Merge pull request #32537 from abutch3r/cli_fips_support

Add FIPS Env Var support for CLI commands

Author: abutch3r

dev/build.image/build.gradle

@@ -48,6 +48,13 @@ task copyPropertiesToBuildImage (type:Copy) {
            tokens: [PRODUCT_VERSION: bnd.libertyRelease, PRODUCT_EDITION: bnd.productEdition, PRODUCT_LICENSE_TYPE: bnd.productLicenseType])
 }
 
+task copyFips1403PropertiesToBuildImage( type: Copy) {
+    dependsOn jar
+    from project.file('publish/wlp/security')
+    into project.file('wlp/lib/security/fips140_3')
+    include 'FIPS140-3-Liberty.properties'
+}
+
 task copyPublicKeyToBuildImage (type:Copy) {
     dependsOn jar
     from project.file('publish')
@@ -154,6 +161,7 @@ jar {
 assemble {
     dependsOn publishTemplates
     dependsOn copyPropertiesToBuildImage
+    dependsOn copyFips1403PropertiesToBuildImage
     dependsOn addServiceFingerprint
     dependsOn copyReadmeToBuildImage
     dependsOn copyBetaLicenseToBuildImage
@@ -317,6 +325,12 @@ class PackageLibertyWithFeatures extends DefaultTask {
                 into "$outputTo/wlp"
             }
 
+            project.copy {
+                from project.file('wlp')
+                include 'lib/security/fips140_3/FIPS140-3-Liberty.properties'
+                into "$outputTo/wlp"
+            }
+
             if(isBeta) {
                 //Now add the BETA_NOTICES file
                 project.copy {

dev/build.image/publish/wlp/security/FIPS140-3-Liberty.properties

@@ -0,0 +1,28 @@
+# org.objectweb.asm.commons.SerialVersionUIDAdder: Allow for SHA-1 to generate SerialVersionUID's to conform Java specification
+# org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder: Allow for SHA-1 to generate SerialVersionUID's to conform Java specification
+# org.apache.yoko.rmi.impl.ValueDescriptor: Alloww for SHA-1 to generate the hash code for the RepositoryId
+# com.ibm.ws.wsoc.util.Utils: Allow SHA-1 for the generation of the Sec-WebSocket-Accept header
+# com.ibm.security.certclient.util.PkUtils: Allof for SHA-1 to generate of certificate Key Identifier(KID) value
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.desc.name = OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 for Liberty
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [+ \
+    {MessageDigest, SHA-1, *, FullClassName:org.objectweb.asm.commons.SerialVersionUIDAdder}, \
+    {MessageDigest, SHA-1, *, FullClassName:org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder}, \
+    {MessageDigest, SHA-1, *, FullClassName:org.apache.yoko.rmi.impl.ValueDescriptor}, \
+    {MessageDigest, SHA-1, *, FullClassName:com.ibm.ws.wsoc.util.Utils}, \
+    {MessageDigest, SHA-1, *, FullClassName:com.ibm.security.certclient.util.PkUtils}]
+
+# For Collectives
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.7 = com.ibm.ws.collective.security.internal.provider.CollectiveProvider
+
+# For WebServices / SAML (uses JCE underneath)
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.8 = org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.9 = org.apache.wss4j.dom.transform.STRTransformProvider
+# Reserved Providers in case new providers are required
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.10 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.11 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.12 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.13 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.14 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.15 = io.openliberty.PLACEHOLDER
+

dev/build.sharedResources/usrShared/resources/security/semeruFips140_3CustomProfile.properties

@@ -20,3 +20,4 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Custom.jce.provider.4 = com.sun.cry
     {SecretKeyFactory, PBEWithMD5AndDES, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
     {Cipher, PBEWithHmacSHA256AndAES_256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
     {Mac, HmacPBESHA256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}]
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Custom.jce.provider.5 = com.ibm.ws.collective.security.internal.provider.CollectiveProvider

dev/cnf/resources/bin/tool

@@ -278,16 +278,34 @@ if [ -z "${JAVA_HOME}" ]; then
   JAVA_PATH_FROM_PATH=$(command -v java)
   if [ -n "${JAVA_PATH_FROM_PATH}" ] ; then
     JPMS_MODULE_FILE_LOCATION=$(dirname $(dirname $JAVA_PATH_FROM_PATH))/lib/modules
+    IBM_SDK_FIPS140_3_FILE_LOCATION=$(dirname "$(dirname "${JAVA_PATH_FROM_PATH}")")/jre/fips140-3
   fi
 else
   JPMS_MODULE_FILE_LOCATION="${JAVA_HOME}/lib/modules"
+  IBM_SDK_FIPS140_3_FILE_LOCATION="${JAVA_HOME}/fips140-3"
 fi
 
 # If this is a Java 9 JDK, add some JDK 9 workarounds to the JVM_ARGS
 if [ -f "${JPMS_MODULE_FILE_LOCATION}" ]; then
   JVM_ARGS="--add-opens java.base/java.lang=ALL-UNNAMED ${JVM_ARGS}"
 fi
 
