Merge pull request #428 from fcojfernandez/JENKINS-73904
[JENKINS-73904] Enable FIPS restrictions in the JWK signing algorithm for SSL verification
fcojfernandez authored Oct 11, 2024
2 parents 2679db6 + f1b33c3 commit a67b9d1
Showing 7 changed files with 769 additions and 2 deletions.
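--- a/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java
+++ b/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java
@@ -0,0 +1,115 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.EncryptionMethod;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.crypto.ECDSASigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.crypto.impl.AESCryptoProvider;
+import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
+import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
+import com.nimbusds.jose.crypto.impl.PasswordBasedCryptoProvider;
+import com.nimbusds.jose.crypto.impl.RSACryptoProvider;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+/**
+* This class helps in validating algorithms for FIPS-140 compliance and filtering the non-compliant algorithms when in
+* FIPS mode.
+*/
+public class OicAlgorithmValidatorFIPS140 {
+
+private static final Set<JWSAlgorithm> JWSSupportedAlgorithms = new LinkedHashSet<>();
+private static final Set<JWEAlgorithm> JWESupportedAlgorithms = new LinkedHashSet<>();
+private static final Set<EncryptionMethod> supportedEncryptionMethod = new LinkedHashSet<>();
+
+// Below list of compliant algorithms will be used to block the FIPS non-compliant algorithms.
+static {
+// Init compliant JWS algorithms
+JWSSupportedAlgorithms.addAll(MACSigner.SUPPORTED_ALGORITHMS);
+JWSSupportedAlgorithms.addAll(RSASSASigner.SUPPORTED_ALGORITHMS);
+JWSSupportedAlgorithms.addAll(ECDSASigner.SUPPORTED_ALGORITHMS);
+
+// Init compliant JWE algorithms
+JWESupportedAlgorithms.addAll(AESCryptoProvider.SUPPORTED_ALGORITHMS);
+JWESupportedAlgorithms.addAll(RSACryptoProvider.SUPPORTED_ALGORITHMS);
+// RSA1_5 is deprecated and not a compliant algorithm.
+JWESupportedAlgorithms.remove(JWEAlgorithm.RSA1_5);
+JWESupportedAlgorithms.addAll(ECDHCryptoProvider.SUPPORTED_ALGORITHMS);
+JWESupportedAlgorithms.addAll(PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS);
+
+// Init complaint EncryptionMethods
+supportedEncryptionMethod.addAll(ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
+supportedEncryptionMethod.remove(EncryptionMethod.XC20P);
+}
+
+/**
+* Checks if the JWS signing algorithm used for OIC configuration is FIPS-140 compliant.
+*/
+public static boolean isJWSAlgorithmFipsCompliant(@NonNull JWSAlgorithm algorithm) {
+return JWSSupportedAlgorithms.contains(algorithm);
+}
+
+/**
+* Checks if the JWE encryption algorithm used for OIC configuration is FIPS-140 compliant.
+*/
+public static boolean isJWEAlgorithmFipsCompliant(@NonNull JWEAlgorithm algorithm) {
+return JWESupportedAlgorithms.contains(algorithm);
+}
+
+/**
+* Checks if the encryption method used for OIC configuration is FIPS-140 compliant.
+*/
+public static boolean isEncryptionMethodFipsCompliant(@NonNull EncryptionMethod encryptionMethod) {
+return supportedEncryptionMethod.contains(encryptionMethod);
+}
+
+/**
+* Filter the list of JWE encryption lists used in OIC configuration and return only the FIPS-140 compliant
+* algorithms
+* @return immutable list of FIPS-140 JWE encryption algorithms
+*/
+@NonNull
+public static List<JWEAlgorithm> getFipsCompliantJWEAlgorithm(@NonNull List<JWEAlgorithm> algorithms) {
+return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isJWEAlgorithmFipsCompliant);
+}
+
+/**
+* Filter the list of JWS encryption lists used in OIC configuration and return only the FIPS-140 compliant
+* algorithms
+* @return immutable list of FIPS-140 JWS encryption algorithms
+*/
+@NonNull
+public static List<JWSAlgorithm> getFipsCompliantJWSAlgorithm(@NonNull List<JWSAlgorithm> algorithms) {
+return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isJWSAlgorithmFipsCompliant);
+}
+
+/**
+* Filter the list of encryption method lists used in OIC configuration and return only the FIPS-140 compliant
+* algorithms
+* @return immutable list of FIPS-140 encryption methods
+*/
+public static List<EncryptionMethod> getFipsCompliantEncryptionMethod(@NonNull List<EncryptionMethod> algorithms) {
+return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isEncryptionMethodFipsCompliant);
+}
+
+/**
+* Filters out FIPS non-compliant algorithms from the provided list.
+*
+* @param <T> the type of the algorithm
+* @param algorithms the list of algorithms to filter
+* @param criteria that checks if an algorithm should be filtered or not
+* @return immutable filtered list with elements matching the criteria
+*/
+@NonNull
+private static <T extends Algorithm> List<T> filterAlgorithms(
+@NonNull List<T> algorithms, @NonNull Function<T, Boolean> criteria) {
+return algorithms.stream().filter(criteria::apply).collect(Collectors.toList());
+}
+}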
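Review bot: ES256K is treated as FIPS-compliant because `ECDSASigner.SUPPORTED_ALGORITHMS` is copied wholesale into `JWSSupportedAlgorithms` in the static initializer, yet secp256k1 is not an approved curve under FIPS 186, so it should be dropped the same way RSA1_5 and XC20P are: `JWSSupportedAlgorithms.remove(JWSAlgorithm.ES256K);`. The three `getFipsCompliant*` methods promise an "immutable list" in their Javadoc, but `Collectors.toList()` in `filterAlgorithms` makes no such guarantee; either wrap the result in `Collections.unmodifiableList(...)` or correct the Javadoc. Note also that an algorithm identifier alone cannot express everything FIPS cares about — ECDH-ES does not name its curve and RSA key length is not visible here — so this validator presumably has to be complemented by checks on the actual keys in use; a class-level comment stating that limitation would keep the next maintainer from over-trusting it. Minor: the three static tables are constants and would conventionally be `UPPER_SNAKE_CASE`, and a static utility class normally gets a private constructor.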
143 changes: 143 additions & 0 deletions src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
Expand Up @@ -25,6 +25,9 @@

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.GrantType;
Expand All @@ -35,6 +38,7 @@
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
Expand Down Expand Up @@ -512,6 +516,7 @@ private OidcConfiguration buildOidcConfiguration() {
// set many more as needed...

OIDCProviderMetadata oidcProviderMetadata = serverConfiguration.toProviderMetadata();
filterNonFIPS140CompliantAlgorithms(oidcProviderMetadata);
if (this.isDisableTokenVerification()) {
conf.setAllowUnsignedIdTokens(true);
conf.setTokenValidator(new AnythingGoesTokenValidator());
Expand All @@ -532,6 +537,144 @@ private OidcConfiguration buildOidcConfiguration() {
return conf;
}

// Visible for testing
@Restricted(NoExternalUse.class)
protected void filterNonFIPS140CompliantAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
if (FIPS140.useCompliantAlgorithms()) {
// If FIPS is not enabled, then we don't have to filter the algorithms
filterJwsAlgorithms(oidcProviderMetadata);
filterJweAlgorithms(oidcProviderMetadata);
filterEncryptionMethods(oidcProviderMetadata);
}
}

private void filterEncryptionMethods(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
if (oidcProviderMetadata.getRequestObjectJWEEncs() != null) {

List<EncryptionMethod> requestObjectJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getRequestObjectJWEEncs());
oidcProviderMetadata.setRequestObjectJWEEncs(requestObjectJWEEncs);
}

if (oidcProviderMetadata.getAuthorizationJWEEncs() != null) {

List<EncryptionMethod> authorizationJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getAuthorizationJWEEncs());
oidcProviderMetadata.setAuthorizationJWEEncs(authorizationJWEEncs);
}

if (oidcProviderMetadata.getIDTokenJWEEncs() != null) {

List<EncryptionMethod> idTokenJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getIDTokenJWEEncs());
oidcProviderMetadata.setIDTokenJWEEncs(idTokenJWEEncs);
}

if (oidcProviderMetadata.getUserInfoJWEEncs() != null) {

List<EncryptionMethod> userInfoJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getUserInfoJWEEncs());
oidcProviderMetadata.setUserInfoJWEEncs(userInfoJWEEncs);
}

if (oidcProviderMetadata.getRequestObjectJWEEncs() != null) {

List<EncryptionMethod> requestObjectJweEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getRequestObjectJWEEncs());
oidcProviderMetadata.setRequestObjectJWEEncs(requestObjectJweEncs);
}

if (oidcProviderMetadata.getAuthorizationJWEEncs() != null) {

List<EncryptionMethod> authJweEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
oidcProviderMetadata.getAuthorizationJWEEncs());
oidcProviderMetadata.setAuthorizationJWEEncs(authJweEncs);
}
}

private void filterJweAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
if (oidcProviderMetadata.getIDTokenJWEAlgs() != null) {

List<JWEAlgorithm> idTokenJWEAlgs =
OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oidcProviderMetadata.getIDTokenJWEAlgs());
oidcProviderMetadata.setIDTokenJWEAlgs(idTokenJWEAlgs);
}

if (oidcProviderMetadata.getUserInfoJWEAlgs() != null) {

List<JWEAlgorithm> userTokenJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
oidcProviderMetadata.getUserInfoJWEAlgs());
oidcProviderMetadata.setUserInfoJWEAlgs(userTokenJWEAlgs);
}

if (oidcProviderMetadata.getRequestObjectJWEAlgs() != null) {

List<JWEAlgorithm> requestObjectJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
oidcProviderMetadata.getRequestObjectJWEAlgs());
oidcProviderMetadata.setRequestObjectJWEAlgs(requestObjectJWEAlgs);
}

if (oidcProviderMetadata.getAuthorizationJWEAlgs() != null) {

List<JWEAlgorithm> authorizationJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
oidcProviderMetadata.getAuthorizationJWEAlgs());
oidcProviderMetadata.setAuthorizationJWEAlgs(authorizationJWEAlgs);
}
}

private void filterJwsAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
if (oidcProviderMetadata.getIDTokenJWSAlgs() != null) {

List<JWSAlgorithm> idTokenJWSAlgs =
OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oidcProviderMetadata.getIDTokenJWSAlgs());
oidcProviderMetadata.setIDTokenJWSAlgs(idTokenJWSAlgs);
}

if (oidcProviderMetadata.getUserInfoJWSAlgs() != null) {

List<JWSAlgorithm> userInfoJwsAlgo = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getUserInfoJWSAlgs());
oidcProviderMetadata.setUserInfoJWSAlgs(userInfoJwsAlgo);
}

if (oidcProviderMetadata.getTokenEndpointJWSAlgs() != null) {

List<JWSAlgorithm> tokenEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getTokenEndpointJWSAlgs());
oidcProviderMetadata.setTokenEndpointJWSAlgs(tokenEndpointJWSAlgs);
}

if (oidcProviderMetadata.getIntrospectionEndpointJWSAlgs() != null) {

List<JWSAlgorithm> introspectionEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getIntrospectionEndpointJWSAlgs());
oidcProviderMetadata.setIntrospectionEndpointJWSAlgs(introspectionEndpointJWSAlgs);
}

if (oidcProviderMetadata.getRevocationEndpointJWSAlgs() != null) {

List<JWSAlgorithm> revocationEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getRevocationEndpointJWSAlgs());
oidcProviderMetadata.setRevocationEndpointJWSAlgs(revocationEndpointJWSAlgs);
}

if (oidcProviderMetadata.getRequestObjectJWSAlgs() != null) {

List<JWSAlgorithm> requestObjectJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getRequestObjectJWSAlgs());
oidcProviderMetadata.setRequestObjectJWSAlgs(requestObjectJWSAlgs);
}

if (oidcProviderMetadata.getDPoPJWSAlgs() != null) {

List<JWSAlgorithm> dPoPJWSAlgs =
OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oidcProviderMetadata.getDPoPJWSAlgs());
oidcProviderMetadata.setDPoPJWSAlgs(dPoPJWSAlgs);

}

if (oidcProviderMetadata.getAuthorizationJWSAlgs() != null) {

List<JWSAlgorithm> authorizationJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getAuthorizationJWSAlgs());
oidcProviderMetadata.setAuthorizationJWSAlgs(authorizationJWSAlgs);
}

if (oidcProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs() != null) {

List<JWSAlgorithm> backChannelAuthenticationRequestJWSAlgs =
OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs());
oidcProviderMetadata.setBackChannelAuthenticationRequestJWSAlgs(backChannelAuthenticationRequestJWSAlgs);
}

if (oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs() != null) {

List<JWSAlgorithm> clientRegisterationAuth = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs());
oidcProviderMetadata.setClientRegistrationAuthnJWSAlgs(clientRegisterationAuth);

}
}

@Restricted(NoExternalUse.class) // exposed for testing only
protected OidcClient buildOidcClient() {
OidcConfiguration oidcConfiguration = buildOidcConfiguration();
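Review bot: `filterNonFIPS140CompliantAlgorithms` drops algorithms silently and can leave a metadata list empty — a provider that only advertises, say, EdDSA ends up with `setIDTokenJWSAlgs` receiving an empty list — with no log line or error telling an operator why login subsequently fails; consider logging each removed algorithm and failing fast when a list the client needs (`id_token_signing_alg_values_supported` at minimum) becomes empty. In `filterEncryptionMethods` the request-object and authorization JWE blocks appear twice (the second pair follows the user-info block verbatim), so two of the six blocks are dead duplicates. The comment `// If FIPS is not enabled, then we don't have to filter the algorithms` sits inside the branch taken when FIPS *is* enabled; move it above the `if` or reword it to `// Only filter when FIPS-140 mode is active`. The filtering also runs just before the `isDisableTokenVerification()` branch, which installs `AnythingGoesTokenValidator`; in FIPS mode that option presumably still bypasses every algorithm check, so it may be worth refusing that combination rather than filtering metadata the validator never consults. `buildOidcConfiguration()` begins and ends outside the hunk.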
Expand Up @@ -26,6 +26,7 @@
import java.util.Locale;
import java.util.Objects;
import jenkins.model.Jenkins;
import jenkins.security.FIPS140;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.oic.OicSecurityRealm.TokenAuthMethod;
import org.kohsuke.stapler.DataBoundConstructor;
Expand Down Expand Up @@ -155,7 +156,13 @@ public OIDCProviderMetadata toProviderMetadata() {
// rather we just say "I support anything, and let the check for the specific ones fail and fall through
ArrayList<JWSAlgorithm> allAlgorthms = new ArrayList<>();
allAlgorthms.addAll(JWSAlgorithm.Family.HMAC_SHA);
allAlgorthms.addAll(JWSAlgorithm.Family.SIGNATURE);
if (FIPS140.useCompliantAlgorithms()) {

// In FIPS-140 Family.ED is not supported
allAlgorthms.addAll(JWSAlgorithm.Family.RSA);
allAlgorthms.addAll(JWSAlgorithm.Family.EC);

} else {
allAlgorthms.addAll(JWSAlgorithm.Family.SIGNATURE);
}
providerMetadata.setIDTokenJWSAlgs(allAlgorthms);
return providerMetadata;
} catch (URISyntaxException e) {
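Review bot: `JWSAlgorithm.Family.EC` still advertises ES256K in the FIPS branch (it is added wholesale right after the `// In FIPS-140 Family.ED is not supported` comment), and secp256k1 is not a FIPS 186 approved curve, so the hand-picked family list is not actually FIPS-clean. Since `OicSecurityRealm.buildOidcConfiguration()` already runs `filterNonFIPS140CompliantAlgorithms` on the result of `toProviderMetadata()`, this branch is a second, slightly different definition of "compliant" that can drift from `OicAlgorithmValidatorFIPS140`; a single source of truth would be `allAlgorthms.addAll(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(new ArrayList<>(JWSAlgorithm.Family.SIGNATURE)));` (with ES256K removed from the validator's table), or simply dropping the branch and relying on the realm-level filter. `toProviderMetadata()` begins and ends outside the hunk.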
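--- a/src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java
+++ b/src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java
@@ -155,7 +155,7 @@ public OIDCProviderMetadata toProviderMetadata() {
 // hope.
 return oidcProviderMetadata;
 }
-throw new IllegalStateException("Well known configuration could not be loaded, login can not preceed.");
+throw new IllegalStateException("Well known configuration could not be loaded, login can not proceed.");
 }
 
 /**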
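--- a/src/test/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140Test.java
+++ b/src/test/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140Test.java
@@ -0,0 +1,34 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import jenkins.security.FIPS140;
+import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mockStatic;
+
+public class OicAlgorithmValidatorFIPS140Test {
+
+@Test
+void isJwsAlgorithmFipsCompliant() {
+try (MockedStatic<FIPS140> fips140Mock = mockStatic(FIPS140.class)) {
+fips140Mock.when(FIPS140::useCompliantAlgorithms).thenReturn(true);
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("")));
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm(" ")));
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("invalid-algo")));
+
+String[] validAlgoArray = {
+"HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256",
+"PS384", "PS512"
+};
+for (String algo : validAlgoArray) {
+assertTrue(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm(algo)));
+}
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("EdDSA")));
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("Ed25519")));
+assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("Ed448")));
+}
+}
+}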
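Review bot: The `mockStatic(FIPS140.class)` setup is dead weight — `OicAlgorithmValidatorFIPS140` builds its tables in a static initializer and never consults `FIPS140`, so every assertion here passes identically with or without the mock, and the try-with-resources may mislead a reader into thinking the validator is mode-aware. The test also pins `"ES256K"` as compliant in `validAlgoArray`, which bakes in the secp256k1 problem instead of catching it; that entry belongs in the rejected group next to the EdDSA names. Nothing covers the JWE and encryption-method paths — in particular that `RSA1_5` and `XC20P` are rejected, and that the `getFipsCompliant*` filters keep order and drop only the non-compliant entries — so three short tests would close that gap. Style: with JUnit 5 the test method is package-private while the class is `public`; making the class package-private as well is the usual convention.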