Add auth-callout-bcfips example

auth-callout-bcfips/README.md

@@ -0,0 +1,7 @@
+![NATS](../images/large-logo.png)
+
+# Auth Callout with BCFIPS
+
+This example is an extension of the [Auth Callout](../auth-callout/README.md) example,
+that swaps out the default BouncyCastle security provider with the BCFIPS provider.
+This allows the example to run in FIPS mode.

auth-callout-bcfips/build.gradle

@@ -0,0 +1,36 @@
+plugins {
+    id 'java'
+    id 'application'
+}
+
+repositories {
+    mavenLocal() // TODO: remove once dependencies are released
+    mavenCentral()
+    maven { url "https://repo1.maven.org/maven2/" }
+    maven { url "https://central.sonatype.com/repository/maven-snapshots" }
+}
+
+sourceSets {
+    main {
+        java {
+            srcDirs = ['src/main/java', '../auth-callout/src/main/java']
+        }
+    }
+}
+
+dependencies {
+    implementation('io.nats:nkeys-java:2.1.2-SNAPSHOT') {
+        // To use BouncyCastle FIPS, we first need to exclude the standard BouncyCastle library
+        exclude group: 'org.bouncycastle'
+    }
+    implementation 'io.nats:jnats-json:2.22.0'
+    implementation 'io.nats:jwt-java:2.2.0'
+    implementation('io.nats:jnats:2.24.1') {
+        // To use BouncyCastle FIPS, we first need to exclude the standard BouncyCastle library
+        exclude group: 'org.bouncycastle'
+    }
+    // After excluding the normal edition we can include the FIPS edition, here a debug version
+    implementation("org.bouncycastle:bc-fips-debug:2.1.2")
+    testImplementation(platform('org.junit:junit-bom:5.8.2'))
+    testImplementation('org.junit.jupiter:junit-jupiter')
+}

auth-callout-bcfips/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

auth-callout-bcfips/settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'auth-callout-bcfips'

auth-callout-bcfips/src/main/java/io/nats/authcalloutbcfips/AuthCalloutServiceBcFipsExample.java

@@ -0,0 +1,44 @@
+package io.nats.authcalloutbcfips;
+
+import io.nats.authcallout.AuthCalloutServiceExample;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+
+import java.security.Provider;
+import java.security.Security;
+
+import static org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.PROVIDER_NAME;
+
+public class AuthCalloutServiceBcFipsExample {
+    public static void main(String[] args) throws Exception {
+        setupBcFips();
+
+        // Normally set via JVM argument:
+        // -Dio.nats.nkey.security.provider=BCFIPS
+        System.setProperty("io.nats.nkey.security.provider", PROVIDER_NAME);
+        // or
+        // -Dio.nats.nkey.security.provider
+        // System.setProperty("io.nats.nkey.security.provider", "");
+        // if BCFIPS is configured as the default provider
+
+        AuthCalloutServiceExample.main(args);
+    }
+
+    private static void setupBcFips() {
+        // For test purposes. This is not a BCFIPS guide.
+        if (Security.getProvider(PROVIDER_NAME) != null) {
+            return;
+        }
+        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
+        Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
+        Security.setProperty("org.bouncycastle.fips.approved_only", "true");
+
+        for (Provider otherProvider : Security.getProviders()) {
+            String providerName = otherProvider.getName();
+            if (!"SUN".equals(providerName)) {
+                Security.removeProvider(providerName);
+            }
+        }
+
+        Security.insertProviderAt(new BouncyCastleFipsProvider("C:DEFRND[SHA256];ENABLE{ALL};"), 1);
+    }
+}