Skip to content

Commit 9bf8ebc

Browse files
committed
set bc in approved only
1 parent 63b49af commit 9bf8ebc

2 files changed

Lines changed: 49 additions & 1 deletion

File tree

.github/workflows/checks.yaml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,10 @@ jobs:
9292
BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
9393
run: mvn clean --batch-mode clean generate-sources
9494
- name: Tests and enforcer (fips)
95-
run: mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' -Dmaven.antrun.skip
95+
run: |
96+
mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' \
97+
-Dmaven.antrun.skip \
98+
-Dorg.bouncycastle.fips.approved_only=true
9699
- name: Tests with coverage and javadoc (non-fips)
97100
env:
98101
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
package io.opentdf.platform.sdk;
2+
3+
import org.junit.jupiter.api.Test;
4+
import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
5+
6+
import java.security.Security;
7+
8+
import static org.junit.jupiter.api.Assertions.*;
9+
10+
/**
11+
* Verifies that the java.security.fips.test properties file was actually loaded when running
12+
* under the fips Maven profile. Without this check, a misconfigured argLine would silently run
13+
* all other tests against the default (non-FIPS) provider stack.
14+
*/
15+
@EnabledIfSystemProperty(named = "org.bouncycastle.fips.approved_only", matches = "true")
16+
class FipsProviderVerificationTest {
17+
18+
@Test
19+
void bcFipsIsFirstProvider() {
20+
var providers = Security.getProviders();
21+
assertNotNull(providers, "No security providers registered");
22+
assertTrue(providers.length > 0, "Provider list is empty");
23+
assertEquals("BCFIPS", providers[0].getName(),
24+
"Expected BCFIPS as the first security provider but got: " + providers[0].getName()
25+
+ " — the java.security.fips.test file was likely not loaded");
26+
}
27+
28+
@Test
29+
void bcJsseIsRegistered() {
30+
assertNotNull(Security.getProvider("BCJSSE"),
31+
"BCJSSE provider is not registered — the java.security.fips.test file was likely not loaded");
32+
}
33+
34+
@Test
35+
void sunJceIsNotRegistered() {
36+
assertNull(Security.getProvider("SunJCE"),
37+
"SunJCE provider is still registered — it should have been removed by java.security.fips.test");
38+
}
39+
40+
@Test
41+
void keyManagerFactoryAlgorithmIsPkix() {
42+
assertEquals("PKIX", Security.getProperty("ssl.KeyManagerFactory.algorithm"),
43+
"ssl.KeyManagerFactory.algorithm was not overridden to PKIX — the java.security.fips.test file was likely not loaded");
44+
}
45+
}

0 commit comments

Comments
 (0)