Conversation

fzakaria

Some changes I made internally at our company to support FIPS.
We are on a pretty old version, but are upstreaming the changes in case other people find them useful.

elecharny and others added 2 commits April 28, 2015 20:58
Modify TlsKeyGenerator to support the BouncyCastle FIPS provider.
Additional changes
* key size expanded
* methods that create X509 were modified
import java.security.spec.X509EncodedKeySpec;
import java.util.Date;

import javax.security.auth.x500.X500Principal;

I think we should keep the order of import as is (to conform with the code style of this repo)

/**
* Generates the default RSA key pair for the server.
*
* @see https://github.com/apache/directory-server/blob/2.0.0-M20/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
This comment is a bit superfluous I think, please remove this.

*/
public class TlsKeyGenerator
@SuppressWarnings("all")
public final class TlsKeyGenerator
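Review bot: `@SuppressWarnings("all")` on the class declaration silences every compiler warning in the file, including the deprecation and unchecked warnings on the key and X509 code this change touches; remove it, or narrow it to the one warning category that is actually noisy. If `final` is meant to mark this as a static utility class, pair it with a private constructor; otherwise it is an unrelated API change and does not belong in a FIPS patch.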

Is there a reason to make this a final class?

static
{
Security.addProvider( new BouncyCastleProvider() );
System.out.println("Using a modified version of TlsKeyGenerator to ensure Bouncy Castle FIPS provider is used.");
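Review bot: the message printed here says the Bouncy Castle FIPS provider is being ensured, but the line above registers `BouncyCastleProvider`, which is the class name of the standard, non-FIPS Bouncy Castle provider; the FIPS provider class is `BouncyCastleFipsProvider` (provider name `BCFIPS`). Also, `Security.addProvider` appends the provider at the lowest priority, so any provider already registered for RSA or X.509 still wins; use `Security.insertProviderAt(provider, 1)` or, better, request the provider by name (`KeyPairGenerator.getInstance("RSA", "BCFIPS")`) so the choice does not depend on provider-list order. The `System.out.println` should go through the class's LOG.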

Please use LOG for this.

* http://www.apache.org/licenses/exports
*/
private static final int KEY_SIZE = 512;
private static final int KEY_SIZE = 1024;
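Review bot: 1024 bits is the smallest modulus that gets past a FIPS provider's checks, but it is not a defensible size for the server's default TLS key: NIST SP 800-131A disallows RSA signature generation with moduli shorter than 2048 bits, and signing is exactly what a TLS server key does on every handshake. Suggest `private static final int KEY_SIZE = 2048;` here, which also settles the question of whether the bump from 512 is needed.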

Is this change required?

Author

Yes, FIPS requires a 1024+ key size.

<configuration>
<source>1.7</source>
<target>1.7</target>
<source>1.8</source>
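Review bot: in the lines shown `<source>` moves to 1.8 while `<target>` stays at 1.7, and javac rejects that combination with `source release 8 requires target release 1.8`; if the target bump is in a part of the diff not shown here this is fine, otherwise both lines should change together. Raising the language level also drops Java 7 for every consumer of this module, which is a separate decision from FIPS support and would be easier to accept as its own commit.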

Is it OK to keep 1.7?

Author

I couldn't compile anymore unless this was set.
1.7 is not supported on my JDK. The authors can reject this part of the contribution.

@elecharny
Contributor

Thanks, will have a look at it!

@fzakaria
Author

Thanks, will have a look at it!

I mostly wanted to share my fixes for anyone else struggling with FIPS compliance; I am not sure of the repo's stance on FIPS generally.
If you think this can be merged upstream, I can do more work to clean it up as needed.
