Java Code Examples for org.bouncycastle.crypto.CryptoServicesRegistrar#setApprovedOnlyMode()
The following examples show how to use
org.bouncycastle.crypto.CryptoServicesRegistrar#setApprovedOnlyMode().
Example 1
Source File: FIPSTest.java From snowflake-kafka-connector with Apache License 2.0 | 6 votes |
/**
 * Verifies that turning on BC-FIPS approved-only mode keeps the AES-encrypted private key
 * readable while the DES-encrypted one is rejected with {@code SnowflakeErrors.ERROR_0018}.
 *
 * <p>NOTE(review): approved-only mode is switched on and not switched back in this method, so
 * anything that later runs on the same thread may see the stricter mode. Confirm whether a
 * teardown elsewhere in the class deals with that.
 *
 * @throws IOException declared by the key helpers used below
 * @throws OperatorCreationException declared by the key helpers used below
 */
@Test
public void testFips() throws IOException, OperatorCreationException {
  // Passphrase used for both encrypted test keys in this method.
  final String passphrase = "sfdsfs1312AAAFDSf121!!!";
  final PrivateKey privateKey = InternalUtils.parsePrivateKey(TestUtils.getKeyString());

  final String aesEncryptedKey = generateAESKey(privateKey, passphrase.toCharArray());
  // bc-fips cannot produce a DES-encrypted RSA private key itself, so the DES sample is
  // loaded from the test profile instead of being generated here.
  final String desEncryptedKey = TestUtils.getDesRsaKey();

  // Baseline: before the mode switch both encodings parse.
  EncryptionUtils.parseEncryptedPrivateKey(aesEncryptedKey, passphrase);
  EncryptionUtils.parseEncryptedPrivateKey(desEncryptedKey, passphrase);

  // From here on only approved algorithms should be usable.
  CryptoServicesRegistrar.setApprovedOnlyMode(true);

  // AES is still accepted ...
  EncryptionUtils.parseEncryptedPrivateKey(aesEncryptedKey, passphrase);

  // ... while the DES-protected key must now fail.
  TestUtils.assertError(
      SnowflakeErrors.ERROR_0018,
      () -> EncryptionUtils.parseEncryptedPrivateKey(desEncryptedKey, passphrase));
}
Example 2
Source File: GenericCryptoModule.java From fido2 with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Creates the module wrapper, registers the BC-FIPS provider with the JVM and, when the
 * {@code fipsmode} flag visible to this class is set, switches BC-FIPS to approved-only mode.
 *
 * <p>{@link Security#addProvider} appends to the end of the provider list and does nothing if a
 * provider with the same name is already installed. Lookups that do not name a provider can
 * therefore still resolve to an earlier, non-FIPS provider.
 *
 * @param cryptomodule - The hardware cryptographic module
 */
public GenericCryptoModule(CryptoModule cryptomodule) {
    this.cryptomodule = cryptomodule;

    // JVM-wide registration; repeated construction re-attempts it and is ignored after the first.
    final BouncyCastleFipsProvider fipsProvider = new BouncyCastleFipsProvider();
    Security.addProvider(fipsProvider);

    // NOTE(review): fipsmode is declared outside this constructor - confirm where it is set.
    if (fipsmode) {
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }
}
Example 3
Source File: GenericCryptoModule.java From fido2 with GNU Lesser General Public License v2.1 | 5 votes |
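/**
 * Constructor for the class.
 *
 * <p>Registers the BC-FIPS provider with the JVM and, when {@code fipsmode} is true, switches
 * BC-FIPS to approved-only mode. {@link Security#addProvider} appends to the end of the provider
 * list, so lookups that do not name a provider can still resolve to an earlier, non-FIPS one.
 *
 * <p>NOTE(review): the {@code fipsmode} argument is only read here and is not stored on the
 * instance. Confirm whether the class-level {@code fipsmode} used by the single-argument
 * constructor is meant to reflect it.
 *
 * @param cryptomodule - The hardware cryptographic module
 * @param fipsmode - The fipsmode to set; must not be null
 * @throws NullPointerException if {@code fipsmode} is null
 */
public GenericCryptoModule(CryptoModule cryptomodule, Boolean fipsmode) {
    // A null flag would fail on unboxing anyway. Reject it first, with a clear message, so the
    // JVM-wide provider list is not modified by a call that then throws.
    java.util.Objects.requireNonNull(fipsmode, "fipsmode");

    Security.addProvider(new BouncyCastleFipsProvider());
    if (fipsmode) {
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }
    this.cryptomodule = cryptomodule;
}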
Example 4
Source File: ConnectionFipsIT.java From snowflake-jdbc with Apache License 2.0 | 4 votes |
/**
 * One-time test-class setup: reconfigures JVM-wide TLS system properties and the JCA provider
 * list so that BC-FIPS is the first provider, requires approved-only mode, and then attempts an
 * outbound SSL connection.
 *
 * <p>Statement order matters: each original property value and provider position is captured
 * before it is overwritten or removed. NOTE(review): the saved values are presumably restored in
 * a teardown that is not shown here - confirm, because every change below is process-wide.
 *
 * @throws Exception if FIPS is not ready, or if any step below fails
 */
@BeforeClass
public static void setup() throws Exception {
  // Turns on JSSE handshake debug output for the whole JVM; a diagnostic aid for this test.
  System.setProperty("javax.net.debug", "ssl");

  // get keystore types for BouncyCastle libraries
  JAVA_SYSTEM_PROPERTY_SSL_KEYSTORE_TYPE_ORIGINAL_VALUE =
      System.getProperty(JAVA_SYSTEM_PROPERTY_SSL_KEYSTORE_TYPE);
  JAVA_SYSTEM_PROPERTY_SSL_TRUSTSTORE_TYPE_ORIGINAL_VALUE =
      System.getProperty(JAVA_SYSTEM_PROPERTY_SSL_TRUSTSTORE_TYPE);

  // set keystore types for BouncyCastle libraries
  System.setProperty(JAVA_SYSTEM_PROPERTY_SSL_KEYSTORE_TYPE, JCE_KEYSTORE_BOUNCY_CASTLE);
  System.setProperty(JAVA_SYSTEM_PROPERTY_SSL_TRUSTSTORE_TYPE, JCE_KEYSTORE_JKS);

  // remove Java's standard encryption and SSL providers
  // The provider instances and their list positions are recorded first; indexOf yields -1 when
  // a provider was not installed (getProvider returned null).
  List<Provider> providers = Arrays.asList(Security.getProviders());
  JCE_PROVIDER_SUN_JCE_PROVIDER_VALUE = Security.getProvider(JCE_PROVIDER_SUN_JCE);
  JCE_PROVIDER_SUN_JCE_PROVIDER_POSITION =
      providers.indexOf(JCE_PROVIDER_SUN_JCE_PROVIDER_VALUE);
  JCE_PROVIDER_SUN_RSA_SIGN_PROVIDER_VALUE = Security.getProvider(JCE_PROVIDER_SUN_RSA_SIGN);
  JCE_PROVIDER_SUN_RSA_SIGN_PROVIDER_POSITION =
      providers.indexOf(JCE_PROVIDER_SUN_RSA_SIGN_PROVIDER_VALUE);
  Security.removeProvider(JCE_PROVIDER_SUN_JCE);
  Security.removeProvider(JCE_PROVIDER_SUN_RSA_SIGN);

  // workaround to connect to accounts.google.com over HTTPS, which consists
  // of disabling TLS 1.3 and disabling default SSL cipher suites that are
  // using CHACHA20_POLY1305 algorithms
  JAVA_SYSTEM_PROPERTY_SSL_PROTOCOLS_ORIGINAL_VALUE =
      System.getProperty(JAVA_SYSTEM_PROPERTY_SSL_PROTOCOLS);
  JAVA_SYSTEM_PROPERTY_SSL_CIPHERSUITES_ORIGINAL_VALUE =
      System.getProperty(JAVA_SYSTEM_PROPERTY_SSL_CIPHERSUITES);
  System.setProperty(JAVA_SYSTEM_PROPERTY_SSL_PROTOCOLS, SSL_ENABLED_PROTOCOLS);
  System.setProperty(JAVA_SYSTEM_PROPERTY_SSL_CIPHERSUITES, SSL_ENABLED_CIPHERSUITES);

  /*
   * Insert BouncyCastle's FIPS-compliant encryption and SSL providers.
   */
  BouncyCastleFipsProvider bcFipsProvider =
      new BouncyCastleFipsProvider(BOUNCY_CASTLE_RNG_HYBRID_MODE);

  /*
   * We remove BCFIPS provider pessimistically. This is a no-op if provider
   * does not exist. This is necessary to always add it to the first
   * position when calling insertProviderAt.
   *
   * JavaDoc for insertProviderAt states:
   * "A provider cannot be added if it is already installed."
   */
  Security.removeProvider(JCE_PROVIDER_BOUNCY_CASTLE_FIPS);
  Security.insertProviderAt(bcFipsProvider, 1);

  // Fail closed: if approved-only mode is not already on and the module does not report
  // ready, abort the test class rather than run the connection test in non-approved mode.
  if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
    if (FipsStatus.isReady()) {
      CryptoServicesRegistrar.setApprovedOnlyMode(true);
    } else {
      throw new RuntimeException("FIPS is not ready to be enabled and FIPS " + "mode is required for this test to run");
    }
  }

  // attempts an SSL connection to Google
  connectToGoogle();
}
Example 5
Source File: CredHubApp.java From credhub with Apache License 2.0 | 4 votes |
/**
 * Application entry point: switches BC-FIPS to approved-only mode, then boots the Spring
 * application.
 *
 * <p>NOTE(review): the BC-FIPS documentation describes this switch in terms of the calling
 * thread. Confirm that request-handling threads also run in approved-only mode for the library
 * version in use. BC-FIPS also documents the {@code org.bouncycastle.fips.approved_only} system
 * property for a JVM-wide default.
 *
 * @param args command-line arguments, passed through to Spring
 */
public static void main(final String[] args) {
  // Must happen before Spring starts, so that nothing created during startup runs before the
  // restriction is in place.
  CryptoServicesRegistrar.setApprovedOnlyMode(true);

  SpringApplication.run(CredHubApp.class, args);
}