Merge pull request #26 from nats-io/fips-impl

FIPS Implementation

Author: scottf

.github/workflows/fips-main.yml

@@ -0,0 +1,45 @@
+name: FIPS Main Snapshot
+permissions:
+  contents: read
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'fips/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./fips
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc
+      - name: Publish Snapshot
+        run: ./gradlew -i publishToSonatype

.github/workflows/fips-pr.yml

@@ -0,0 +1,37 @@
+name: Fips Pull Request
+permissions:
+  contents: read
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'fips/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./fips
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc

.github/workflows/fips-release.yml

@@ -0,0 +1,38 @@
+name: Fips Publish Release
+permissions:
+  contents: read
+on:
+  push:
+    tags: [ 'fips/*' ]
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./fips
+    env:
+      BUILD_EVENT: "release"
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build, Sign and Publish Release
+        run: chmod +x gradlew && ./gradlew clean compileJava publishToSonatype closeAndReleaseSonatypeStagingRepository

fips/src/main/java/io/nats/nkey/FipsNKeyProvider.java

@@ -1,10 +1,22 @@
 package io.nats.nkey;
 
+import org.bouncycastle.crypto.UpdateOutputStream;
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPrivateKey;
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPublicKey;
+import org.bouncycastle.crypto.fips.FipsEdEC;
+import org.bouncycastle.crypto.fips.FipsOutputSigner;
+import org.bouncycastle.crypto.fips.FipsOutputVerifier;
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.jspecify.annotations.NullMarked;
 
+import java.io.IOException;
 import java.security.*;
 
+import static io.nats.nkey.NKeyConstants.ED25519_PUBLIC_KEYSIZE;
+import static io.nats.nkey.NKeyConstants.ED25519_SEED_SIZE;
+import static io.nats.nkey.NKeyProviderUtils.encodeSeed;
+import static io.nats.nkey.NKeyProviderUtils.nkeyDecode;
+
 @NullMarked
 public class FipsNKeyProvider extends NKeyProvider {
     static {
@@ -26,7 +38,14 @@ public FipsNKeyProvider() {
      */
     @Override
     public NKey createNKey(NKeyType type, byte[] seed) {
-        throw new UnsupportedOperationException("createPair not supported yet.");
+        byte[] pubBytes = FipsEdEC.computePublicData(FipsEdEC.Ed25519.getAlgorithm(), seed);
+
+        byte[] bytes = new byte[pubBytes.length + seed.length];
+        System.arraycopy(seed, 0, bytes, 0, seed.length);
+        System.arraycopy(pubBytes, 0, bytes, seed.length, pubBytes.length);
+
+        char[] encoded = encodeSeed(type, bytes);
+        return new NKey(this, type, null, encoded);
     }
 
     /**
@@ -35,22 +54,70 @@ public NKey createNKey(NKeyType type, byte[] seed) {
     @Override
     public KeyPair getKeyPair(NKey nkey) {
         nkey.ensurePair();
-        throw new UnsupportedOperationException("getKeyPair not supported yet.");
+        NKeyDecodedSeed decoded = nkey.getDecodedSeed();
+        byte[] seedBytes = new byte[ED25519_SEED_SIZE];
+        byte[] pubBytes = new byte[ED25519_PUBLIC_KEYSIZE];
+
+        System.arraycopy(decoded.bytes, 0, seedBytes, 0, seedBytes.length);
+        System.arraycopy(decoded.bytes, seedBytes.length, pubBytes, 0, pubBytes.length);
+
+        AsymmetricEdDSAPrivateKey privateKey = new AsymmetricEdDSAPrivateKey(FipsEdEC.Ed25519.getAlgorithm(), seedBytes, pubBytes);
+        AsymmetricEdDSAPublicKey publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), pubBytes);
+
+        return new KeyPair(new PublicKeyWrapper(publicKey), new PrivateKeyWrapper(privateKey));
     }
 
     /**
      * {@inheritDoc}
      */
     @Override
     public byte[] sign(NKey nkey, byte[] input) {
-        throw new UnsupportedOperationException("sign not supported yet.");
+        KeyPair keyPair = nkey.getKeyPair();
+        byte[] seedBytes = keyPair.getPrivate().getEncoded();
+        byte[] pubBytes = keyPair.getPublic().getEncoded();
+        AsymmetricEdDSAPrivateKey privateKey = new AsymmetricEdDSAPrivateKey(FipsEdEC.Ed25519.getAlgorithm(), seedBytes, pubBytes);
+
+        FipsEdEC.EdDSAOperatorFactory factory = new FipsEdEC.EdDSAOperatorFactory();
+        FipsOutputSigner<FipsEdEC.Parameters> signer = factory.createSigner(privateKey, FipsEdEC.EdDSA);
+
+        try {
+            UpdateOutputStream stream = signer.getSigningStream();
+            stream.update(input, 0, input.length);
+            stream.finished();
+            return signer.getSignature();
+        }
+        catch (IOException e) {
+            throw new RuntimeException(e);
+        }
     }
 
