From 5b76fdf3107f6023bbb74bd2f37c09dd3793bd83 Mon Sep 17 00:00:00 2001 
From: Mathieu Baudier Date: Wed, 22 Mar 2023 13:36:12 +0100 Subject: [PATCH] Introduce Bouncy Castle FIPS --- repackage/Makefile | 4 ++++ .../bouncycastle/{org.bouncycastle.mail.bnd => bcmail.bnd} | 1 - .../bouncycastle/{org.bouncycastle.pg.bnd => bcpg.bnd} | 1 - .../bouncycastle/{org.bouncycastle.pkix.bnd => bcpkix.bnd} | 1 - .../{org.bouncycastle.provider.bnd => bcprov.bnd} | 1 - repackage/org.argeo.tp.crypto/bouncycastle/bctls.bnd | 1 + .../bouncycastle/{org.bouncycastle.util.bnd => bcutil.bnd} | 1 - repackage/org.argeo.tp.crypto/bouncycastle/common.bnd | 1 + .../org.argeo.tp.fips/bouncycastle/bc-fips.bnd.disabled | 3 +++ repackage/org.argeo.tp.fips/bouncycastle/bc-noncert.bnd | 5 +++++ repackage/org.argeo.tp.fips/bouncycastle/bcmail-fips.bnd | 1 + repackage/org.argeo.tp.fips/bouncycastle/bcpg-fips.bnd | 1 + repackage/org.argeo.tp.fips/bouncycastle/bcpkix-fips.bnd | 1 + repackage/org.argeo.tp.fips/bouncycastle/bctls-fips.bnd | 1 + repackage/org.argeo.tp.fips/bouncycastle/common.bnd | 4 ++++ sdk/argeo-build | 2 +- 16 files changed, 23 insertions(+), 6 deletions(-) rename repackage/org.argeo.tp.crypto/bouncycastle/{org.bouncycastle.mail.bnd => bcmail.bnd} (55%) rename repackage/org.argeo.tp.crypto/bouncycastle/{org.bouncycastle.pg.bnd => bcpg.bnd} (57%) rename repackage/org.argeo.tp.crypto/bouncycastle/{org.bouncycastle.pkix.bnd => bcpkix.bnd} (55%) rename repackage/org.argeo.tp.crypto/bouncycastle/{org.bouncycastle.provider.bnd => bcprov.bnd} (55%) create mode 100644 repackage/org.argeo.tp.crypto/bouncycastle/bctls.bnd rename repackage/org.argeo.tp.crypto/bouncycastle/{org.bouncycastle.util.bnd => bcutil.bnd} (55%) create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/bc-fips.bnd.disabled create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/bc-noncert.bnd create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/bcmail-fips.bnd create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/bcpg-fips.bnd create mode 100644 
repackage/org.argeo.tp.fips/bouncycastle/bcpkix-fips.bnd create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/bctls-fips.bnd create mode 100644 repackage/org.argeo.tp.fips/bouncycastle/common.bnd diff --git a/repackage/Makefile b/repackage/Makefile index 62f1c04..799cbfd 100644 --- a/repackage/Makefile +++ b/repackage/Makefile @@ -22,5 +22,9 @@ org.argeo.tp.utils \ org.argeo.tp.jcr \ org.argeo.tp.poi \ org.argeo.tp.gis \ +org.argeo.tp.fips \ + +# NOTE: FIPS support is experimental, in order to preapre for the 2.0.0 stream +# see https://www.bouncycastle.org/fips_java_roadmap.html include $(SDK_SRC_BASE)/sdk/argeo-build/repackage.mk \ No newline at end of file diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.mail.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bcmail.bnd similarity index 55% rename from repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.mail.bnd rename to repackage/org.argeo.tp.crypto/bouncycastle/bcmail.bnd index 55de32d..ec30584 100644 --- a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.mail.bnd +++ b/repackage/org.argeo.tp.crypto/bouncycastle/bcmail.bnd @@ -1,2 +1 @@ -Argeo-Origin-NoMetadataGeneration: true Argeo-Origin-M2: org.bouncycastle:bcmail-jdk18on diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pg.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bcpg.bnd similarity index 57% rename from repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pg.bnd rename to repackage/org.argeo.tp.crypto/bouncycastle/bcpg.bnd index 70b7352..86d4e74 100644 --- a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pg.bnd +++ b/repackage/org.argeo.tp.crypto/bouncycastle/bcpg.bnd @@ -1,2 +1 @@ -Argeo-Origin-NoMetadataGeneration: true Argeo-Origin-M2: org.bouncycastle:bcpg-jdk18on:1.72.2 
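Review bot: In the repackage/Makefile hunk, `org.argeo.tp.fips` is appended to the category list unconditionally, while the comment added right below it calls FIPS support experimental. If that list drives the default repackaging run (the variable it belongs to starts above the hunk, so this is inferred), every build now fetches and repackages the FIPS artifacts, including the `bc-noncert` descriptor that this same commit marks as unsafe. Consider keeping the category out of the default list until it is ready, or have the comment state that it is built by default, e.g. `# NOTE: FIPS support is experimental and built by default; it prepares for the 2.0.0 stream`. The added comment also has a typo, `preapre` for `prepare`.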
diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pkix.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bcpkix.bnd
similarity index 55%
rename from repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pkix.bnd
rename to repackage/org.argeo.tp.crypto/bouncycastle/bcpkix.bnd
index 78ba1b3..1634680 100644
--- a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.pkix.bnd
+++ b/repackage/org.argeo.tp.crypto/bouncycastle/bcpkix.bnd
@@ -1,2 +1 @@
-Argeo-Origin-NoMetadataGeneration: true
 Argeo-Origin-M2: org.bouncycastle:bcpkix-jdk18on
diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.provider.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bcprov.bnd
similarity index 55%
rename from repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.provider.bnd
rename to repackage/org.argeo.tp.crypto/bouncycastle/bcprov.bnd
index bbe70be..2941b4e 100644
--- a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.provider.bnd
+++ b/repackage/org.argeo.tp.crypto/bouncycastle/bcprov.bnd
@@ -1,2 +1 @@
-Argeo-Origin-NoMetadataGeneration: true
 Argeo-Origin-M2: org.bouncycastle:bcprov-jdk18on
diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/bctls.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bctls.bnd
new file mode 100644
index 0000000..5ac9fb2
--- /dev/null
+++ b/repackage/org.argeo.tp.crypto/bouncycastle/bctls.bnd
@@ -0,0 +1 @@
+Argeo-Origin-M2: org.bouncycastle:bctls-jdk18on
diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.util.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/bcutil.bnd
similarity index 55%
rename from repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.util.bnd
rename to repackage/org.argeo.tp.crypto/bouncycastle/bcutil.bnd
index ad1134b..0a71f96 100644
--- a/repackage/org.argeo.tp.crypto/bouncycastle/org.bouncycastle.util.bnd
+++ b/repackage/org.argeo.tp.crypto/bouncycastle/bcutil.bnd
@@ -1,2 +1 @@
-Argeo-Origin-NoMetadataGeneration: true
 Argeo-Origin-M2: org.bouncycastle:bcutil-jdk18on
diff --git a/repackage/org.argeo.tp.crypto/bouncycastle/common.bnd b/repackage/org.argeo.tp.crypto/bouncycastle/common.bnd
index aad8cdf..0c2cd37 100644
--- a/repackage/org.argeo.tp.crypto/bouncycastle/common.bnd
+++ b/repackage/org.argeo.tp.crypto/bouncycastle/common.bnd
@@ -1,2 +1,3 @@
 SPDX-License-Identifier: MIT
 Argeo-Origin-M2: :1.72
+Argeo-Origin-NoMetadataGeneration: true
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bc-fips.bnd.disabled b/repackage/org.argeo.tp.fips/bouncycastle/bc-fips.bnd.disabled
new file mode 100644
index 0000000..b3384ca
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bc-fips.bnd.disabled
@@ -0,0 +1,3 @@
+# !! The current version is unsafe, see:
+# https://github.com/bcgit/bc-java/wiki/CVE-2022-45146
+Argeo-Origin-M2: org.bouncycastle:bc-fips
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bc-noncert.bnd b/repackage/org.argeo.tp.fips/bouncycastle/bc-noncert.bnd
new file mode 100644
index 0000000..4788299
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bc-noncert.bnd
@@ -0,0 +1,5 @@
+# !! The current version is unsafe, see:
+# https://github.com/bcgit/bc-java/wiki/CVE-2022-45146
+Argeo-Origin-M2: org.bouncycastle:bc-noncert:1.0.2.4
+Argeo-Origin-URI: https://downloads.bouncycastle.org/fips-java/bc-noncert-1.0.2.4.jar
+Argeo-Origin-Sources-URI: https://downloads.bouncycastle.org/fips-java/bc-noncert-1.0.2.4-sources.jar
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bcmail-fips.bnd b/repackage/org.argeo.tp.fips/bouncycastle/bcmail-fips.bnd
new file mode 100644
index 0000000..34dc61f
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bcmail-fips.bnd
@@ -0,0 +1 @@
+Argeo-Origin-M2: org.bouncycastle:bcmail-fips:1.0.4
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bcpg-fips.bnd b/repackage/org.argeo.tp.fips/bouncycastle/bcpg-fips.bnd
new file mode 100644
index 0000000..be773b7
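Review bot: The warning `# !! The current version is unsafe` at the top of bc-noncert.bnd looks copied from bc-fips.bnd.disabled, yet this descriptor is enabled and pins `1.0.2.4` instead of inheriting a default version. As far as I recall, the linked CVE-2022-45146 advisory names 1.0.2.4 as the fixed release (please confirm against the link); if so, the comment should say that instead, e.g. `# pinned to 1.0.2.4: earlier releases are affected by CVE-2022-45146`, and if not, the file should carry the `.disabled` suffix like bc-fips. Separately, the jar and its sources are fetched from `Argeo-Origin-URI` and `Argeo-Origin-Sources-URI` with no digest recorded in the descriptor; if the repackaging tooling can verify a checksum or signature, pin it here so that a changed download is detected.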
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bcpg-fips.bnd
@@ -0,0 +1 @@
+Argeo-Origin-M2: org.bouncycastle:bcpg-fips:1.0.7.1
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bcpkix-fips.bnd b/repackage/org.argeo.tp.fips/bouncycastle/bcpkix-fips.bnd
new file mode 100644
index 0000000..f2f46d6
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bcpkix-fips.bnd
@@ -0,0 +1 @@
+Argeo-Origin-M2: org.bouncycastle:bcpkix-fips:1.0.7
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/bctls-fips.bnd b/repackage/org.argeo.tp.fips/bouncycastle/bctls-fips.bnd
new file mode 100644
index 0000000..7de0139
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/bctls-fips.bnd
@@ -0,0 +1 @@
+Argeo-Origin-M2: org.bouncycastle:bctls-fips:1.0.14.1
diff --git a/repackage/org.argeo.tp.fips/bouncycastle/common.bnd b/repackage/org.argeo.tp.fips/bouncycastle/common.bnd
new file mode 100644
index 0000000..3658686
--- /dev/null
+++ b/repackage/org.argeo.tp.fips/bouncycastle/common.bnd
@@ -0,0 +1,4 @@
+SPDX-License-Identifier: MIT
+Argeo-Origin-NoMetadataGeneration: true
+Argeo-Origin-Do-Not-Modify: true
+Argeo-Origin-M2: :1.0.2.3
\ No newline at end of file
diff --git a/sdk/argeo-build b/sdk/argeo-build
index 884c8b0..948d50f 160000
--- a/sdk/argeo-build
+++ b/sdk/argeo-build
@@ -1 +1 @@
-Subproject commit 884c8b0c0b76b4d60fcb4a65d48a898f3ba27f0e
+Subproject commit 948d50f9792c1984eb055e58b8199f5778df901f
-- 2.30.2
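Review bot: In repackage/org.argeo.tp.fips/bouncycastle/common.bnd the default `Argeo-Origin-M2: :1.0.2.3` appears to apply only to bc-fips.bnd.disabled, since every other descriptor in this directory pins its own version (assuming common.bnd supplies the version the way `:1.72` does in the crypto directory). That makes 1.0.2.3 the version the CVE-2022-45146 warning refers to, so renaming the `.disabled` file back would pull it in without any further change. A comment next to the default would make this explicit, e.g. `# default is bc-fips 1.0.2.3, flagged for CVE-2022-45146; bump before enabling bc-fips.bnd`. `Argeo-Origin-Do-Not-Modify: true` also deserves a one-line comment on why these jars must stay unmodified (presumably to keep the module's signature or certification intact, to be confirmed).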