+# If ENABLE_FIPS140_3 is set by the user then add appropiate FIPS140-3 JVM options
+if [ -n "${ENABLE_FIPS140_3+set}" ] && [ "${ENABLE_FIPS140_3}" != false ]; then
+  if [ -d "${IBM_SDK_FIPS140_3_FILE_LOCATION}" ]; then
+    JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS ${JVM_ARGS}"
+  else
+    if grep -q "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "${JAVA_HOME}/conf/security/java.security" ; then
+      SEMERU_FIPS=true
+    elif grep -q "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "$(dirname $(dirname $(command -v java)))/conf/security/java.security" ; then
+      SEMERU_FIPS=true
+    fi
+    if [ -n SEMERU_FIPS ]; then
+      JVM_ARGS="-Dsemeru.fips=true -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-Liberty -Djava.security.properties=${WLP_INSTALL_DIR}/lib/security/fips140_3/FIPS140-3-Liberty.properties ${JVM_ARGS}"
+    fi
+  fi
+fi
+
 # Prevent the Java invocation appearing as an application on a mac
 # Setting on all platforms to avoid cross platform bugs
 JVM_ARGS="-Djava.awt.headless=true ${JVM_ARGS}"

dev/cnf/resources/bin/tool.bat

@@ -56,6 +56,34 @@ if NOT defined JAVA_HOME (
 @REM If this is a Java 9 JDK, add some JDK 9 workarounds to the JVM_ARGS
 if exist "%JAVA_HOME%\lib\modules" set JVM_ARGS=--add-opens java.base/java.lang=ALL-UNNAMED !JVM_ARGS!
 
+@REM If ENABLE_FIPS140_3 is specified and has a value, add FIPS140-3
+if defined ENABLE_FIPS140_3 (
+    if "%ENABLE_FIPS140_3" neq "false" (
+      @REM determine if we are using IBM SDK 8 with FIPS140-3 support
+      if exist "%JAVA_HOME%\fips140-3" set IBM_SDK_8=true
+      if NOT defined IBM_SDK_8 (
+        if exist "%JRE_HOME%\fips140-3" set IBM_SDK_8=true
+        if NOT defined IBM_SDK_8 (
+          if exist "%WLP_DEFAULT_JAVA_HOME%\jre\fips140-3" set IBM_SDK_8=true
+        )
+      )
+      if not defined IBM_SDK_8 (
+      for /f "delims=" %%a in ('find "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "!JAVA_HOME!\conf\security\java.security"') do (
+          if defined SKIP_FIRST_LINE (
+             set SEMERU_FIPS=true
+          ) else (
+             set SKIP_FIRST_LINE="true"
+          )
+        )
+      )
+      if defined IBM_SDK_8 (
+          set JVM_ARGS=-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS !JVM_ARGS!
+      ) else if defined SEMERU_FIPS (
+          set JVM_ARGS=-Dsemeru.fips=true -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-Liberty -Djava.security.properties=!WLP_INSTALL_DIR!\lib\security\fips140_3\FIPS140-3-Liberty.properties !JVM_ARGS!
+      )
+    )
+)
+
 set JVM_ARGS=-Djava.awt.headless=true !JVM_ARGS!
 set TOOL_JAVA_CMD_QUOTED=!JAVA_CMD_QUOTED! !JVM_ARGS! -jar "!WLP_INSTALL_DIR!\bin\@TOOL_JAR@"
 

dev/com.ibm.ws.appclient.boot.ws-client/publish/bin/client

@@ -390,7 +390,7 @@ clientEnvDefaults()
       JVM_ARGS="${JVM_ARGS} -Dfile.encoding=$defaultFileEncoding"
     fi
   fi
-  
+
   clientUmask
 }
 
@@ -441,6 +441,8 @@ clientEnvAndJVMOptions()
     mergeJVMOptions "${WLP_INSTALL_DIR}/lib/platform/java/java9.options"
   fi
 