     /**
      * {@inheritDoc}
      */
     @Override
     public boolean verify(NKey nkey, byte[] input, byte[] signature) {
-        throw new UnsupportedOperationException("verify not supported yet.");
+        AsymmetricEdDSAPublicKey publicKey;
+        if (nkey.isPair()) {
+            byte[] pubBytes = nkey.getKeyPair().getPublic().getEncoded();
+            publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), pubBytes);
+        }
+        else {
+            char[] encodedPublicKey = nkey.getPublicKey();
+            byte[] decodedPublicKey = nkeyDecode(nkey.getType(), encodedPublicKey);
+            publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), decodedPublicKey);
+        }
+
+        FipsEdEC.EdDSAOperatorFactory factory = new FipsEdEC.EdDSAOperatorFactory();
+        FipsOutputVerifier<FipsEdEC.Parameters> verifier = factory.createVerifier(publicKey, FipsEdEC.EdDSA);
+
+        try {
+            UpdateOutputStream stream = verifier.getVerifyingStream();
+            stream.update(input, 0, input.length);
+            stream.close();
+            return verifier.isVerified(signature);
+        }
+        catch (IOException e) {
+            throw new RuntimeException(e);
+        }
     }
 }

fips/src/main/java/io/nats/nkey/PrivateKeyWrapper.java

@@ -0,0 +1,32 @@
+// Copyright 2025-2026 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package io.nats.nkey;
+
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPrivateKey;
+
+import java.security.PrivateKey;
+
+class PrivateKeyWrapper extends KeyWrapper implements PrivateKey {
+
+    final AsymmetricEdDSAPrivateKey privateKey;
+
+    public PrivateKeyWrapper(AsymmetricEdDSAPrivateKey privateKey) {
+        this.privateKey = privateKey;
+    }
+
+    @Override
+    public byte[] getEncoded() {
+        return privateKey.getSecret();
+    }
+}

fips/src/main/java/io/nats/nkey/PublicKeyWrapper.java

@@ -0,0 +1,32 @@
+// Copyright 2025-2026 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package io.nats.nkey;
+
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPublicKey;
+
+import java.security.PublicKey;
+
+class PublicKeyWrapper extends KeyWrapper implements PublicKey {
+
+    final AsymmetricEdDSAPublicKey publicKey;
+
+    public PublicKeyWrapper(AsymmetricEdDSAPublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+
+    @Override
+    public byte[] getEncoded() {
+        return publicKey.getPublicData();
+    }
+}

fips/src/test/java/io/nats/nkey/FipsProviderTests.java

@@ -21,6 +21,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.List;
 
 import static io.nats.nkey.NKeyConstants.NKEY_PROVIDER_CLASS_SYSTEM_PROPERTY;
 import static io.nats.nkey.NKeyProvider.getProvider;
@@ -463,4 +464,44 @@ private static void _testFromPublicKey(String userEncodedSeed, String userEncode
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromSeed.getPublicKey());
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromKey.getPublicKey());
     }
+
+    static byte[] TO_SIGN = "Synadia".getBytes(StandardCharsets.UTF_8);
+
+    @Test
+    public void testFromText() {
+        List<String> inputs = ResourceUtils.resourceAsLines("test-nkeys.txt");
+        for (int i = 0; i < inputs.size(); ) {
+            String name = inputs.get(i++);
+            int prefix = Integer.parseInt(inputs.get(i++));
+            char[] seed = inputs.get(i++).toCharArray();
+            char[] publicKey = inputs.get(i++).toCharArray();
+            char[] privateKey = inputs.get(i++).toCharArray();
+            byte[] decoded = toBytes(inputs.get(i++));
+            byte[] signed = toBytes(inputs.get(i++));
+
+            NKeyType type = NKeyType.fromPrefix(prefix);
+            assertNotNull(type);
+            assertEquals(name, type.name());
+
+            NKey fromSeed = PROVIDER.fromSeed(seed);
+            NKey fromPublicKey = PROVIDER.fromPublicKey(publicKey);
+
+            assertArrayEquals(seed, fromSeed.getSeed());
+            assertArrayEquals(publicKey, fromSeed.getPublicKey());
+            assertArrayEquals(privateKey, fromSeed.getPrivateKey());
+            assertArrayEquals(publicKey, fromPublicKey.getPublicKey());
+            assertEquals(prefix, fromSeed.getDecodedSeed().prefix);
+            assertArrayEquals(decoded, fromSeed.getDecodedSeed().bytes);
+            assertArrayEquals(signed, fromSeed.sign(TO_SIGN));
+        }
+    }
+
+    private byte[] toBytes(String s) {
+        String[] split = s.split(",");
+        byte[] decoded = new byte[split.length];
+        for (int i = 0; i < split.length; i++) {
+            decoded[i] = (byte) Integer.parseInt(split[i]);
+        }
+        return decoded;
+    }
 }