Add a method for getting FIPS provider name
Updated CryptoHelper to add a method that makes it possible to
retrieve the name of the active FIPS provider.
dirmgr committed Oct 11, 2024
1 parent 61b1268 commit 8da9461
Showing 2 changed files with 43 additions and 0 deletions.
40 changes: 40 additions & 0 deletions src/com/unboundid/util/CryptoHelper.java
Expand Up @@ -232,6 +232,15 @@ public final class CryptoHelper
@NotNull private static final AtomicReference<String>
FIPS_DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM =
new AtomicReference<>();



/**
* A reference to the name of the provider used to provide FIPS compliance,
* if applicable.
*/
@NotNull private static final AtomicReference<String> FIPS_PROVIDER_NAME =
new AtomicReference<>();
static
{
ALLOWED_FIPS_MODE_PROVIDERS.addAll(StaticUtils.setOf(
Expand Down Expand Up @@ -272,6 +281,7 @@ public final class CryptoHelper
fipsModePropertyValue.equalsIgnoreCase("false"))
{
FIPS_MODE = new AtomicBoolean(false);
FIPS_PROVIDER_NAME.set(null);
}
else if (fipsModePropertyValue.equalsIgnoreCase("true"))
{
Expand All @@ -283,24 +293,30 @@ else if (fipsModePropertyValue.equalsIgnoreCase("true"))
BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME))
{
fipsProviderVersionString = null;
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME);
}
else if (fipsProviderPropertyValue.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1))
{
fipsProviderVersionString =
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1;
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1);
}
else if (fipsProviderPropertyValue.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2))
{
fipsProviderVersionString =
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2;
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2);
}
else
{
fipsProviderVersionString = null;
FIPS_PROVIDER_NAME.set(null);
Validator.violation(
ERR_CRYPTO_HELPER_UNSUPPORTED_FIPS_PROVIDER.get(
fipsProviderPropertyValue,
Expand Down Expand Up @@ -354,11 +370,13 @@ else if (! prunePropertyValue.equalsIgnoreCase("false"))
get(PROPERTY_FIPS_MODE, StaticUtils.getExceptionMessage(e)),
e);
FIPS_MODE.set(false);
FIPS_PROVIDER_NAME.set(null);
}
}
else
{
FIPS_MODE = new AtomicBoolean(false);
FIPS_PROVIDER_NAME.set(null);
Validator.violation(
ERR_CRYPTO_HELPER_INVALID_FIPS_MODE_PROPERTY_VALUE.get(
PROPERTY_FIPS_MODE, fipsModePropertyValue));
Expand Down Expand Up @@ -488,6 +506,22 @@ public static boolean usingFIPSMode()



/**
* Retrieves the name of the security provider used to provide FIPS
* compliance, if applicable.
*
* @return The name of the security provider used to provide FIPS compliance,
* or {@code null} if the LDAP SDK is not operating in FIPS-compliant
* mode.
*/
@Nullable()
public static String getFIPSModeProviderName()
{
return FIPS_PROVIDER_NAME.get();
}



/**
* Specifies whether the LDAP SDK should operate in a strict FIPS-compliant
* mode. If the LDAP SDK should operate in FIPS mode, then the Bouncy Castle
Expand All @@ -510,6 +544,7 @@ public static void setUseFIPSMode(final boolean useFIPSMode)
else
{
FIPS_MODE.set(false);
FIPS_PROVIDER_NAME.set(null);
}
}

Expand Down Expand Up @@ -545,6 +580,7 @@ public static void setUseFIPSMode(@NotNull final String providerName)
{
fipsProvider = BouncyCastleFIPSHelper.loadBouncyCastleFIPSProvider(true);
jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true);
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME);
}
else if (providerName.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
Expand All @@ -554,6 +590,8 @@ else if (providerName.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1, true);
jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true,
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1, true);
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1);
}
else if (providerName.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
Expand All @@ -563,6 +601,8 @@ else if (providerName.equalsIgnoreCase(
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2, true);
jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true,
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2, true);
FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2);
}
else
{
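Review bot: In `setUseFIPSMode(String)` the three added `FIPS_PROVIDER_NAME.set(...)` calls run as soon as the providers are loaded, while the rest of the method, including whatever sets `FIPS_MODE`, lies outside the visible hunks; if a later step throws, the name could stay set while `usingFIPSMode()` still returns false. The static initializer does clear it in its catch block (`FIPS_PROVIDER_NAME.set(null);` next to `FIPS_MODE.set(false);`), so the setter should either do the same on failure or record the name only at the point where `FIPS_MODE` becomes true. Because the flag and the name are two separate atomics, a concurrent reader can also observe them disagreeing for a moment, which matters if the name ends up in compliance or audit logging. From the visible lines the stored value is the configured identifier (`FIPS_PROVIDER_NAME`, optionally concatenated with a version constant) rather than something read from the loaded provider, so the Javadoc of `getFIPSModeProviderName()` should say so, e.g. `The value is the configured provider identifier and may include a version suffix; it is not guaranteed to equal Provider.getName().`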
3 changes: 3 additions & 0 deletions tests/unit/src/com/unboundid/util/CryptoHelperTestCase.java
Expand Up @@ -93,6 +93,7 @@ public void testUsingFIPSMode()
throws Exception
{
assertFalse(CryptoHelper.usingFIPSMode());
assertNull(CryptoHelper.getFIPSModeProviderName());

try
{
Expand All @@ -105,10 +106,12 @@ public void testUsingFIPSMode()
}

assertFalse(CryptoHelper.usingFIPSMode());
assertNull(CryptoHelper.getFIPSModeProviderName());

CryptoHelper.setUseFIPSMode(false);

assertFalse(CryptoHelper.usingFIPSMode());
assertNull(CryptoHelper.getFIPSModeProviderName());

assertNotNull(CryptoHelper.getAllowedFIPSModeProviders());
assertFalse(CryptoHelper.getAllowedFIPSModeProviders().isEmpty());
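Review bot: The three added `assertNull(CryptoHelper.getFIPSModeProviderName());` calls only cover states where FIPS mode is off, so nothing pins the value the getter returns in the branches that set it, including the name-plus-version concatenation. If the test classpath can load a FIPS provider (not visible from this page), an assertion after a successful `setUseFIPSMode(...)` that the name is non-null and `usingFIPSMode()` is true would cover that. Otherwise, a case that passes an unsupported name to `setUseFIPSMode(String)` and then checks `assertNull(CryptoHelper.getFIPSModeProviderName());` would at least confirm that a rejected request leaves no provider name behind. The body of `testUsingFIPSMode` continues outside the visible hunks.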
