From e71a5e7696302332c274d3715f119a22972578a7 Mon Sep 17 00:00:00 2001 From: d036670 Date: Sat, 27 Jan 2024 15:58:17 +0100 Subject: [PATCH] Refactor BouncyCastleProvider to BouncyCastleFipsProvider Solves issue https://github.com/cloudfoundry/uaa/issues/2230 --- dependencies.gradle | 6 ++-- .../identity/uaa/cypto/EncryptionService.java | 23 ++++++++------- .../identity/uaa/oauth/KeyInfo.java | 2 ++ .../identity/uaa/oauth/jwt/JwtHelper.java | 3 +- .../identity/uaa/util/KeyWithCert.java | 28 +++++++++++-------- .../identity/uaa/util/SocketUtils.java | 4 +-- ...entityZoneConfigurationBootstrapTests.java | 4 +-- .../identity/uaa/login/AddBcProvider.java | 4 +-- ...rGoogleMfaCredentialsProvisioningTest.java | 2 ++ .../oauth/token/Saml2TokenGranterTest.java | 2 +- .../saml/SamlConfigurationBeanTest.java | 4 +-- .../saml/SamlKeyManagerFactoryTests.java | 4 +-- .../saml/ZoneAwareMetadataGeneratorTests.java | 4 +-- .../identity/uaa/util/KeyWithCertTest.java | 7 ++--- ...entityZoneConfigurationValidatorTests.java | 4 +-- .../WEB-INF/spring/multitenant-endpoints.xml | 2 +- 16 files changed, 57 insertions(+), 46 deletions(-) diff --git a/dependencies.gradle b/dependencies.gradle index 1984c5b61b3..686faece4ca 100644 --- a/dependencies.gradle +++ b/dependencies.gradle @@ -6,7 +6,7 @@ ext { // Versions shared between multiple dependencies versions.aspectJVersion = "1.9.4" versions.apacheDsVersion = "2.0.0.AM27" -versions.bouncyCastleVersion = "1.77" +versions.bouncyCastleVersion = "1.0.2.4" versions.hamcrestVersion = "2.2" versions.springBootVersion = "2.7.18" versions.springFrameworkVersion = "5.3.31" 
@@ -43,8 +43,8 @@ libraries.apacheDsProtocolLdap = "org.apache.directory.server:apacheds-protocol- libraries.apacheLdapApi = "org.apache.directory.api:api-ldap-model:2.1.5" libraries.aspectJRt = "org.aspectj:aspectjrt" libraries.aspectJWeaver = "org.aspectj:aspectjweaver" -libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-jdk18on:${versions.bouncyCastleVersion}" -libraries.bouncyCastleProv = "org.bouncycastle:bcprov-jdk18on:${versions.bouncyCastleVersion}" +libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-fips:1.0.7" +libraries.bouncyCastleProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleVersion}" libraries.braveInstrumentationSpringWebmvc = "io.zipkin.brave:brave-instrumentation-spring-webmvc:${versions.braveVersion}" libraries.braveContextSlf4j = "io.zipkin.brave:brave-context-slf4j:${versions.braveVersion}" libraries.commonsIo = "commons-io:commons-io:2.15.1" diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/cypto/EncryptionService.java b/server/src/main/java/org/cloudfoundry/identity/uaa/cypto/EncryptionService.java index cda1531ecd0..9d206bc247e 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/cypto/EncryptionService.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/cypto/EncryptionService.java @@ -1,8 +1,10 @@ package org.cloudfoundry.identity.uaa.cypto; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.crypto.PasswordBasedDeriver; +import org.bouncycastle.crypto.PasswordConverter; +import org.bouncycastle.crypto.fips.FipsPBKD; +import org.bouncycastle.crypto.fips.FipsSHS; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.bouncycastle.util.Arrays; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
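Review bot: `bcpkix-fips` is pinned inline as `1.0.7` while `bc-fips` goes through `versions.bouncyCastleVersion`, so the two FIPS artifacts, which have to be upgraded in lockstep, are now versioned in two different places; a second variable such as `versions.bouncyCastlePkixFipsVersion = "1.0.7"` next to the existing one keeps them together. The variable name `bouncyCastleVersion` now carries a bc-fips version rather than a bcprov one, which is easy to misread when the next bump comes. Also worth checking in the dependency report that no other library still pulls `bcprov-jdk18on` transitively: bc-fips and bcprov share `org.bouncycastle` package names, and having both on one classpath yields whichever class loads first.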
@@ -12,8 +14,6 @@ import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.SecretKeySpec; import java.io.ByteArrayInputStream; -import java.io.UnsupportedEncodingException; -import java.nio.charset.StandardCharsets; import java.security.SecureRandom; public class EncryptionService { @@ -40,7 +40,7 @@ public byte[] encrypt(String plaintext) throws EncryptionServiceException { SecretKey key = new SecretKeySpec(generateKey(newSalt), CIPHER); - Cipher myCipher = Cipher.getInstance(CIPHERSCHEME); + Cipher myCipher = Cipher.getInstance(CIPHERSCHEME, BouncyCastleFipsProvider.PROVIDER_NAME); byte[] newNonce = generateRandomArray(GCM_IV_NONCE_SIZE_BYTES); GCMParameterSpec spec = new GCMParameterSpec(GCM_AUTHENTICATION_TAG_SIZE_BITS, newNonce); @@ -84,9 +84,12 @@ private byte[] generateRandomArray(int sizeInBytes) { } private byte[] generateKey(byte[] salt) { - PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest()); - - gen.init(this.passphrase.getBytes(StandardCharsets.UTF_8), salt, PBKDF2_ITERATIONS); - return ((KeyParameter) gen.generateDerivedParameters(AES_KEY_LENGTH_BITS)).getKey(); + PasswordBasedDeriver gen = new FipsPBKD.DeriverFactory().createDeriver( + FipsPBKD.PBKDF2.using(FipsSHS.Algorithm.SHA256_HMAC, + PasswordConverter.UTF8.convert(this.passphrase.toCharArray())) + .withIterationCount(PBKDF2_ITERATIONS) + .withSalt(salt) + ); + return gen.deriveKey(PasswordBasedDeriver.KeyType.CIPHER, (AES_KEY_LENGTH_BITS + 7) / 8); } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java index 7c75fb891b1..f7fc4c0ed93 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java 
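Review bot: `Cipher.getInstance(CIPHERSCHEME, BouncyCastleFipsProvider.PROVIDER_NAME)` throws `NoSuchProviderException` unless the BCFIPS provider has already been registered with `Security.addProvider`, and nothing in this class registers it; the fact that `JdbcUserGoogleMfaCredentialsProvisioningTest` in this same diff had to add `Security.addProvider(new BouncyCastleFipsProvider())` in `@BeforeAll` suggests production callers now depend on some other component doing that first. Either register the provider where the service is constructed, or state the precondition in the class Javadoc: `Requires the BCFIPS provider to be registered before use; see SocketUtils/AddBcProvider for how it is installed.` The `encrypt` body starts and ends outside the hunk, so I cannot see whether its existing catch clause covers the new `NoSuchProviderException`.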
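Review bot: `generateKey` must keep producing byte-identical keys to the old `PKCS5S2ParametersGenerator(new SHA256Digest())` path, otherwise data encrypted before this change can no longer be decrypted; the new code looks equivalent (both are PBKDF2-HMAC-SHA256 over the UTF-8 passphrase bytes), but nothing on the page pins that, so a test that decrypts a ciphertext and salt captured from the old implementation would catch a regression. BC-FIPS in approved-only mode also enforces minimum password and salt lengths for PBKDF2 (I recall 14 and 16 bytes respectively; confirm against the BC-FIPS user guide), so a short configured passphrase would start failing at runtime rather than silently working. A one-line comment on the last line, `// deriveKey takes the key length in bytes`, would explain the `(AES_KEY_LENGTH_BITS + 7) / 8` expression.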
@@ -6,6 +6,7 @@ import com.nimbusds.jose.JWSSigner; import com.nimbusds.jose.crypto.ECDSASigner; import com.nimbusds.jose.crypto.RSASSASigner; +import com.nimbusds.jose.crypto.bc.BouncyCastleFIPSProviderSingleton; import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWKParameterNames; import com.nimbusds.jose.jwk.OctetSequenceKey; @@ -81,6 +82,7 @@ public KeyInfo(String keyId, String signingKey, String keyUrl, String sigAlg, St } this.verifierCertificate = getValidX509Certificate(signingCert); this.verifierKey = JsonWebKey.pemEncodePublicKey(keyPair.getPublic()).orElse(null); + this.signer.getJCAContext().setProvider(BouncyCastleFIPSProviderSingleton.getInstance()); } else { jwk = new OctetSequenceKey.Builder(signingKey.getBytes()).build(); algorithm = Optional.ofNullable(sigAlg).orElse(JWSAlgorithm.HS256.getName()); diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtHelper.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtHelper.java index 98fa3b8f5c5..ad41b68a9c0 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtHelper.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtHelper.java @@ -7,6 +7,7 @@ import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSSigner; import com.nimbusds.jose.KeyLengthException; +import com.nimbusds.jose.crypto.bc.BouncyCastleFIPSProviderSingleton; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.source.ImmutableJWKSet; import com.nimbusds.jose.jwk.source.JWKSource; 
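Review bot: the BCFIPS provider is attached to `this.signer` only in the asymmetric branch; the `else` branch that builds an `OctetSequenceKey` (HMAC) signer gets no `getJCAContext().setProvider(...)`, so HS256 signing still runs on whatever default JCA provider resolves `HmacSHA256`. If the intent is that all JWT signing goes through BCFIPS, set the provider once after both branches instead of inside the `if`; if HMAC is deliberately left on the default provider, a comment saying so would stop the next reader from "fixing" it. The constructor continues outside the hunk, so I cannot tell whether a verifier built from `verifierKey` gets the same treatment.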
@@ -257,7 +258,7 @@ private JWTClaimsSet validateClientJWToken(JWT jwtAssertion, JWKSet jwkSet) { ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor<>(); jwtProcessor.setJWSKeySelector(keySelector); jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(null, null)); - + jwtProcessor.getJWSVerifierFactory().getJCAContext().setProvider(BouncyCastleFIPSProviderSingleton.getInstance()); try { return jwtProcessor.process(jwtAssertion, null); } catch (BadJWSException | BadJWTException jwtException) { // signature failed diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/util/KeyWithCert.java b/server/src/main/java/org/cloudfoundry/identity/uaa/util/KeyWithCert.java index 297a1e30625..40fd2c5b256 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/util/KeyWithCert.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/util/KeyWithCert.java @@ -3,6 +3,7 @@ import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.bouncycastle.openssl.PEMDecryptorProvider; import org.bouncycastle.openssl.PEMEncryptedKeyPair; import org.bouncycastle.openssl.PEMKeyPair; @@ -20,6 +21,8 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import static org.cloudfoundry.identity.uaa.oauth.jwt.JwtAlgorithms.DEFAULT_RSA; + public class KeyWithCert { private X509Certificate certificate; private PrivateKey privateKey; 
@@ -53,16 +56,8 @@ public PrivateKey getPrivateKey() { private boolean keysMatch(PublicKey publicKey, PrivateKey privateKey) { byte[] data = {42}; - String privateKeyAlgorithm = privateKey.getAlgorithm(); - String publicKeyAlgorithm = publicKey.getAlgorithm(); - - if (privateKeyAlgorithm.equals("EC")) { - privateKeyAlgorithm = "ECDSA"; - } - - if (publicKeyAlgorithm.equals("EC")) { - publicKeyAlgorithm = "ECDSA"; - } + String privateKeyAlgorithm = getJavaAlgorithm(privateKey.getAlgorithm()); + String publicKeyAlgorithm = getJavaAlgorithm(publicKey.getAlgorithm()); try { Signature sig = Signature.getInstance(privateKeyAlgorithm); @@ -81,10 +76,19 @@ private boolean keysMatch(PublicKey publicKey, PrivateKey privateKey) { } } + private static String getJavaAlgorithm(String publicKeyAlgorithm) { + if ("EC".equals(publicKeyAlgorithm)) { + publicKeyAlgorithm = "ECDSA"; + } else if ("RSA".equals(publicKeyAlgorithm)) { + publicKeyAlgorithm = DEFAULT_RSA; + } + return publicKeyAlgorithm; + } + private PrivateKey loadPrivateKey(String encodedPrivateKey, String passphrase) throws CertificateException { PrivateKey privateKey = null; try (PEMParser pemParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(encodedPrivateKey.getBytes())))) { - JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC"); + JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME); Object object = pemParser.readObject(); 
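Review bot: `getJavaAlgorithm` maps `EC` to the provider alias `ECDSA` but `RSA` to the explicit digest-plus-algorithm name `DEFAULT_RSA`; what `ECDSA` resolves to is provider-specific, and under a FIPS provider in approved-only mode an alias that means SHA-1 would be rejected, so mapping EC to an explicit name such as `SHA256withECDSA` removes the dependence on the alias. The parameter is named `publicKeyAlgorithm` although `keysMatch` passes the private key's algorithm through it as well, and it is reassigned in place; renaming it `keyAlgorithm`, returning from each branch, and adding a Javadoc such as `Translates a Key algorithm name into the Signature algorithm name used for the key-pair consistency check` would read better. `loadPrivateKey` continues outside the hunk.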
@@ -116,7 +120,7 @@ private X509Certificate loadCertificate(String encodedCertificate) throws Certif try (PEMParser pemParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(encodedCertificate.getBytes())))) { Object object = pemParser.readObject(); if (object instanceof X509CertificateHolder) { - certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder) object); + certificate = new JcaX509CertificateConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME).getCertificate((X509CertificateHolder) object); } else { throw new CertificateException("Unsupported certificate type, not an X509CertificateHolder."); } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/util/SocketUtils.java b/server/src/main/java/org/cloudfoundry/identity/uaa/util/SocketUtils.java index d1e82766849..83f1c3ec0cb 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/util/SocketUtils.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/util/SocketUtils.java @@ -32,14 +32,14 @@ public class SocketUtils { - private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME; + private static final String BC = org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.PROVIDER_NAME; public static X509Certificate getSelfCertificate(KeyPair keyPair, String organisation, String orgUnit, String commonName, Date issueDate, long validForSeconds, String signatureAlgorithm) throws CertificateException, InvalidKeyException, SignatureException, NoSuchAlgorithmException, NoSuchProviderException { try { - Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider()); X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE); builder.addRDN(BCStyle.OU, orgUnit); 
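Review bot: the constant is still named `BC` although its new value is `BouncyCastleFipsProvider.PROVIDER_NAME`, which is a different provider name from the one the old `BouncyCastleProvider` registered; renaming it `BCFIPS` keeps every call site that reads it honest about which provider it selects. The replaced `Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider())` still runs on every `getSelfCertificate` call; `addProvider` returns -1 when the provider is already installed so this is harmless, but a static initializer, as the test helper `AddBcProvider` in this diff does, would register it once. `getSelfCertificate` continues outside the hunk.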
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java index dc846518e1a..df6beb52ad4 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java @@ -1,6 +1,6 @@ package org.cloudfoundry.identity.uaa.config; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.cloudfoundry.identity.uaa.annotations.WithDatabaseContext; import org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap; import org.cloudfoundry.identity.uaa.login.Prompt; @@ -94,7 +94,7 @@ void configureProvisioning(@Autowired JdbcTemplate jdbcTemplate) throws SQLExcep bootstrap.setValidator(validator); //For the SamlTestUtils keys we are using. - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); } @Test diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java index 13ca69d6348..8f001d4b35c 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java 
@@ -12,14 +12,14 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.login; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import java.security.Security; public class AddBcProvider { static { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); } public static void noop() { diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/mfa/JdbcUserGoogleMfaCredentialsProvisioningTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/mfa/JdbcUserGoogleMfaCredentialsProvisioningTest.java index f10903e90bb..ad6c7e8ca01 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/mfa/JdbcUserGoogleMfaCredentialsProvisioningTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/mfa/JdbcUserGoogleMfaCredentialsProvisioningTest.java @@ -2,6 +2,7 @@ import com.google.common.collect.Lists; import org.apache.commons.lang3.StringUtils; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.cloudfoundry.identity.uaa.annotations.WithDatabaseContext; import org.cloudfoundry.identity.uaa.cypto.EncryptionKeyService; import org.cloudfoundry.identity.uaa.cypto.EncryptionServiceException; @@ -54,6 +55,7 @@ class JdbcUserGoogleMfaCredentialsProvisioningTest { @BeforeAll static void key() { + Security.addProvider(new BouncyCastleFipsProvider()); Security.setProperty("crypto.policy", "unlimited"); } diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java index 056ee37f5b8..87225d39b82 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java 
@@ -116,7 +116,7 @@ public void setup() { MockHttpServletRequest request = new MockHttpServletRequest(); ServletRequestAttributes attrs = new ServletRequestAttributes(request); RequestContextHolder.setRequestAttributes(attrs); - Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider()); userAuthentication = mock(UaaAuthentication.class); granter = new Saml2TokenGranter( diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java index a27ed1bb486..0716eec6959 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java @@ -14,7 +14,7 @@ */ package org.cloudfoundry.identity.uaa.provider.saml; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.junit.BeforeClass; import org.junit.Test; import org.opensaml.DefaultBootstrap; @@ -30,7 +30,7 @@ public class SamlConfigurationBeanTest { @BeforeClass public static void initVM() throws Exception { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); DefaultBootstrap.bootstrap(); } diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java index 42c85bd0d9c..cd994f10ce3 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java 
@@ -1,6 +1,6 @@ package org.cloudfoundry.identity.uaa.provider.saml; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.cloudfoundry.identity.uaa.saml.SamlKey; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; import org.cloudfoundry.identity.uaa.zone.MultitenancyFixture; @@ -169,7 +169,7 @@ public class SamlKeyManagerFactoryTests { @BeforeAll static void addBCProvider() { try { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); } catch (SecurityException e) { e.printStackTrace(); System.err.println("Ignoring provider error, may already be added."); diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java index 7fa2c1f823f..25ac5b0d0e2 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java @@ -1,6 +1,6 @@ package org.cloudfoundry.identity.uaa.provider.saml; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.cloudfoundry.identity.uaa.provider.saml.idp.SamlTestUtils; import org.cloudfoundry.identity.uaa.saml.SamlKey; import org.cloudfoundry.identity.uaa.extensions.PollutionPreventionExtension; 
@@ -49,7 +49,7 @@ public class ZoneAwareMetadataGeneratorTests { @BeforeAll static void bootstrap() throws Exception { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); DefaultBootstrap.bootstrap(); NamedKeyInfoGeneratorManager keyInfoGeneratorManager = Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager(); keyInfoGeneratorManager.getManager(SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR); diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/util/KeyWithCertTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/util/KeyWithCertTest.java index d4df0345cdc..742c4c5cc78 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/util/KeyWithCertTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/util/KeyWithCertTest.java @@ -12,8 +12,7 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.util; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.junit.BeforeClass; import org.junit.Test; @@ -26,7 +25,7 @@ public class KeyWithCertTest { @BeforeClass public static void addProvider() { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); } public static final String key = "-----BEGIN RSA PRIVATE KEY-----\n" + @@ -183,7 +182,7 @@ public static void addProvider() { "y9mayfAcKPti4MbPR6ADAo9NxKbdsZjA138=\n" + "-----END PRIVATE KEY-----\n"; - @Test(expected = DecoderException.class) + @Test(expected = CertificateException.class) public void testInvalidCert() throws Exception { new KeyWithCert(key, password, invalidCert); } 
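Review bot: widening the expected type to `CertificateException` makes `testInvalidCert` pass for any `CertificateException`, including the `Unsupported certificate type, not an X509CertificateHolder.` branch of `loadCertificate` in this diff, so it no longer distinguishes a malformed PEM from a well-formed PEM holding the wrong object. If the JUnit 4 version in use has `assertThrows`, `CertificateException e = assertThrows(CertificateException.class, () -> new KeyWithCert(key, password, invalidCert));` followed by an assertion on `e.getMessage()` pins the intended path.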
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidatorTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidatorTests.java index 373fef678ef..2b957ce64e3 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidatorTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidatorTests.java @@ -12,7 +12,7 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.zone; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.cloudfoundry.identity.uaa.saml.SamlKey; import org.junit.After; import org.junit.Before; @@ -202,7 +202,7 @@ public GeneralIdentityZoneConfigurationValidatorTests(IdentityZoneValidator.Mode @BeforeClass public static void addBCProvider() { try { - Security.addProvider(new BouncyCastleProvider()); + Security.addProvider(new BouncyCastleFipsProvider()); } catch (SecurityException e) { e.printStackTrace(); System.err.println("Ignoring provider error, may already be added."); diff --git a/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml index e89d9ac5c20..de9f3e1346a 100644 --- a/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml @@ -11,7 +11,7 @@ - +