From 5ece4cfd2bc26006e78b0e6359fb51631a41d083 Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Sat, 31 Aug 2024 09:24:45 +1000
Subject: [PATCH 1/2] Add option to be able to use BCFIPS when BC is blocked in a FIPS environment

Signed-off-by: Olivier Lamy
---
 .../common/util/security/SecurityUtils.java | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
index afb03a48b..266b4d59e 100644
--- a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
@@ -92,7 +92,8 @@ public final class SecurityUtils {
 /**
 * Bouncycastle JCE provider name
 */
- public static final String BOUNCY_CASTLE = "BC";
+ public static final String BOUNCY_CASTLE
+ = System.getProperty("org.apache.sshd.common.util.security.bouncycastle.provider.name", "BC");

 /**
 * EDDSA support - should match {@code EdDSAKey.KEY_ALGORITHM}
@@ -165,6 +166,12 @@ public final class SecurityUtils {

 public static final String PROP_DEFAULT_SECURITY_PROVIDER = "org.apache.sshd.security.defaultProvider";

+ /**
+ * class name of the default random factory to use, the class must have a default empty constructor. If empty
+ * standard algorithm will be used
+ */
+ public static final String PROP_RANDOM_FACTORY_CLASS = "org.apache.sshd.random.defaultFactory";
+
 private static final AtomicInteger MIN_DHG_KEY_SIZE_HOLDER = new AtomicInteger(0);
 private static final AtomicInteger MAX_DHG_KEY_SIZE_HOLDER = new AtomicInteger(0);

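Review bot: In the first hunk `BOUNCY_CASTLE` is now initialised from `System.getProperty(...)` when `SecurityUtils` is loaded, so it is no longer a compile-time constant and a property set after class initialisation is silently ignored; the Javadoc above it still says only "Bouncycastle JCE provider name". The value is also taken as-is, so an empty or mistyped name becomes the provider name with no early failure visible in this hunk. I would give the key its own documented constant next to `PROP_DEFAULT_SECURITY_PROVIDER` and extend the comment, e.g. `/** Bouncycastle JCE provider name; may be overridden (e.g. "BCFIPS") through a system property that is read once at class load */`.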
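Review bot: The Javadoc added for `PROP_RANDOM_FACTORY_CLASS` in the second hunk says an empty value falls back to the standard algorithm, but the `getRandomFactory()` hunk of this same patch tests only `factoryClassName != null`, so an empty property value is handed to `ThreadUtils.createDefaultInstance`. Either the guard should become `if (factoryClassName != null && !factoryClassName.isEmpty()) {` or the comment should say "If not set". The comment would also read better starting with a capital and naming the expected type, e.g. `Class name of the {@link RandomFactory} implementation to use; it must have a no-argument constructor.`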
@@ -552,6 +559,16 @@ public static Decryptor getBouncycastleEncryptedPrivateKeyInfoDecryptor() {
 * {@link JceRandomFactory} one
 */
 public static RandomFactory getRandomFactory() {
+ String factoryClassName = System.getProperty(PROP_RANDOM_FACTORY_CLASS);
+ if (factoryClassName != null) {
+ try {
+ return ThreadUtils.createDefaultInstance(SecurityUtils.class, RandomFactory.class,
+ factoryClassName);
+ } catch (ReflectiveOperationException e) {
+ throw new IllegalArgumentException("instance of " + factoryClassName + " cannot be created");
+ }
+ }
+
 if (isBouncyCastleRegistered()) {
 return BouncyCastleRandomFactory.INSTANCE;
 } else {

From 3bc2a69014c704ebc9cc1a0ab1e03202edc9915c Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Mon, 2 Sep 2024 06:49:34 +1000
Subject: [PATCH 2/2] use ServiceLoader to get a RandomFactory

Signed-off-by: Olivier Lamy
---
 .../sshd/common/util/security/SecurityUtils.java | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
index 266b4d59e..1395a47cd 100644
--- a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
@@ -43,6 +43,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.ServiceLoader;
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.TreeSet;
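Review bot: In `getRandomFactory()` (patch 1/2) the catch block drops the `ReflectiveOperationException`, so a misconfigured `org.apache.sshd.random.defaultFactory` surfaces without the underlying reason; pass it on as the cause: `throw new IllegalArgumentException("instance of " + factoryClassName + " cannot be created", e);`. Since the class named in the property becomes the `RandomFactory` returned to callers, the method Javadoc should also say that the system property takes precedence over the Bouncy Castle / JCE selection, which helps anyone auditing where randomness comes from. The method body continues past the end of the hunk.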
@@ -559,16 +560,10 @@ public static Decryptor getBouncycastleEncryptedPrivateKeyInfoDecryptor() {
 * {@link JceRandomFactory} one
 */
 public static RandomFactory getRandomFactory() {
- String factoryClassName = System.getProperty(PROP_RANDOM_FACTORY_CLASS);
- if (factoryClassName != null) {
- try {
- return ThreadUtils.createDefaultInstance(SecurityUtils.class, RandomFactory.class,
- factoryClassName);
- } catch (ReflectiveOperationException e) {
- throw new IllegalArgumentException("instance of " + factoryClassName + " cannot be created");
- }
+ RandomFactory randomFactory = ServiceLoader.load(RandomFactory.class).iterator().next();
+ if (randomFactory != null) {
+ return randomFactory;
 }
-
 if (isBouncyCastleRegistered()) {
 return BouncyCastleRandomFactory.INSTANCE;
 } else {
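Review bot: `ServiceLoader.load(RandomFactory.class).iterator().next()` throws `NoSuchElementException` when no provider is registered, so on a classpath without a matching `META-INF/services` entry the Bouncy Castle / JCE fallback below is never reached, and the `randomFactory != null` test is dead because `next()` does not return null. Guard the lookup instead, e.g. `Iterator<RandomFactory> it = ServiceLoader.load(RandomFactory.class).iterator();` followed by `if (it.hasNext()) { return it.next(); }`; this needs `java.util.Iterator`, whose import is not visible in these hunks. Because the first provider found now decides the random source, the Javadoc should state that precedence, and it is worth deciding whether several registered providers should be logged or rejected rather than resolved by classpath order. `PROP_RANDOM_FACTORY_CLASS` from patch 1/2 does not appear to be removed here and would then document a property that is no longer read. The method body continues outside the hunk.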