Merge pull request #30675 from adriankalafut/improve-fips-exception-handling-2025-01-30

Repair NullPointer exception thrown in AESKeyManager.java

Author: adriankalafut

dev/com.ibm.ws.crypto.passwordutil/bnd.bnd

@@ -49,7 +49,8 @@ instrument.disabled: true
 	com.ibm.websphere.org.osgi.service.component;version=latest,\
 	com.ibm.wsspi.org.osgi.service.component.annotations;version=latest,\
 	com.ibm.ws.kernel.service;version=latest,\
-	com.ibm.ws.kernel.boot;version=latest, \
+	com.ibm.ws.kernel.boot;version=latest,\
+	com.ibm.ws.kernel.boot.core;version=latest,\
 	com.ibm.ws.kernel.security.thread;version=latest,\
 	com.ibm.ws.org.osgi.annotation.versioning;version=latest
 

dev/com.ibm.ws.crypto.passwordutil/resources/com/ibm/ws/crypto/util/internal/resources/Messages.nlsprops

@@ -49,12 +49,20 @@ PASSWORDUTIL_UNSUPPORTEDENCODING_EXCEPTION.explanation=The password was not encr
 PASSWORDUTIL_UNSUPPORTEDENCODING_EXCEPTION.useraction=Check the server log and if the custom password encryption is used check the custom password encryption logs for further information.
 PASSWORDUTIL_INVALID_BASE64_STRING=CWWKS1859E: The password was not decrypted because a decoding error was reported.
 PASSWORDUTIL_INVALID_BASE64_STRING.explanation=The encrypted password was not encoded properly.
-PASSWORDUTIL_INVALID_BASE64_STRING.useraction=Make sure that the encrypted password is not truncated and encoded by using Base64 encoding.
-
+PASSWORDUTIL_INVALID_BASE64_STRING.useraction=Make sure that the encrypted password is not truncated and encoded with Base64 encoding.
+PASSWORDUTIL_EXCEPTION_FIPS130_AES128_UNAVAILABLE_ALGORITHM=CWWKS1860E: AES-128 encrypted passwords cannot be used when FIPS 140-3 is enabled. Regenerate the password with AES-256 using the securityUtility command.
+PASSWORDUTIL_EXCEPTION_FIPS130_AES128_UNAVAILABLE_ALGORITHM.explanation=FIPS-130 is enabled and does not support AES-128. Use the securityUtility command to encrypt the password using AES-256.
+PASSWORDUTIL_EXCEPTION_FIPS130_AES128_UNAVAILABLE_ALGORITHM.useraction=Make sure the password is encrypted with AES-256.
+PASSWORDUTIL_UNAVAILABLE_ENCRYPTION_ALGORITHM_EXCEPTION=CWWKS1861E: AES password encryption failed. Check your java.security settings and add the missing algorithm.
+PASSWORDUTIL_UNAVAILABLE_ENCRYPTION_ALGORITHM_EXCEPTION.explanation=An encryption algorithm is missing from your java.security file.
+PASSWORDUTIL_UNAVAILABLE_ENCRYPTION_ALGORITHM_EXCEPTION.useraction=Make sure that the algorithm is added to your java.security file.
+PASSWORDUTIL_UNAVAILABLE_DECRYPTION_ALGORITHM_EXCEPTION=CWWKS1862E: AES password decryption failed. Check your java.security settings and add the missing algorithm.
+PASSWORDUTIL_UNAVAILABLE_DECRYPTION_ALGORITHM_EXCEPTION.explanation=An encryption algorithm is missing from your java.security file.
+PASSWORDUTIL_UNAVAILABLE_DECRYPTION_ALGORITHM_EXCEPTION.useraction=Make sure that the algorithm is added to your java.security file.
 