+  enableFIPS140_3
+
   return $rc
 }
 
@@ -468,6 +470,39 @@ mergeJVMOptions()
     fi
 }
 
+enableFIPS140_3()
+{
+  if [ -n "${ENABLE_FIPS140_3+set}" ] && [ "$ENABLE_FIPS140_3" != false ]; then
+    if [ -d "${JAVA_HOME}/jre/fips140-3" ] || [ -d "${JAVA_HOME}/fips140-3" ] || [ -d "$(dirname $(dirname $(command -v java)))/jre/fips140-3" ]; then
+      JVM_ARGS="${JVM_ARGS} -Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"
+    else
+      if [ -f "${JAVA_HOME}/conf/security/java.security" ]; then
+        if grep -q "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "${JAVA_HOME}/conf/security/java.security" ; then
+          SEMERU_FIPS=true
+        elif grep -q "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "$(dirname $(dirname $(command -v java)))/conf/security/java.security" ; then
+          SEMERU_FIPS=true
+        fi
+        if [ -n "${SEMERU_FIPS}" ]; then
+          saveIFS=$IFS
+          IFS=":"
+          ENABLE_FIPS140_3="${WLP_INSTALL_DIR}/lib/security/fips140_3/FIPS140-3-Liberty.properties:${ENABLE_FIPS140_3}"
+          for file in ${ENABLE_FIPS140_3}; do
+            profileFile=$file
+          done
+          IFS=$saveIFS
+          for line in $(readNativeFile "$profileFile" '[#_A-Za-z=]' | tr -d '\r'); do
+            match=$(echo "$line" | sed -n 's/.*RestrictedSecurity\.\([a-zA-Z0-9\.-]*\)\.extends$/\1/p')
+            if [ -n "$match" ]; then
+              profile=$match
+            fi
+          done
+          JVM_ARGS="${JVM_ARGS} -Dsemeru.fips=true -Dsemeru.customprofile=${profile} -Djava.security.propertiesList=${ENABLE_FIPS140_3}"
+        fi
+      fi
+    fi
+  fi
+}
+
 ##
 ## readClientEnv: Read client.env file and export environment variables.
 readClientEnv()

dev/com.ibm.ws.appclient.boot.ws-client/publish/bin/client.bat

@@ -175,6 +175,8 @@ goto:eof
   if %RC% == 2 goto:eof
 
   call:clientWorkingDirectory
+  call:enableFIPS140_3
+
   !JAVA_CMD_QUOTED! !JAVA_AGENT_QUOTED! !JVM_OPTIONS! !JAVA_PARAMS_QUOTED! --batch-file !PARAMS_QUOTED!
   set RC=%errorlevel%
   call:javaCmdResult
@@ -260,7 +262,6 @@ goto:eof
     if exist "%JAVA_HOME%\jre\bin\java.exe" set JAVA_HOME=!JAVA_HOME!\jre
     set JAVA_CMD_QUOTED="!JAVA_HOME!\bin\java"
   )
-
 goto:eof
 
 @REM
@@ -302,7 +303,7 @@ goto:eof
   )
 
   set JVM_OPTIONS=!JVM_OPTIONS!%JVM_TEMP_OPTIONS%
-  
+
 goto:eof
 
 @REM
@@ -350,6 +351,61 @@ goto:eof
   cd /d "%CLIENT_OUTPUT_DIR%"
 goto:eof
 
+@REM Check if the ENABLE_FIPS140_3 variable has been set by the user
+@REM If ENABLE_FIPS140_3 is set, determine the correct JVM options depending on the version of Java to be used and add to list
+@REM The version of java is determined to correctly set IBM SDK 8 or Semeru FIPS140-3 flags
+:enableFIPS140_3
+  @REM CHeck if FIPS140-3 is enabled for the client
+  if defined ENABLE_FIPS140_3 (
+    if "%ENABLE_FIPS140_3%" neq "false" (
+      @REM determine if we are using IBM SDK 8 with FIPS140-3 support
+      if exist "%JAVA_HOME%\fips140-3" set IBM_SDK_8=true
+      if NOT defined IBM_SDK_8 (
+        if exist "%JRE_HOME%\fips140-3" set IBM_SDK_8=true
+        if NOT defined IBM_SDK_8 (
+          if exist "%WLP_DEFAULT_JAVA_HOME%\jre\fips140-3" set IBM_SDK_8=true
+        )
+      )
+      if not defined IBM_SDK_8 (
+        for /f "delims=" %%a in ('find "OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced" "!JAVA_HOME!\conf\security\java.security"') do (
+          if defined SKIP_FIRST_LINE (
+             set SEMERU_FIPS=true
+          ) else (
+             set SKIP_FIRST_LINE="true"
+          )
+        )
+      )
+
+      if defined IBM_SDK_8 (
+        set JVM_OPTIONS=-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS !JVM_OPTIONS!
+      ) else (
+        if defined SEMERU_FIPS (
+          @REM de-quote input variable
+          set ENABLE_FIPS140_3=!ENABLE_FIPS140_3:"=!
+          @REM add Liberty FIPS profile
+          set ENABLE_FIPS140_3=!WLP_INSTALL_DIR!\lib\security\fips140_3\FIPS140-3-Liberty.properties;!ENABLE_FIPS140_3!
+          @REM Retrieve name of Semeru FIPS140-3 profile from the last file in provided paths
+          for %%i in ("!ENABLE_FIPS140_3:;=";"!") do (
+            set "file=%%~i"
+          )
+          for /f "delims== " %%l in (!file!) do (
+            set line=%%l
+            if /i "!line:~0,18!" == "RestrictedSecurity" (
+              set "line=!line:~19!"
+              if "!line:~-7!" == "extends" (
+                set profileName=!line:~0,-8!
+              )
+            )
+          )
+          set JVM_OPTIONS=-Dsemeru.fips=true -Dsemeru.customprofile=!profileName! -Djava.security.propertiesList=!ENABLE_FIPS140_3! !JVM_OPTIONS!
+        )
+      )
+    )
+  )
+
+goto:eof
+
+
 @REM
 @REM Check the result of a Java command.
 @REM