opentdf
diff --git a/‎pom.xml‎
Lines changed: 23 additions & 0 deletions b/‎pom.xml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎sdk/pom.xml‎
Lines changed: 62 additions & 13 deletions b/‎sdk/pom.xml‎
Lines changed: 62 additions & 13 deletions
diff --git a/‎sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java‎
Lines changed: 18 additions & 0 deletions b/‎sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎sdk/src/main/java/io/opentdf/platform/sdk/TDF.java‎
Lines changed: 1 addition & 4 deletions b/‎sdk/src/main/java/io/opentdf/platform/sdk/TDF.java‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎sdk/src/test/java.security.fips.test‎
Lines changed: 19 additions & 0 deletions b/‎sdk/src/test/java.security.fips.test‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎sdk/src/test/java.security.test‎
Lines changed: 8 additions & 0 deletions b/‎sdk/src/test/java.security.test‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎sdk/src/test/java/io/opentdf/platform/sdk/CryptoProviderSetupExtension.java‎
Lines changed: 0 additions & 26 deletions b/‎sdk/src/test/java/io/opentdf/platform/sdk/CryptoProviderSetupExtension.java‎
Lines changed: 0 additions & 26 deletions
@@ -17,6 +17,9 @@
         <grpc.version>1.75.0</grpc.version>
         <protobuf.version>4.29.2</protobuf.version>
         <bouncycastle.version>1.82</bouncycastle.version>
+        <bc-fips.version>2.1.2</bc-fips.version>
+        <bcpkix-fips.version>2.1.11</bcpkix-fips.version>
+        <bctls-fips.version>2.1.23</bctls-fips.version>
         <bytebuddy.version>1.18.3</bytebuddy.version>
         <!-- JaCoCo Properties -->
         <jacoco.version>0.8.13</jacoco.version>
@@ -123,6 +126,26 @@
                 <artifactId>bcprov-jdk18on</artifactId>
                 <version>${bouncycastle.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bctls-jdk18on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bc-fips</artifactId>
+                <version>${bc-fips.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-fips</artifactId>
+                <version>${bcpkix-fips.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bctls-fips</artifactId>
+                <version>${bctls-fips.version}</version>
+            </dependency>
             <!--
                 Pin Byte Buddy for test-time Mockito instrumentation on newer JVMs (e.g. Java 21).
                 This does NOT add a runtime dependency; it only manages the version used by modules.
 
@@ -17,6 +17,7 @@
         <connect.version>0.7.2</connect.version>
         <okhttp.version>4.12.0</okhttp.version>
         <platform.branch>protocol/go/v0.16.0</platform.branch>
+        <!-- test.java.security.file is set by the `non-fips` (default) or `fips` profile -->
     </properties>
     <dependencies>
         <!-- Logging Dependencies -->
@@ -148,17 +149,7 @@
             <version>6.0.53</version>
             <scope>provided</scope>
         </dependency>
-        <!-- Crypto Dependencies -->
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk18on</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk18on</artifactId>
-            <scope>test</scope>
-        </dependency>
+        <!-- Crypto Dependencies are pulled in via the `non-fips` (default) or `fips` profile -->
         <!-- Testing Dependencies -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>
@@ -473,11 +464,69 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <argLine>-Djava.security.properties=${test.java.security.file}</argLine>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
-    <!--profile
-    to execute fuzz test -->
     <profiles>
+        <profile>
+            <id>non-fips</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <test.java.security.file>${project.basedir}/src/test/java.security.test</test.java.security.file>
+            </properties>
+            <dependencies>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk18on</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk18on</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bctls-jdk18on</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+            </dependencies>
+        </profile>
+        <profile>
+            <id>fips</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <properties>
+                <test.java.security.file>${project.basedir}/src/test/java.security.fips.test</test.java.security.file>
+            </properties>
+            <dependencies>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bc-fips</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-fips</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bctls-fips</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+            </dependencies>
+        </profile>
+        <!-- profile to execute fuzz test -->
         <profile>
             <id>fuzz</id>
             <activation>
 
@@ -3,6 +3,7 @@
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
@@ -20,10 +21,27 @@
 public class AesGcm {
     public static final int GCM_NONCE_LENGTH = 12; // in bytes
     public static final int GCM_TAG_LENGTH = 16; // in bytes
+    public static final int GCM_KEY_SIZE_BITS = 256;
+    private static final String KEY_ALGORITHM = "AES";
     private static final String CIPHER_TRANSFORM = "AES/GCM/NoPadding";
 
     private final SecretKey key;
 
+    /**
+     * <p>Generate a fresh 256-bit AES key using the JCA {@link KeyGenerator}.</p>
+     *
+     * @return the encoded key bytes
+     */
+    public static byte[] generateKey() {
+        try {
+            KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM);
+            keyGenerator.init(GCM_KEY_SIZE_BITS);
+            return keyGenerator.generateKey().getEncoded();
+        } catch (NoSuchAlgorithmException e) {
+            throw new SDKException("error generating AES key", e);
+        }
+    }
+
 
     /**
      * <p>Return symmetric key</p>
 
@@ -98,8 +98,6 @@ private static byte[] tdfECKeySaltCompute() {
     private static final String kTDFAsZip = "zip";
     private static final String kTDFZipReference = "reference";
 
-    private static final SecureRandom sRandom = new SecureRandom();
-
     private static final Gson gson = new GsonBuilder().create();
 
     static class EncryptedMetadata {
@@ -162,8 +160,7 @@ private void prepareManifest(Config.TDFConfig tdfConfig, Map<String, List<KASInf
                 String splitID = split.getKey();
 
                 // Symmetric key
-                byte[] symKey = new byte[GCM_KEY_SIZE];
-                sRandom.nextBytes(symKey);
+                byte[] symKey = AesGcm.generateKey();
                 symKeys.add(symKey);
 
                 // Add policyBinding
 
@@ -0,0 +1,19 @@
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+securerandom.strongAlgorithms=DRBG:SUN
+
+security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
+security.provider.3=SUN
+security.provider.4=
+security.provider.5=
+security.provider.6=
+security.provider.7=
+security.provider.8=
+security.provider.9=
+security.provider.10=
+security.provider.11=
+security.provider.12=
+security.provider.13=
+security.provider.14=
@@ -0,0 +1,8 @@
+keystore.type.compat=false
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+# TODO: get rid of the BC providers, we should not need them
+security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
+security.provider.3=SUN