 # ---------------- This is an exception message ------------
 PASSWORDUTIL_DUPLICATE_CUSTOM_ENCRYPTION=More than one CustomPasswordEncryption implementation is detected. Only one CustomPasswordEncryption implementation is supported. The list of detected CustomPasswordEncryption implementation is as follows:
 PASSWORDUTIL_ERROR_IN_EXTENSION_MANIFEST_FILE=An error was reported while processing the extension manifest file {0}. This file was ignored. The custom encryption is not available. The error message is {1}.
 PASSWORDUTIL_ERROR_MISSING_HEADER=The required header {0} was not found in the extension manifest file {1}. The custom encryption is not available.
 PASSWORDUTIL_ERROR_NO_FEATURE_MANIFEST=The feature manifest file which corresponds with the extension manifest file {0} was not found. The custom encryption is not available.
-PASSWORDUTIL_ERROR_UNSUPPORTED_OPERATION=The decryption operation is not supported by the hash algorithm. 
+PASSWORDUTIL_ERROR_UNSUPPORTED_OPERATION=The decryption operation is not supported by the hash algorithm.

dev/com.ibm.ws.crypto.passwordutil/src/com/ibm/websphere/crypto/PasswordUtil.java

@@ -14,6 +14,8 @@
 package com.ibm.websphere.crypto;
 
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.logging.Level;
@@ -22,6 +24,7 @@
 import com.ibm.ws.common.encoder.Base64Coder;
 import com.ibm.ws.crypto.util.InvalidPasswordCipherException;
 import com.ibm.ws.crypto.util.PasswordCipherUtil;
+import com.ibm.ws.crypto.util.MessageUtils;
 import com.ibm.ws.crypto.util.PasswordHashGenerator;
 import com.ibm.wsspi.security.crypto.EncryptedInfo;
 
@@ -637,13 +640,20 @@ private static String decode_password(String encoded_string, String crypto_algor
                     try {
                         decrypted_bytes = PasswordCipherUtil.decipher(encrypted_bytes, crypto_algorithm);
                     } catch (InvalidPasswordCipherException e) {
-                        logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", "PASSWORDUTIL_CYPHER_EXCEPTION", e);
+                        String message = e.getMessage();
+                        if (message != null && message.contains("FIPS 140-3")) {
+                            logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", MessageUtils.getMessage("PASSWORDUTIL_EXCEPTION_FIPS130_AES128_UNAVAILABLE_ALGORITHM"), e);
+                        } else {
+                            logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", "PASSWORDUTIL_CYPHER_EXCEPTION", e);
+                        }
                         return null;
                     } catch (UnsupportedCryptoAlgorithmException e) {
                         logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", "PASSWORDUTIL_UNKNOWN_ALGORITHM_EXCEPTION", e);
                         return null;
+                    } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+                        logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", MessageUtils.getMessage("PASSWORDUTIL_UNAVAILABLE_DECRYPTION_ALGORITHM_EXCEPTION"), e);
+                        return null;
                     }
-
                     if ((decrypted_bytes != null) && (decrypted_bytes.length > 0)) {
                         // convert decrypted password byte[] to string
                         decoded_string = convert_to_string(decrypted_bytes);
@@ -714,6 +724,9 @@ public static String encode_password(String decoded_string, String crypto_algori
                         } catch (UnsupportedCryptoAlgorithmException e) {
                             logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "encode_password", "PASSWORDUTIL_UNKNOWN_ALGORITHM_EXCEPTION", e);
                             return null;
+                        } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+                            logger.logp(Level.SEVERE, PasswordUtil.class.getName(), "decode_password", MessageUtils.getMessage("PASSWORDUTIL_UNAVAILABLE_ENCRYPTION_ALGORITHM_EXCEPTION"), e);
+                            return null;
                         }
                     }
                     if ((encrypted_bytes != null) && (encrypted_bytes.length > 0)) {
@@ -744,5 +757,4 @@ public static String encode_password(String decoded_string, String crypto_algori
 
         return buffer.toString();
     }
-
 }

dev/com.ibm.ws.crypto.passwordutil/src/com/ibm/ws/crypto/util/AESKeyManager.java

@@ -31,7 +31,6 @@
  */
 public class AESKeyManager {
     private static final AtomicReference<KeyStringResolver> _resolver = new AtomicReference<KeyStringResolver>();
-    private static final boolean DEBUG = Boolean.getBoolean("enableDebug"); // Used exclusively for debugging securityUtility
 
     public static enum KeyVersion {
         AES_V0("PBKDF2WithHmacSHA1", 84756, 128, new byte[] { -89, -94, -125, 57, 76, 90, -77, 79, 50, 21, 10, -98, 47, 23, 17, 56, -61, 46, 125, -128 }),
@@ -56,41 +55,21 @@ private KeyVersion(String alg, int iterations, int keyLength, byte[] salt) {
             this.salt = salt;
         }
 
