Merge pull request #32693 from tloodu/remove-rsaOaep-FipsProfile

Remove RSA-OAEP filters and update tests to work with ECDH-ES JWEs

Author: tloodu

dev/com.ibm.ws.security.fat.common.jwt/src/com/ibm/ws/security/fat/common/jwt/utils/JwtTokenBuilderUtils.java

@@ -123,21 +123,22 @@ public void updateBuilderWithRSASettings(JWTTokenBuilder builder, String alg, St
      * @throws Exception
      */
     public String buildAlternatePayloadJWEToken(Key key) throws Exception {
-        JWTTokenBuilder builder = createAlternateJWEPayload(populateAlternateJWEToken(key));
-        String jwtToken = builder.buildAlternateJWE();
-        return jwtToken;
+        return buildAlternatePayloadJWEToken(key, (String) null, (List<NameValuePair>) null);
     }
 
     public String buildAlternatePayloadJWEToken(Key key, List<NameValuePair> extraPayload) throws Exception {
-        JWTTokenBuilder builder = createAlternateJWEPayload(populateAlternateJWEToken(key), extraPayload);
-        String jwtToken = builder.buildAlternateJWE();
-        return jwtToken;
+        return buildAlternatePayloadJWEToken(key, (String) null, extraPayload);
     }
 
     public String buildAlternatePayloadJWEToken(Key key, String keyMgmtKeyAlg) throws Exception {
-        JWTTokenBuilder builder = createAlternateJWEPayload(populateAlternateJWEToken(key, keyMgmtKeyAlg));
-        String jwtToken = builder.buildAlternateJWE();
-        return jwtToken;
+        return buildAlternatePayloadJWEToken(key, keyMgmtKeyAlg, (List<NameValuePair>) null);
+    }
+
+    public String buildAlternatePayloadJWEToken(Key key, String keyMgmtKeyAlg, List<NameValuePair> extraPayload) throws Exception {
+        JWTTokenBuilder builder;
+        builder = keyMgmtKeyAlg != null ? createAlternateJWEPayload(populateAlternateJWEToken(key, keyMgmtKeyAlg), extraPayload) : createAlternateJWEPayload(populateAlternateJWEToken(key), extraPayload);
+
+        return builder.buildAlternateJWE();
     }
 
     /**

dev/com.ibm.ws.security.fat.common/publish/shared/securityKeys/allAlgKeyStore.p12

@@ -111,7 +111,9 @@
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignRS384Encryptnone,
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignRS512Encryptnone,
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignRS256EncryptShortRS256,
+					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignES256EncryptShortES256,
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignRS256EncryptPublicRS256,
+					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/SignES256EncryptPublicES256,
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/RP_trustStoreRefOmitted,
 					http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/RP_sslRefOmitted"
 				scope="ALL_SCOPES"

dev/com.ibm.ws.security.fat.common/publish/shared/securityKeys/allAlgTrustStore.p12

@@ -1738,6 +1738,33 @@
 		audiences="client01"
 	>
 	</openidConnectClient>	
+
+	<authFilter id="authFilterES256ShortES256">
+		<requestUrl
+			id="requestUrlES256ShortES256"
+			urlPattern="/snoop/SignES256EncryptShortES256"
+			matchType="contains" />
+	</authFilter>
+
+	<openidConnectClient
+		id="SignES256EncryptShortES256"
+		scope="openid profile"
+		clientId="client01"
+		clientSecret="{xor}LDo8LTorbm1saw=="
+		mapIdentityToRegistryUser="true"
+		httpsRequired="false"
+		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
+		authFilterRef="authFilterES256ShortES256"
+		signatureAlgorithm="ES256"
+		trustStoreRef="trust_allSigAlg"
+		trustAliasName="es256"
+		keyManagementKeyAlias="short_es256"
+		sslRef="ssl_allSigAlg"
+		inboundPropagation="required"
+		issuerIdentifier="client01"
+		audiences="client01"
+	>
+	</openidConnectClient>
 
