Extracion of crypto-pgp and making crypto work on FIPS #6241

JiriOndrusek · 2024-06-28T14:14:02Z

Crypto component was split into crypto and crypto-pgp to support FIPS. See the commit. (this is the reason of why this PR is opened against camel-main)

crypto-pgp is not registering BC as a provider; component contains only PGPDataFormat
crypto contains all other (CryptoDataFormat, components)

How to run crypto on FIPS the BC dependency has to be excluded and BCFIPS added (or another BC implementation for FIPS) .

Limitation: Because of the BCFIPS, it is not possible to use crypto and crypto-pgp together on FIPS system (if BCFIPS is utilized)

This PR contains:

new extension based on crypto-pgp component (uses BC). The component and all tests are extracted from the crypto component. All tests work on FIPS system.
fixes in bouncycastle-support to work correctly on FIPS system
added fips profile in crypto integration test module, to allow execution on FIPS systems
some *.adoc addition for FIPS in crypto and crypto-pgp etensions
it is not possible to utilize certificate-generator-support because the tests require DES and the certificate-generator-support uses RSA.

JiriOndrusek · 2024-06-28T14:14:15Z

@ppalaga FYI

aldettinger · 2024-07-01T07:27:31Z

The failure seems merely linked to uncommitted changes.

docs/modules/ROOT/pages/reference/extensions/crypto-pgp.adoc

docs/modules/ROOT/pages/reference/extensions/crypto.adoc

...untime/src/main/java/org/apache/camel/quarkus/support/bouncycastle/BouncyCastleRecorder.java

extensions/crypto-pgp/runtime/src/main/doc/limitations.adoc

extensions/crypto/runtime/src/main/doc/limitations.adoc

...ployment/src/main/java/org/apache/camel/quarkus/component/joor/deployment/JoorProcessor.java

...ts/crypto/src/test/java/org/apache/camel/quarkus/component/crypto/it/AbstractCryptoTest.java

aldettinger · 2024-07-01T07:48:40Z

That's quite a pr. Many thanks for transparently explaining the intent in the first note and putting so much useful comment in the code. It really helps one without much fips knowledge to review :)

...a/org/apache/camel/quarkus/support/bouncycastle/deployment/BouncyCastleSupportProcessor.java

extensions-support/bouncycastle/runtime/pom.xml

docs/modules/ROOT/pages/reference/extensions/crypto.adoc

extensions/crypto-pgp/runtime/pom.xml

docs/modules/ROOT/pages/reference/extensions/crypto-pgp.adoc

JiriOndrusek · 2024-07-08T13:26:15Z

@ppalaga

It is still not clear to me what happens when bcprov is excluded from crypto-pgp and replaced with BCFIPS. Have you tried that by any chance?

There might be more problems related to this question. The major one is that bcpg depends on bcprov. Class BcKeyFingerprintCalculator references org.bouncycastle.crypto.Digest; The same class is not part of the bcfips. (I checked the jar downloaded by maven, and you can see it e.g in this fork)

Therefore it is not possible to replace bcprov with bcfips.

The only workaround I'm aware of is to have a different bouncycastle fips implementation, which uses different packages. In this case the bcprov and custom_bcfips can coexist in the project and should work together)
For illustration, the bcprov package org.bouncycastle contains 11 sub-packages; bcfip's org.bouncycastle contains 2 sub-packages. (So I expect more possible issues.)

aldettinger

@JiriOndrusek The ci failure seems linked to needed regeneration, beyond looks good

JiriOndrusek · 2024-07-08T14:40:49Z

@JiriOndrusek The ci failure seems linked to needed regeneration, beyond looks good

Yes, I forgot to regenerate POMS when I was maintaining camel-main, hopefully now it is ok

ppalaga · 2024-07-09T11:31:14Z

@ppalaga

It is still not clear to me what happens when bcprov is excluded from crypto-pgp and replaced with BCFIPS. Have you tried that by any chance?

There might be more problems related to this question. The major one is that bcpg depends on bcprov. Class BcKeyFingerprintCalculator references org.bouncycastle.crypto.Digest; The same class is not part of the bcfips. (I checked the jar downloaded by maven, and you can see it e.g in this fork)

Therefore it is not possible to replace bcprov with bcfips.

Good to know, thanks for the information!

...untime/src/main/java/org/apache/camel/quarkus/support/bouncycastle/BouncyCastleRecorder.java

JiriOndrusek · 2024-07-10T08:36:15Z

I switched this PR to draft and I'll rebase to main, as soon as Upgrade to Camel 4.7.0 is merged (#6264)

extensions/crypto/runtime/src/main/doc/usage.adoc

JiriOndrusek · 2024-07-11T09:32:27Z

@ppalaga I applied the idea of crypto not needing BC.
• I excluded BC from camel-crypto (until getting change from Camel) via BOM
• User has to add dependency to BCFIPS and quarkus-security and register BCFIPS provider to make crypto work on FIPS -> I described that in README.adoc
• the tests for crypto extension got simplified

JiriOndrusek · 2024-08-08T14:17:42Z

The crypto/crypto-pgp changes are present in Camel 3.7.0.
I rebased this PR against main and I think that it could be approved/merged. All the questions and suggestions are answered or fixed.

JiriOndrusek · 2024-08-12T07:03:43Z

@ppalaga WDYT? Can we merge this PR?

ppalaga

Looks great, thanks @JiriOndrusek !