From 8da9461b41e32bfa9a31a0ded93c6e3ad0d3e461 Mon Sep 17 00:00:00 2001
From: Neil Wilson
Date: Fri, 11 Oct 2024 10:51:46 -0500
Subject: [PATCH] Add a method for getting FIPS provider name

Updated CryptoHelper to add a method that makes it possible to retrieve the name of the active FIPS provider.
---
 src/com/unboundid/util/CryptoHelper.java | 40 +++++++++++++++++++
 .../unboundid/util/CryptoHelperTestCase.java | 3 ++
 2 files changed, 43 insertions(+)

diff --git a/src/com/unboundid/util/CryptoHelper.java b/src/com/unboundid/util/CryptoHelper.java
index c50b82a1a..b35a15eb8 100644
--- a/src/com/unboundid/util/CryptoHelper.java
+++ b/src/com/unboundid/util/CryptoHelper.java
@@ -232,6 +232,15 @@ public final class CryptoHelper
   @NotNull private static final AtomicReference FIPS_DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = new AtomicReference<>();
+
+
+
+  /**
+   * A reference to the name of the provider used to provide FIPS compliance,
+   * if applicable.
+   */
+  @NotNull private static final AtomicReference FIPS_PROVIDER_NAME =
+       new AtomicReference<>();
   static
   {
     ALLOWED_FIPS_MODE_PROVIDERS.addAll(StaticUtils.setOf(
@@ -272,6 +281,7 @@ public final class CryptoHelper
         fipsModePropertyValue.equalsIgnoreCase("false"))
     {
       FIPS_MODE = new AtomicBoolean(false);
+      FIPS_PROVIDER_NAME.set(null);
     }
     else if (fipsModePropertyValue.equalsIgnoreCase("true"))
     {
@@ -283,6 +293,7 @@ else if (fipsModePropertyValue.equalsIgnoreCase("true"))
                 BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME))
       {
         fipsProviderVersionString = null;
+        FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME);
       }
       else if (fipsProviderPropertyValue.equalsIgnoreCase(
                 BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
@@ -290,6 +301,8 @@ else if (fipsProviderPropertyValue.equalsIgnoreCase(
       {
         fipsProviderVersionString =
              BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1;
+        FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
+             BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1);
       }
       else if (fipsProviderPropertyValue.equalsIgnoreCase(
                 BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
@@ -297,10 +310,13 @@ else if (fipsProviderPropertyValue.equalsIgnoreCase(
       {
         fipsProviderVersionString =
              BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2;
+        FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
+             BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2);
       }
       else
       {
         fipsProviderVersionString = null;
+        FIPS_PROVIDER_NAME.set(null);
         Validator.violation(
              ERR_CRYPTO_HELPER_UNSUPPORTED_FIPS_PROVIDER.get(
                   fipsProviderPropertyValue,
@@ -354,11 +370,13 @@ else if (! prunePropertyValue.equalsIgnoreCase("false"))
                  get(PROPERTY_FIPS_MODE, StaticUtils.getExceptionMessage(e)),
              e);
         FIPS_MODE.set(false);
+        FIPS_PROVIDER_NAME.set(null);
       }
     }
     else
     {
       FIPS_MODE = new AtomicBoolean(false);
+      FIPS_PROVIDER_NAME.set(null);
       Validator.violation(
            ERR_CRYPTO_HELPER_INVALID_FIPS_MODE_PROPERTY_VALUE.get(
                 PROPERTY_FIPS_MODE, fipsModePropertyValue));
@@ -488,6 +506,22 @@ public static boolean usingFIPSMode()
+  /**
+   * Retrieves the name of the security provider used to provide FIPS
+   * compliance, if applicable.
+   *
+   * @return The name of the security provider used to provide FIPS compliance,
+   *         or {@code null} if the LDAP SDK is not operating in FIPS-compliant
+   *         mode.
+   */
+  @Nullable()
+  public static String getFIPSModeProviderName()
+  {
+    return FIPS_PROVIDER_NAME.get();
+  }
+
+
   /**
    * Specifies whether the LDAP SDK should operate in a strict FIPS-compliant
    * mode. If the LDAP SDK should operate in FIPS mode, then the Bouncy Castle
@@ -510,6 +544,7 @@ public static void setUseFIPSMode(final boolean useFIPSMode)
     else
     {
       FIPS_MODE.set(false);
+      FIPS_PROVIDER_NAME.set(null);
     }
   }
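Review bot: The Javadoc on the new `getFIPSModeProviderName()` promises "the name of the security provider", but the versioned branches in the static initializer (-290, -297) and in `setUseFIPSMode(String)` store `BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME + BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1` / `_VERSION_2`, so unless those version constants are empty (not visible here) the stored value is the SDK's provider identifier in the form the FIPS provider property accepts, not necessarily the JCA name a caller could hand to `Security.getProvider(...)`. I'd make the `@return` say that explicitly, e.g. `@return  The identifier of the selected FIPS provider, in the same form accepted by the FIPS provider property (the provider name, possibly with a version suffix), or {@code null} if the LDAP SDK is not operating in FIPS-compliant mode.` It is also worth a sentence that this value and `usingFIPSMode()` are held in two separate atomics, so a caller that reads both while another thread calls `setUseFIPSMode` may observe them out of step.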
@@ -545,6 +580,7 @@ public static void setUseFIPSMode(@NotNull final String providerName)
     {
       fipsProvider = BouncyCastleFIPSHelper.loadBouncyCastleFIPSProvider(true);
       jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true);
+      FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME);
     }
     else if (providerName.equalsIgnoreCase(
               BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
@@ -554,6 +590,8 @@ else if (providerName.equalsIgnoreCase(
                BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1, true);
       jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true,
            BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1, true);
+      FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
+           BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_1);
     }
     else if (providerName.equalsIgnoreCase(
               BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
@@ -563,6 +601,8 @@ else if (providerName.equalsIgnoreCase(
                BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2, true);
       jsseProvider = BouncyCastleFIPSHelper.loadBouncyCastleJSSEProvider(true,
            BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2, true);
+      FIPS_PROVIDER_NAME.set(BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME +
+           BouncyCastleFIPSHelper.FIPS_PROVIDER_VERSION_2);
     }
     else
     {
diff --git a/tests/unit/src/com/unboundid/util/CryptoHelperTestCase.java b/tests/unit/src/com/unboundid/util/CryptoHelperTestCase.java
index d9c70cc9e..e4513c30f 100644
--- a/tests/unit/src/com/unboundid/util/CryptoHelperTestCase.java
+++ b/tests/unit/src/com/unboundid/util/CryptoHelperTestCase.java
@@ -93,6 +93,7 @@ public void testUsingFIPSMode()
          throws Exception
   {
     assertFalse(CryptoHelper.usingFIPSMode());
+    assertNull(CryptoHelper.getFIPSModeProviderName());
     try
     {
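Review bot: `FIPS_PROVIDER_NAME` is published right after the two `load...Provider(true)` calls, before `setUseFIPSMode(String)` has finished; the remainder of the method is outside this hunk, but if it goes on to install the providers and only then sets `FIPS_MODE` to true, any failure in between leaves `getFIPSModeProviderName()` returning a name while `usingFIPSMode()` reports false, and the static-initializer paths take care to reset both together. The same pattern appears in the hunks at -554 and -563 below. I would capture the choice in a local in each branch, e.g. `final String selectedProviderName = BouncyCastleFIPSHelper.FIPS_PROVIDER_NAME;`, and call `FIPS_PROVIDER_NAME.set(selectedProviderName);` at the point where `FIPS_MODE` is set to true, with `FIPS_PROVIDER_NAME.set(null);` on the failure path, so the two values always change together.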
@@ -105,10 +106,12 @@ public void testUsingFIPSMode()
     }
     assertFalse(CryptoHelper.usingFIPSMode());
+    assertNull(CryptoHelper.getFIPSModeProviderName());
     CryptoHelper.setUseFIPSMode(false);
     assertFalse(CryptoHelper.usingFIPSMode());
+    assertNull(CryptoHelper.getFIPSModeProviderName());
     assertNotNull(CryptoHelper.getAllowedFIPSModeProviders());
     assertFalse(CryptoHelper.getAllowedFIPSModeProviders().isEmpty());