 	<authFilter id="authFilterRS256PublicRS256">
 		<requestUrl
@@ -1764,24 +1791,51 @@
 		issuerIdentifier="client01"
 		audiences="client01"
 	>
-	</openidConnectClient>		
+	</openidConnectClient>	
+
+	<authFilter id="authFilterES256PublicES256">
+		<requestUrl
+			id="requestUrlES256PublicES256"
+			urlPattern="/snoop/SignES256EncryptPublicES256"
+			matchType="contains" />
+	</authFilter>
+
+	<openidConnectClient
+		id="SignES256EncryptPublicES256"
+		scope="openid profile"
+		clientId="client01"
+		clientSecret="{xor}LDo8LTorbm1saw=="
+		mapIdentityToRegistryUser="true"
+		httpsRequired="false"
+		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
+		authFilterRef="authFilterES256PublicES256"
+		signatureAlgorithm="ES256"
+		trustStoreRef="trust_allSigAlg"
+		trustAliasName="es256"
+		keyManagementKeyAlias="es256"
+		sslRef="ssl_allSigAlg_badKeyStore"
+		inboundPropagation="required"
+		issuerIdentifier="client01"
+		audiences="client01"
+	>
+	</openidConnectClient>	
 
-	<authFilter id="authFilterRS_trustStoreRefOmitted">
+	<authFilter id="authFilterRS_trustStoreRefOmitted_RSA_OAEP">
 		<requestUrl
-			id="requestUrlRS_trustStoreRefOmitted"
-			urlPattern="/snoop/RS_trustStoreRefOmitted"
+			id="requestUrlRS_trustStoreRefOmitted_RSA_OAEP"
+			urlPattern="/snoop/RS_trustStoreRefOmitted_RSA_OAEP"
 			matchType="contains" />
 	</authFilter>
 
 	<openidConnectClient
-		id="RS_trustStoreRefOmitted"
+		id="RS_trustStoreRefOmitted_RSA_OAEP"
 		scope="openid profile"
 		clientId="client01"
 		clientSecret="{xor}LDo8LTorbm1saw=="
 		mapIdentityToRegistryUser="true"
 		httpsRequired="false"
 		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
-		authFilterRef="authFilterRS_trustStoreRefOmitted"
+		authFilterRef="authFilterRS_trustStoreRefOmitted_RSA_OAEP"
 		signatureAlgorithm="RS256"
 		trustAliasName="rs256"
 		keyManagementKeyAlias="rs256"
@@ -1790,31 +1844,82 @@
 		issuerIdentifier="client01"
 		audiences="client01"
 	>
-	</openidConnectClient>		
+	</openidConnectClient>	
+
+	<authFilter id="authFilterRS_trustStoreRefOmitted_ECDH_ES">
+		<requestUrl
+			id="requestUrlRS_trustStoreRefOmitted_ECDH_ES"
+			urlPattern="/snoop/RS_trustStoreRefOmitted_ECDH_ES"
+			matchType="contains" />
+	</authFilter>
+
+	<openidConnectClient
+		id="RS_trustStoreRefOmitted_ECDH_ES"
+		scope="openid profile"
+		clientId="client01"
+		clientSecret="{xor}LDo8LTorbm1saw=="
+		mapIdentityToRegistryUser="true"
+		httpsRequired="false"
+		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
+		authFilterRef="authFilterRS_trustStoreRefOmitted_ECDH_ES"
+		signatureAlgorithm="ES256"
+		trustAliasName="es256"
+		keyManagementKeyAlias="es256"
+		sslRef="ssl_allSigAlg"
+		inboundPropagation="required"
+		issuerIdentifier="client01"
+		audiences="client01"
+	>
+	</openidConnectClient>	
 
-	<authFilter id="authFilterRS_sslRefOmitted">
+	<authFilter id="authFilterRS_sslRefOmitted_RSA_OAEP">
 		<requestUrl
-			id="requestUrlRS_sslRefOmitted"
-			urlPattern="/snoop/RS_sslRefOmitted"
+			id="requestUrlRS_sslRefOmitted_RSA_OAEP"
+			urlPattern="/snoop/RS_sslRefOmitted_RSA_OAEP"
 			matchType="contains" />
 	</authFilter>
 
