4 changes: 4 additions & 0 deletions modules/commons/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,10 @@
<groupId>commons-pool</groupId>
<artifactId>commons-pool</artifactId>
</dependency>
<dependency>
<groupId>jaxen</groupId>
<artifactId>jaxen</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.orbit.javax.activation</groupId>
<artifactId>activation</artifactId>
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
package org.apache.synapse.commons.crypto;

import org.apache.axis2.AxisFault;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.securevault.CipherFactory;
Expand All @@ -43,6 +44,7 @@ public class CryptoUtil {
private EncodeDecodeTypes inType = null;
private EncodeDecodeTypes outType = null;
private String algorithm = null;
private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";

/**
* Public constructor
Expand Down Expand Up @@ -106,19 +108,7 @@ public void init(Properties secureVaultProperties) throws AxisFault {
cipherInformation.setInType(null); //skipping decoding encoding in securevault
cipherInformation.setOutType(null); //skipping decoding encoding in securevault
if (provider != null && !provider.isEmpty()) {
String providerClass;
if (CryptoConstants.BOUNCY_CASTLE_PROVIDER.equals(provider)) {
providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
} else if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(provider)) {
providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
} else {
throw new AxisFault("Unsupported JCE Provider: " + provider);
}
try {
Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
} catch (Exception e) {
throw new AxisFault("Error while initializing the JCE Provider: " + provider, e);
}
addProvider(provider);
cipherInformation.setProvider(provider);
//todo need to add other providers if there are any.
}
Expand Down Expand Up @@ -148,4 +138,20 @@ public boolean isInitialized() {
return isInitialized;
}

private static void addProvider(String jceProvider) throws AxisFault {
if (StringUtils.isEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
String providerClass;
if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(jceProvider)) {
providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
} else {
providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
}
try {
Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
} catch (Exception e) {
throw new AxisFault("Error while initializing the JCE provider: " + providerClass, e);
}
}
}

}
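Review bot: The else branch of addProvider (L84-L85) now treats every name other than BOUNCY_CASTLE_FIPS_PROVIDER as the non-FIPS BouncyCastleProvider, whereas the removed code rejected unknown names with `Unsupported JCE Provider`; a misspelt provider value in a FIPS deployment would register the non-FIPS provider without any error. The same fallback appears in OCSPVerifier.addProvider (L418-L422). Restore the explicit check for BOUNCY_CASTLE_PROVIDER and the rejection of anything else, as below. The skip when `security.jce.provider` is set also deserves a comment, since `cipherInformation.setProvider(provider)` at L72 still relies on that provider being registered by something else — presumably the runtime's startup code, worth confirming.
```java
private static void addProvider(String jceProvider) throws AxisFault {
    // A non-empty security.jce.provider is taken to mean the provider is already registered — TODO confirm with the startup code.
    if (StringUtils.isEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
        String providerClass;
        if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(jceProvider)) {
            providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
        } else if (CryptoConstants.BOUNCY_CASTLE_PROVIDER.equals(jceProvider)) {
            providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
        } else {
            throw new AxisFault("Unsupported JCE Provider: " + jceProvider);
        }
        // … unchanged: reflective instantiation and Security.addProvider …
    }
}
```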
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,8 @@ public class RabbitMQStore extends AbstractMessageStore {
public static final String SSL_TRUSTSTORE_TYPE = "rabbitmq.connection.ssl.truststore.type";
public static final String SSL_TRUSTSTORE_PASSWORD = "rabbitmq.connection.ssl.truststore.password";
public static final String SSL_VERSION = "rabbitmq.connection.ssl.version";
private static final String PKIX = "PKIX";
private static final String JCE_PROVIDER = "security.jce.provider";

public static final String AMQ_PREFIX = "amq.";

Expand Down Expand Up @@ -214,15 +216,14 @@ private void setSSL(boolean sslEnabled) {
KeyStore ks = KeyStore.getInstance(keyStoreType);
ks.load(new FileInputStream(keyStoreLocation), keyPassphrase);

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(getKeyManagerType());
kmf.init(ks, keyPassphrase);

char[] trustPassphrase = trustStorePassword.toCharArray();
KeyStore tks = KeyStore.getInstance(trustStoreType);
tks.load(new FileInputStream(trustStoreLocation), trustPassphrase);

TrustManagerFactory tmf = TrustManagerFactory
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(getTrustManagerType());
tmf.init(tks);

SSLContext c = SSLContext.getInstance(sslVersion);
Expand Down Expand Up @@ -477,4 +478,20 @@ public MessageContext get(String messageId) {
private String nameString() {
return "Store [" + getName() + "]";
}

private static String getTrustManagerType() {
String provider = System.getProperty(JCE_PROVIDER);
if (StringUtils.isNotEmpty(provider)) {
return PKIX;
}
return TrustManagerFactory.getDefaultAlgorithm();
}

private static String getKeyManagerType() {
String provider = System.getProperty(JCE_PROVIDER);
if (StringUtils.isNotEmpty(provider)) {
return PKIX;
}
return KeyManagerFactory.getDefaultAlgorithm();
}
}
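Review bot: getTrustManagerType and getKeyManagerType (L129-L143) read the `security.jce.provider` value into `provider` but only test its presence, so any configured provider — whatever its name — switches both factories to a hard-coded `PKIX`; that assumption should be stated, e.g. `// Any configured JCE provider is assumed to expose PKIX key/trust managers; the JDK default is used otherwise.` The two helpers differ only in the fallback and can be one method, `private static String managerType(String defaultAlgorithm) { return StringUtils.isNotEmpty(System.getProperty(JCE_PROVIDER)) ? PKIX : defaultAlgorithm; }`, called with `KeyManagerFactory.getDefaultAlgorithm()` and `TrustManagerFactory.getDefaultAlgorithm()`. While setSSL is being touched, the two `new FileInputStream(...)` at L108 and L116 are never closed; try-with-resources would fix that, though setSSL starts and ends outside this hunk.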
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
*/
package org.apache.synapse.util.xpath;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jaxen.Context;
Expand Down Expand Up @@ -44,7 +45,10 @@ public class DecryptFunction implements Function {
private static final Log log = LogFactory.getLog(DecryptFunction.class);
private static final String DEFAULT_ALGORITHM = "RSA";
private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
private static Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
private static final Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
public static final String BCFKS = "BCFKS";

@Override
public Object call(Context context, List args) throws FunctionCallException {
Expand All @@ -62,7 +66,7 @@ public Object call(Context context, List args) throws FunctionCallException {
String keyStore = StringFunction.evaluate(args.get(1), context.getNavigator());
String keyStorePassword = StringFunction.evaluate(args.get(2), context.getNavigator());
String keyStoreAlias = StringFunction.evaluate(args.get(3), context.getNavigator());
return decrypt(encryptedText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, DEFAULT_KEYSTORE_TYPE,
return decrypt(encryptedText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, getKeyType(),
DEFAULT_ALGORITHM);
}
if (size == 5) {
Expand Down Expand Up @@ -132,4 +136,13 @@ private Cipher getCipherInstance(String algorithm) throws NoSuchPaddingException
}
return cipherInstance;
}

private static String getKeyType() {
String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
if (StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
return StringUtils.isNotEmpty(keyType) ? keyType : BCFKS;
} else {
return StringUtils.isNotEmpty(keyType) ? keyType : DEFAULT_KEYSTORE_TYPE;
}
}
}
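Review bot: `public static final String BCFKS` (L162) widens the class's interface for a constant that only getKeyType uses; make it private unless an external caller is planned. getKeyType's two branches differ only in their fallback and read more simply as `if (StringUtils.isNotEmpty(keyType)) { return keyType; }` followed by `return StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER)) ? BCFKS : DEFAULT_KEYSTORE_TYPE;`. Note also that the four-argument form at L171 now applies the `primary.key.type` property to whatever keystore path the caller passed at L167, which need not be the primary keystore; if that is intended, a Javadoc on getKeyType saying the configured primary keystore type is assumed for all four-argument calls would make it explicit. EncryptFunction (L206, L224-L231) has the identical constants and helper.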
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
*/
package org.apache.synapse.util.xpath;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jaxen.Context;
Expand Down Expand Up @@ -43,7 +44,10 @@ public class EncryptFunction implements Function {
private static final Log log = LogFactory.getLog(EncryptFunction.class);
private static final String DEFAULT_ALGORITHM = "RSA";
private static final String DEFAULT_KEYSTORE_TYPE ="JKS";
private static Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
private static final Map<String, Cipher> cipherInstancesMap = new ConcurrentHashMap<>();
private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
public static final String BCFKS = "BCFKS";

@Override
public Object call(Context context, List args) throws FunctionCallException {
Expand All @@ -61,7 +65,7 @@ public Object call(Context context, List args) throws FunctionCallException {
String keyStore = StringFunction.evaluate(args.get(1), context.getNavigator());
String keyStorePassword = StringFunction.evaluate(args.get(2), context.getNavigator());
String keyStoreAlias = StringFunction.evaluate(args.get(3), context.getNavigator());
return encrypt(plainText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, DEFAULT_KEYSTORE_TYPE,
return encrypt(plainText.getBytes(), keyStore, keyStorePassword, keyStoreAlias, getKeyType(),
DEFAULT_ALGORITHM);
}
if (size == 5) {
Expand Down Expand Up @@ -131,4 +135,13 @@ private Cipher getCipherInstance(String algorithm) throws NoSuchPaddingException
}
return cipherInstance;
}

private static String getKeyType() {
String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
if (StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
return StringUtils.isNotEmpty(keyType) ? keyType : BCFKS;
} else {
return StringUtils.isNotEmpty(keyType) ? keyType : DEFAULT_KEYSTORE_TYPE;
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
package org.apache.synapse.mediators.opa;

import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpEntity;
Expand Down Expand Up @@ -69,6 +70,10 @@ public class OPAClient {
private int connectionTimeout = 30;

private CloseableHttpClient httpClient = null;
private static final String PRIMARY_KEY_STORE_TYPE_PROPERTY = "primary.key.type";
private static final String DEFAULT_KEYSTORE_TYPE ="JKS";
private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";
public static final String BCFKS = "BCFKS";

public OPAClient(String url, Map<String, String> additionalParameters) throws OPASecurityException {

Expand Down Expand Up @@ -191,7 +196,7 @@ private PoolingHttpClientConnectionManager getPoolingHttpClientConnectionManager
String trustStoreLocation = System.getProperty(OPAConstants.TRUST_STORE_LOCATION_SYSTEM_PROPERTY);
File trustStoreFile = new File(trustStoreLocation);
try (InputStream localTrustStoreStream = new FileInputStream(trustStoreFile)) {
KeyStore trustStore = KeyStore.getInstance("JKS");
KeyStore trustStore = KeyStore.getInstance(getKeyType());
trustStore.load(localTrustStoreStream, trustStorePassword);
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStore).build();

Expand Down Expand Up @@ -251,4 +256,15 @@ public CloseableHttpClient createHttpClient(String url) throws OPASecurityExcept

return HttpClients.custom().setConnectionManager(pool).setDefaultRequestConfig(params).build();
}

private static String getKeyType() {
String keyType = System.getProperty(PRIMARY_KEY_STORE_TYPE_PROPERTY);
if (StringUtils.isNotEmpty(keyType)) {
return keyType;
}
if (System.getProperty(SECURITY_JCE_PROVIDER) != null) {
return BCFKS;
}
return DEFAULT_KEYSTORE_TYPE;
}
}
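Review bot: getKeyType tests `System.getProperty(SECURITY_JCE_PROVIDER) != null` (L272) while the sibling helpers in DecryptFunction (L182) and EncryptFunction (L226) use `StringUtils.isNotEmpty`, so an empty-string property selects BCFKS here but JKS there; StringUtils is already imported at L238, so `if (StringUtils.isNotEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {` keeps the files consistent. The returned type is used at L258 to load the store at TRUST_STORE_LOCATION_SYSTEM_PROPERTY, yet the property read is `primary.key.type`; a deployment whose trust store type differs from the primary keystore's would fail to load, so either a trust-store-specific type property or a comment stating that both stores are assumed to share a type seems warranted. `public static final String BCFKS` (L249) can be private.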
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
*/
package org.apache.synapse.securevault.definition;

import org.apache.commons.lang.StringUtils;
import org.apache.synapse.securevault.secret.SecretInformation;

import javax.net.ssl.KeyManagerFactory;
Expand All @@ -30,6 +31,8 @@ public class IdentityKeyStoreInformation extends KeyStoreInformation {

/* Password for access private key*/
private SecretInformation keyPasswordProvider;
private static final String PKIX = "PKIX";
private static final String JCE_PROVIDER = "security.jce.provider";

public void setKeyPasswordProvider(SecretInformation keyPasswordProvider) {
this.keyPasswordProvider = keyPasswordProvider;
Expand All @@ -48,8 +51,7 @@ public KeyManagerFactory getIdentityKeyManagerFactoryInstance() {
}

KeyStore keyStore = this.getIdentityKeyStore();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(getManagerType());
keyManagerFactory.init(keyStore, keyPasswordProvider.getResolvedSecret().toCharArray());

return keyManagerFactory;
Expand All @@ -72,4 +74,13 @@ public KeyStore getIdentityKeyStore() {
public SecretInformation getKeyPasswordProvider() {
return keyPasswordProvider;
}

private static String getManagerType() {
String provider = System.getProperty(JCE_PROVIDER);
if (StringUtils.isNotEmpty(provider)) {
return PKIX;
} else {
return KeyManagerFactory.getDefaultAlgorithm();
}
}
}
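Review bot: getManagerType (L311-L318) and its PKIX/JCE_PROVIDER constants (L291-L292) are duplicated verbatim in TrustKeyStoreInformation (L334-L335, L354-L360); since both classes extend KeyStoreInformation, one protected static helper taking the default algorithm in the base class would remove both copies. The helper also has no Javadoc; a one-liner such as `/** Returns the key-manager algorithm: PKIX when a JCE provider is configured via security.jce.provider, else the JDK default. */` would record the hard-coded PKIX assumption. Whether the configured provider actually supplies a PKIX KeyManagerFactory is not checked here; getIdentityKeyManagerFactoryInstance, which starts outside the hunk, presumably handles the resulting NoSuchAlgorithmException.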
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@
*/
package org.apache.synapse.securevault.definition;

import org.apache.commons.lang.StringUtils;

import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;

Expand All @@ -26,6 +28,9 @@
*/
public class TrustKeyStoreInformation extends KeyStoreInformation {

private static final String PKIX = "PKIX";
private static final String JCE_PROVIDER = "security.jce.provider";

/**
* Returns the TrustManagerFactory instance
*
Expand All @@ -38,8 +43,7 @@ public TrustManagerFactory getTrustManagerFactoryInstance() {
log.debug("Creating a TrustManagerFactory instance");
}
KeyStore trustStore = this.getTrustStore();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getManagerType());
trustManagerFactory.init(trustStore);

return trustManagerFactory;
Expand All @@ -60,4 +64,11 @@ public KeyStore getTrustStore() {

}

private static String getManagerType() {
String provider = System.getProperty(JCE_PROVIDER);
if (StringUtils.isNotEmpty(provider)) {
return PKIX;
}
return TrustManagerFactory.getDefaultAlgorithm();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
*/
package org.apache.synapse.transport.certificatevalidation.ocsp;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpResponse;
Expand All @@ -27,6 +28,7 @@
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.synapse.commons.crypto.CryptoConstants;
import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
import org.apache.synapse.transport.certificatevalidation.Constants;
import org.apache.synapse.transport.certificatevalidation.RevocationStatus;
Expand Down Expand Up @@ -79,7 +81,7 @@ public OCSPVerifier(OCSPCache cache) {
public static final String ACCEPT_TYPE = "Accept";
public static final String OCSP_REQUEST_TYPE = "application/ocsp-request";
public static final String OCSP_RESPONSE_TYPE = "application/ocsp-response";

private static final String SECURITY_JCE_PROVIDER = "security.jce.provider";

/**
* Gets the revocation status (Good, Revoked or Unknown) of the given peer certificate.
Expand Down Expand Up @@ -201,20 +203,7 @@ protected OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws Ce
private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
throws CertificateVerificationException {
String jceProvider = getPreferredJceProvider();
String providerClass;
if (jceProvider.equals(Constants.BOUNCY_CASTLE_PROVIDER)) {
providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
} else if (jceProvider.equals(Constants.BOUNCY_CASTLE_FIPS_PROVIDER)) {
providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
} else {
throw new CertificateVerificationException("Unsupported JCE provider: " + jceProvider);
}
try {
Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
} catch (Exception e) {
throw new CertificateVerificationException("Error while initializing the JCE provider: "
+ providerClass, e);
}
addProvider(jceProvider);

try {

Expand Down Expand Up @@ -299,4 +288,21 @@ private static String getPreferredJceProvider() {
}
return Constants.BOUNCY_CASTLE_PROVIDER;
}

public static void addProvider(String jceProvider) throws CertificateVerificationException {
if (StringUtils.isEmpty(System.getProperty(SECURITY_JCE_PROVIDER))) {
String providerClass;
if (CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER.equals(jceProvider)) {
providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
} else {
providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
}
try {
Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
} catch (Exception e) {
throw new CertificateVerificationException("Error while initializing the JCE provider: " +
providerClass, e);
}
}
}
}
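Review bot: addProvider (L415) is `public static` while the equivalent in CryptoUtil is private, and nothing on the page calls it from outside; a public method that mutates the JVM-wide Security provider list is a wide interface, so `private static void addProvider(String jceProvider) throws CertificateVerificationException {` unless a caller needs it. The method compares against `CryptoConstants.BOUNCY_CASTLE_FIPS_PROVIDER` (L418) whereas getPreferredJceProvider returns `Constants.BOUNCY_CASTLE_PROVIDER` (L412) and the removed code used `Constants.BOUNCY_CASTLE_FIPS_PROVIDER` (L395); if the two constant sources ever diverge, the FIPS comparison fails and the else branch registers the non-FIPS provider with no error. Pick one source for the provider names, and ideally move this helper next to CryptoUtil.addProvider so the two do not drift.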