEBUG
 # DON'T CHANGE BELOW
 org.eclipse.equinox.http.jetty.autostart=false
 org.osgi.framework.system.packages.extra=\
+sun.security.internal.spec,\
+sun.security.provider,\
 com.sun.net.httpserver,\
 com.sun.jndi.ldap,\
 com.sun.jndi.ldap.sasl,\
diff --git a/sdk/init/private/dc=example,dc=com.ldif b/sdk/init/private/dc=example,dc=com.ldif
new file mode 100644
index 000000000..537130603
--- /dev/null
+++ b/sdk/init/private/dc=example,dc=com.ldif
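Review bot: `decryptorProviderBuilder.setProvider(BcUtils.BC_SECURITY_PROVIDER)` on the new side selects the provider by name, so decryption of traditional encrypted PEM keys now goes through whichever provider `BcUtils` managed to register; the legacy OpenSSL `DEK-Info` scheme derives its key with an MD5-based KDF, and whether the FIPS provider serves that in approved mode should be verified with an encrypted legacy PEM key in a test before this is relied on. The `PKCS8EncryptedPrivateKeyInfo` branch that follows is outside the hunk; if it builds its decryptor with `JceOpenSSLPKCS8DecryptorProviderBuilder` without a matching `setProvider`, the two branches would use different providers. As a point of style, `setProvider` returns the builder, so the three added lines collapse to `PEMDecryptorProvider decryptorProvider = new JcePEMDecryptorProviderBuilder().setProvider(BcUtils.BC_SECURITY_PROVIDER).build(password);`. The enclosing method starts and ends outside the hunk.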
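Review bot: `argeo.sshd.port=2222` is added uncommented in the cms-e4-rap.properties hunk while the other optional listeners around it (`#argeo.http.host`, `#argeo.https.port`) stay commented out, so this dev profile now starts an SSH server by default with no indication of where its host key comes from or how clients authenticate. Either comment the line out like its neighbours or put a comment line above it saying what the listener is for and how it is secured, e.g. `# SSH server (development profile); host key and authentication: <document here>`. In the second hunk, `sun.security.internal.spec` and `sun.security.provider` are exported to every bundle as system packages; a comment naming the bundle that needs them (presumably the FIPS provider) would keep that list from growing without justification.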
@@ -0,0 +1,39 @@
+dn: uid=coworker,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+givenName: John
+sn: Coworker
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: coworker@localhost
+uid: coworker
+cn: John Coworker
+description: A regular coworker
+
+dn: uid=manager,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+givenName: Mary
+sn: Manager
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: manager@localhost
+uid: manager
+cn: Mary Manager
+description: A manager
+
+dn: uid=root,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: person
+objectClass: organizationalPerson
+objectClass: top
+givenName: Super
+sn: User
+userPassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+mail: root@localhost
+uid: root
+cn: Super User
+description: Superuser
+
-- 
2.30.2
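Review bot: All three entries, including `uid=root`, carry the identical `userPassword` value, an unsalted `{SHA}` hash, and the file is committed under `sdk/init/private/` although its location suggests it was not meant to be versioned. If this is intended development seed data, put a comment line at the top saying so, e.g. `# Development seed data: demo accounts sharing one password; never load into a deployment.`, so that anyone copying the file as a template knows its status. Even for seed data a salted scheme such as `{SSHA}` would be preferable, since these files tend to be copied verbatim. Whether `sdk/init/private/` is gitignored elsewhere cannot be seen from this patch.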