Merge pull request OpenLiberty#12 from utle/FIPSwork-audit

Fips work audit
utle · Nov 13, 2024 · 8d27f64 · 8d27f64
2 parents 5946a39 + 45259ba
commit 8d27f64
Show file tree

Hide file tree

Showing 9 changed files with 238 additions and 131 deletions.
diff --git a/dev/com.ibm.ws.kernel.service/src/com/ibm/ws/common/crypto/CryptoUtils.java b/dev/com.ibm.ws.kernel.service/src/com/ibm/ws/common/crypto/CryptoUtils.java
@@ -358,6 +358,9 @@ public static boolean isFIPSEnabled() {
         } else {
             fipsEnabled = isFips140_2Enabled() || isFips140_3Enabled();
             fipsChecked = true;
+            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
+                Tr.debug(tc, "isFIPSEnabled: " + fipsEnabled);
+            }
             return fipsEnabled;
         }
     }

diff --git a/dev/com.ibm.ws.security.audit.file/src/com/ibm/ws/security/audit/file/AuditFileHandler.java b/dev/com.ibm.ws.security.audit.file/src/com/ibm/ws/security/audit/file/AuditFileHandler.java
@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2018, 2019, 2022 IBM Corporation and others.
+ * Copyright (c) 2018, 2019, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -60,8 +60,8 @@
 import com.ibm.ws.security.audit.logutils.FileLog;
 import com.ibm.ws.ssl.KeyStoreService;
 import com.ibm.wsspi.collector.manager.BufferManager;
-import com.ibm.wsspi.collector.manager.Handler;
 import com.ibm.wsspi.collector.manager.CollectorManager;
+import com.ibm.wsspi.collector.manager.Handler;
 import com.ibm.wsspi.collector.manager.SynchronousHandler;
 import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
 import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
@@ -224,6 +224,7 @@ protected void activate(ComponentContext cc) throws KeyStoreException, AuditEncr
         Map<String, Object> configuration = (Map) cc.getProperties();
         thisConfiguration = configuration;
 
+        //TODO: UTLE - new config option to enable FIPS 140-3 or just use SSL config?
         if (configuration != null && !configuration.isEmpty()) {
             for (Map.Entry<String, Object> entry : configuration.entrySet()) {
                 String key = entry.getKey();
@@ -438,7 +439,7 @@ private String mapToJSONString(Map<String, Object> eventMap) {
     /**
      * Given a Map, add the corresponding JSON to the given JSONObject.
      *
-     * @param jo - JSONObject
+     * @param jo  - JSONObject
      * @param map - Java Map object
      */
     private JSONObject map2JSON(JSONObject jo, Map<String, Object> map) {
@@ -504,7 +505,7 @@ private JSONObject map2JSON(JSONObject jo, Map<String, Object> map) {
     /**
      * Given a Java array, add the corresponding JSON to the given JSONArray object
      *
-     * @param ja - JSONArray object
+     * @param ja    - JSONArray object
      * @param array - Java array object
      */
     private JSONArray array2JSON(JSONArray ja, Object[] array) {

diff --git a/...m.ws.security.audit.reader/src/com/ibm/ws/security/audit/reader/tasks/AuditLogReader.java b/...m.ws.security.audit.reader/src/com/ibm/ws/security/audit/reader/tasks/AuditLogReader.java
@@ -4,7 +4,7 @@
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -29,6 +29,7 @@
 
 import com.ibm.websphere.ras.Tr;
 import com.ibm.websphere.ras.TraceComponent;
+import com.ibm.ws.common.crypto.CryptoUtils;
 import com.ibm.ws.common.encoder.Base64Coder;
 import com.ibm.ws.security.audit.encryption.AuditEncryptionImpl;
 import com.ibm.ws.security.audit.encryption.AuditSigningImpl;
@@ -443,11 +444,17 @@ public static void processRecord(FileReader file_reader, boolean signedLog, bool
         boolean startOfRecord = false;
         int num_captured_records = 0;
         String rec = null;
-
+        if (debugEnabled) {
+            theLogger.fine("processRecord: decryptedSharedKey: " + decryptedSharedKey);
+            theLogger.fine("processRecord: file_reader: " + file_reader.toString());
+        }
         try {
             do {
                 inByte = file_reader.read();
                 if (inByte != -1) {
+                    if (debugEnabled)
+                        theLogger.fine("processRecord: inByte: " + inByte);
+
                     auditRecord = auditRecord.concat(Character.toString((char) inByte));
 
                     if (startOfRecord) {
@@ -506,8 +513,12 @@ public static void processRecord(FileReader file_reader, boolean signedLog, bool
                         } else if (!signedLog && encryptedLog) {
 
                             // Recreate the shared key
-                            javax.crypto.spec.SecretKeySpec recreatedSharedKey = new javax.crypto.spec.SecretKeySpec(decryptedSharedKey, "DESede");
-                            // Decrypt the record
+                            String algorithm = CryptoUtils.getEncryptionAlgorithm();
+
+                            if (debugEnabled) {
+                                theLogger.fine("processRecord: recreate shared key with algoritm: " + algorithm);
+                            }
+                            javax.crypto.spec.SecretKeySpec recreatedSharedKey = new javax.crypto.spec.SecretKeySpec(decryptedSharedKey, algorithm);
 
                             byte[] decryptedRecord = ae.decrypt(decodedRecord, recreatedSharedKey);
                             if (decryptedRecord != null) {
@@ -525,13 +536,15 @@ public static void processRecord(FileReader file_reader, boolean signedLog, bool
                                     break;
                                 }
                             }
+                            String algorithm = CryptoUtils.getEncryptionAlgorithm();
 
-                            // Recreate the shared key
+                            if (debugEnabled)
+                                theLogger.fine("processRecord: recreate shared key with algorithm: " + algorithm);
 
-                            javax.crypto.spec.SecretKeySpec recreatedSharedKey = new javax.crypto.spec.SecretKeySpec(decryptedSharedKey, "DESede");
+                            // Recreate the shared key
+                            javax.crypto.spec.SecretKeySpec recreatedSharedKey = new javax.crypto.spec.SecretKeySpec(decryptedSharedKey, algorithm);
 
                             // Decrypt the record
-
                             if (tc.isDebugEnabled()) {
                                 byte[] rkey = ((java.security.Key) recreatedSharedKey).getEncoded();
                             }

diff --git a/dev/com.ibm.ws.security.audit.source/bnd.bnd b/dev/com.ibm.ws.security.audit.source/bnd.bnd
@@ -32,7 +32,7 @@ Private-Package: \
    com.ibm.ws.security.audit.source.internal.resources
 
 DynamicImport-Package: \
-  com.ibm.wsspi.request.probe.*, \
+  com.ibm.wsspi.request.probe.*,\
   com.ibm.webcontainer.security.*
 
 Include-Resource: \