-        private KeyHolder get(char[] keyChars) {
+        private KeyHolder get(char[] keyChars) throws NoSuchAlgorithmException, InvalidKeySpecException {
             KeyHolder holder = _key.get();
             if (holder == null || !!!holder.matches(keyChars)) {
-                try {
-                    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(alg);
-                    KeySpec aesKey = new PBEKeySpec(keyChars, salt, iterations, keyLength);
-                    byte[] data = keyFactory.generateSecret(aesKey).getEncoded();
-                    KeyHolder holder2 = new KeyHolder(keyChars, new SecretKeySpec(data, "AES"), new IvParameterSpec(data));
-                    _key.compareAndSet(holder, holder2);
-                    // Still use this holder for returns even if I do not end up caching it.
-                    holder = holder2;
-                } catch (InvalidKeySpecException e) {
-                    if (DEBUG) {
-                        securityUtilDebug("InvalidKeySpecException received. Returning null", e);
-                    }
-                    return null;
-                } catch (NoSuchAlgorithmException e) {
-                    if (DEBUG) {
-                        securityUtilDebug("InvalidKeySpecException received. Returning null", e);
-                    }
-                    return null;
-                }
-
+                SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(alg);
+                KeySpec aesKey = new PBEKeySpec(keyChars, salt, iterations, keyLength);
+                byte[] data = keyFactory.generateSecret(aesKey).getEncoded();
+                KeyHolder holder2 = new KeyHolder(keyChars, new SecretKeySpec(data, "AES"), new IvParameterSpec(data));
+                _key.compareAndSet(holder, holder2);
+                // Still use this holder for returns even if I do not end up caching it.
+                holder = holder2;
             }
-
             return holder;
         }
     }
 
-    // Used exclusively for debugging securityUtility
-    private static void securityUtilDebug(String message, Throwable throwable) {
-        System.out.println("[DEBUG] " + message);
-        throwable.printStackTrace(System.out); // Prints the exception stack trace
-    }
-
     private static class KeyHolder {
         private final char[] keyChars;
         private final Key key;
@@ -121,15 +100,13 @@ public IvParameterSpec getIv() {
         setKeyStringResolver(null);
     }
 
-    public static Key getKey(KeyVersion version, String key) {
-
+    public static Key getKey(KeyVersion version, String key) throws NoSuchAlgorithmException, InvalidKeySpecException {
         KeyHolder holder = getHolder(version, key);
-
         return holder.getKey();
     }
 
     @Deprecated
-    public static Key getKey(String key) {
+    public static Key getKey(String key) throws NoSuchAlgorithmException, InvalidKeySpecException {
 
         KeyHolder holder = getHolder(KeyVersion.AES_V0, key);
 
@@ -141,9 +118,8 @@ public static Key getKey(String key) {
      * @param keyChars
      * @return
      */
-    private static KeyHolder getHolder(KeyVersion version, String key) {
+    private static KeyHolder getHolder(KeyVersion version, String key) throws NoSuchAlgorithmException, InvalidKeySpecException {
         char[] keyChars = _resolver.get().getKey(key == null ? "${wlp.password.encryption.key}" : key);
-
         return version.get(keyChars);
     }
 
@@ -167,7 +143,7 @@ public char[] getKey(String key) {
      * @param cryptoKey
      * @return
      */
-    public static IvParameterSpec getIV(KeyVersion version, String cryptoKey) {
+    public static IvParameterSpec getIV(KeyVersion version, String cryptoKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
         if (version == KeyVersion.AES_V0) {
             return getHolder(version, cryptoKey).getIv();
         } else {
@@ -180,7 +156,7 @@ public static IvParameterSpec getIV(KeyVersion version, String cryptoKey) {
      * @return
      */
     @Deprecated
-    public static IvParameterSpec getIV(String cryptoKey) {
+    public static IvParameterSpec getIV(String cryptoKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
         return getHolder(KeyVersion.AES_V0, cryptoKey).getIv();
     }
-}
+}