fix: set bc in approved only

.github/workflows/checks.yaml

@@ -92,7 +92,10 @@ jobs:
           BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
         run: mvn clean --batch-mode clean generate-sources
       - name: Tests and enforcer (fips)
-        run: mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' -Dmaven.antrun.skip
+        run: |
+          mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' \
+            -Dmaven.antrun.skip \
+            -Dorg.bouncycastle.fips.approved_only=true
       - name: Tests with coverage and javadoc (non-fips)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

sdk/pom.xml

@@ -496,7 +496,7 @@
                 <activeByDefault>false</activeByDefault>
             </activation>
             <properties>
-                <java.security.properties.test>-Djava.security.properties=${project.basedir}/src/test/resources/java.security.fips.test</java.security.properties.test>
+                <java.security.properties.test>-Djava.security.properties==${project.basedir}/src/test/resources/java.security.fips.test -Dorg.bouncycastle.fips.approved_only=true -Djavax.net.ssl.trustStore=${project.basedir}/src/test/resources/empty-fips-truststore.bcfks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=BCFKS</java.security.properties.test>
             </properties>
             <dependencies>
                 <dependency>

sdk/src/main/java/io/opentdf/platform/sdk/AsymDecryption.java

@@ -1,8 +1,6 @@
 package io.opentdf.platform.sdk;
 
-import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import java.security.*;
 import java.security.spec.InvalidKeySpecException;
@@ -67,13 +65,14 @@ public byte[] decrypt(byte[] data) {
             throw new SDKException("error getting instance of cipher", e);
         }
         try {
-            cipher.init(Cipher.DECRYPT_MODE, this.privateKey);
+            cipher.init(Cipher.UNWRAP_MODE, this.privateKey);
         } catch (InvalidKeyException e) {
             throw new SDKException("error initializing cipher", e);
         }
         try {
-            return cipher.doFinal(data);
-        } catch (IllegalBlockSizeException | BadPaddingException e) {
+            Key key = cipher.unwrap(data, "AES", Cipher.SECRET_KEY);
+            return key.getEncoded();
+        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
             throw new SDKException("error performing decryption", e);
         }
     }

sdk/src/main/java/io/opentdf/platform/sdk/AsymEncryption.java

@@ -1,9 +1,9 @@
 package io.opentdf.platform.sdk;
 
-import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.SecretKeySpec;
 
 import java.io.ByteArrayInputStream;
 import java.security.*;
@@ -99,13 +99,13 @@ public byte[] encrypt(byte[] data) {
             throw new SDKException("error getting instance of cipher during encryption", e);
         }
         try {
-            cipher.init(Cipher.ENCRYPT_MODE, this.publicKey);
+            cipher.init(Cipher.WRAP_MODE, this.publicKey);
         } catch (InvalidKeyException e) {
             throw new SDKException("error encrypting with private key", e);
         }
         try {
-            return cipher.doFinal(data);
-        } catch (IllegalBlockSizeException | BadPaddingException e) {
+            return cipher.wrap(new SecretKeySpec(data, "AES"));
+        } catch (IllegalBlockSizeException | InvalidKeyException e) {
             throw new SDKException("error performing encryption", e);
         }
     }

sdk/src/test/java/io/opentdf/platform/sdk/FipsProviderVerificationTest.java

@@ -0,0 +1,45 @@
+package io.opentdf.platform.sdk;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
+
+import java.security.Security;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Verifies that the java.security.fips.test properties file was actually loaded when running
+ * under the fips Maven profile. Without this check, a misconfigured argLine would silently run
+ * all other tests against the default (non-FIPS) provider stack.
+ */
+@EnabledIfSystemProperty(named = "org.bouncycastle.fips.approved_only", matches = "true")
+class FipsProviderVerificationTest {
+
+    @Test
+    void bcFipsIsFirstProvider() {
+        var providers = Security.getProviders();
+        assertNotNull(providers, "No security providers registered");
+        assertTrue(providers.length > 0, "Provider list is empty");
+        assertEquals("BCFIPS", providers[0].getName(),
+                "Expected BCFIPS as the first security provider but got: " + providers[0].getName()
+                + " — the java.security.fips.test file was likely not loaded");
+    }
+
+    @Test
+    void bcJsseIsRegistered() {
+        assertNotNull(Security.getProvider("BCJSSE"),
+                "BCJSSE provider is not registered — the java.security.fips.test file was likely not loaded");
+    }
+
+    @Test
+    void sunJceIsNotRegistered() {
+        assertNull(Security.getProvider("SunJCE"),
+                "SunJCE provider is still registered — it should have been removed by java.security.fips.test");
+    }
+
+    @Test
+    void keyManagerFactoryAlgorithmIsPkix() {
+        assertEquals("PKIX", Security.getProperty("ssl.KeyManagerFactory.algorithm"),
+                "ssl.KeyManagerFactory.algorithm was not overridden to PKIX — the java.security.fips.test file was likely not loaded");
+    }
+}

sdk/src/test/resources/java.security.fips.test

@@ -2,23 +2,11 @@
 # support them. tell it to use PKIX instead which is supported by BC
 ssl.KeyManagerFactory.algorithm=PKIX
 ssl.TrustManagerFactory.algorithm=PKIX
+keystore.type=FIPS
 
 # the SUN provider is required so that we can get the NativePRNGBlocking algorithm
 securerandom.strongAlgorithms=NativePRNGBlocking:SUN
 
 security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
 security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
 security.provider.3=SUN
-
-# since this file is appended we need to make sure that we remove the other providers
-security.provider.4=
-security.provider.5=
-security.provider.6=
-security.provider.7=
-security.provider.8=
-security.provider.9=
-security.provider.10=
-security.provider.11=
-security.provider.12=
-security.provider.13=
-security.provider.14=