 	<openidConnectClient
-		id="RS_sslRefOmitted"
+		id="RS_sslRefOmitted_RSA_OAEP"
 		scope="openid profile"
 		clientId="client01"
 		clientSecret="{xor}LDo8LTorbm1saw=="
 		mapIdentityToRegistryUser="true"
 		httpsRequired="false"
 		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
-		authFilterRef="authFilterRS_sslRefOmitted"
+		authFilterRef="authFilterRS_sslRefOmitted_RSA_OAEP"
 		signatureAlgorithm="RS256"
 		trustAliasName="rs256"
 		keyManagementKeyAlias="rs256"
 		inboundPropagation="required"
 		issuerIdentifier="client01"
 		audiences="client01"
 	>
+	</openidConnectClient>
+
+	<authFilter id="authFilterRS_sslRefOmitted_ECDH_ES">
+		<requestUrl
+			id="requestUrlRS_sslRefOmitted_ECDH_ES"
+			urlPattern="/snoop/RS_sslRefOmitted_ECDH_ES"
+			matchType="contains" />
+	</authFilter>
+
+	<openidConnectClient
+		id="RS_sslRefOmitted_ECDH_ES"
+		scope="openid profile"
+		clientId="client01"
+		clientSecret="{xor}LDo8LTorbm1saw=="
+		mapIdentityToRegistryUser="true"
+		httpsRequired="false"
+		redirectToRPHostAndPort="http://localhost:${bvt.prop.security_3_HTTP_default}"
+		authFilterRef="authFilterRS_sslRefOmitted_ECDH_ES"
+		signatureAlgorithm="ES256"
+		trustAliasName="es256"
+		keyManagementKeyAlias="es256"
+		inboundPropagation="required"
+		issuerIdentifier="client01"
+		audiences="client01"
+	>
 	</openidConnectClient>		
 
 </server>

dev/com.ibm.ws.security.oidc.client_fat.jaxrs/publish/servers/com.ibm.ws.security.openidconnect.client-1.0_fat.jaxrs.opWithStub/configs/op_server_encrypt.xml

@@ -18,6 +18,7 @@
 
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
+import org.junit.Rule;
 import org.junit.runner.RunWith;
 
 import com.ibm.ws.security.oauth_oidc.fat.commonTest.Constants;
@@ -31,6 +32,8 @@
 import componenttest.custom.junit.runner.Mode;
 import componenttest.custom.junit.runner.Mode.TestMode;
 import componenttest.rules.repeater.RepeatTests;
+import componenttest.rules.SkipJavaSemeruWithFipsEnabled;
+import componenttest.rules.SkipJavaSemeruWithFipsEnabled.SkipJavaSemeruWithFipsEnabledRule;
 import componenttest.topology.impl.LibertyServerWrapper;
 
 @RunWith(FATRunner.class)
@@ -45,6 +48,9 @@ public class LibertyOP_Encryption_oidc_usingSocialConfig extends Social_Encrypti
     @ClassRule
     public static RepeatTests r = RepeatTests.withoutModification();
 
+    @Rule
+    public static final SkipJavaSemeruWithFipsEnabled skipJavaSemeruWithFipsEnabled = new SkipJavaSemeruWithFipsEnabled(SocialConstants.SERVER_NAME + ".LibertyOP.opWithStub");
+
     @BeforeClass
     public static void setUp() throws Exception {
 

dev/com.ibm.ws.security.oidc.server_fat.jaxrs.config.commonTest/fat/src/com/ibm/ws/security/openidconnect/server/fat/jaxrs/config/noOP/NoOPEncryptionRSServerTests.java

@@ -104,7 +104,9 @@
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignES384Encryptnone,
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignES512Encryptnone,
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignRS256EncryptShortRS256,
+					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignES256EncryptShortES256,
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignRS256EncryptPublicRS256,
+					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/SignES256EncryptPublicES256,
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/RP_trustStoreRefOmitted,
 					https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/RP_sslRefOmitted"
 				scope="ALL_SCOPES"