[JENKINS-73904] Enable FIPS restrictions in the JWK signing algorithm…

… for SSL verification

src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java

@@ -0,0 +1,115 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.EncryptionMethod;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.crypto.ECDSASigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.crypto.impl.AESCryptoProvider;
+import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
+import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
+import com.nimbusds.jose.crypto.impl.PasswordBasedCryptoProvider;
+import com.nimbusds.jose.crypto.impl.RSACryptoProvider;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+/**
+ * This class helps in validating algorithms for FIPS-140 compliance and filtering the non-compliant algorithms when in
+ * FIPS mode.
+ */
+public class OicAlgorithmValidatorFIPS140 {
+
+    private static final Set<JWSAlgorithm> JWSSupportedAlgorithms = new LinkedHashSet<>();
+    private static final Set<JWEAlgorithm> JWESupportedAlgorithms = new LinkedHashSet<>();
+    private static final Set<EncryptionMethod> supportedEncryptionMethod = new LinkedHashSet<>();
+
+    // Below list of compliant algorithms will be used to block the FIPS non-compliant algorithms.
+    static {
+        // Init compliant JWS algorithms
+        JWSSupportedAlgorithms.addAll(MACSigner.SUPPORTED_ALGORITHMS);
+        JWSSupportedAlgorithms.addAll(RSASSASigner.SUPPORTED_ALGORITHMS);
+        JWSSupportedAlgorithms.addAll(ECDSASigner.SUPPORTED_ALGORITHMS);
+
+        // Init compliant JWE algorithms
+        JWESupportedAlgorithms.addAll(AESCryptoProvider.SUPPORTED_ALGORITHMS);
+        JWESupportedAlgorithms.addAll(RSACryptoProvider.SUPPORTED_ALGORITHMS);
+        // RSA1_5 is deprecated and not a compliant algorithm.
+        JWESupportedAlgorithms.remove(JWEAlgorithm.RSA1_5);
+        JWESupportedAlgorithms.addAll(ECDHCryptoProvider.SUPPORTED_ALGORITHMS);
+        JWESupportedAlgorithms.addAll(PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS);
+
+        // Init complaint EncryptionMethods
+        supportedEncryptionMethod.addAll(ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
+        supportedEncryptionMethod.remove(EncryptionMethod.XC20P);
+    }
+
+    /**
+     * Checks if the JWS signing algorithm used for OIC configuration is FIPS-140 compliant.
+     */
+    public static boolean isJWSAlgorithmFipsCompliant(@NonNull JWSAlgorithm algorithm) {
+        return JWSSupportedAlgorithms.contains(algorithm);
+    }
+
+    /**
+     *  Checks if the JWE encryption algorithm used for OIC configuration is FIPS-140 compliant.
+     */
+    public static boolean isJWEAlgorithmFipsCompliant(@NonNull JWEAlgorithm algorithm) {
+        return JWESupportedAlgorithms.contains(algorithm);
+    }
+
+    /**
+     *  Checks if the encryption method used for OIC configuration is FIPS-140 compliant.
+     */
+    public static boolean isEncryptionMethodFipsCompliant(@NonNull EncryptionMethod encryptionMethod) {
+        return supportedEncryptionMethod.contains(encryptionMethod);
+    }
+
+    /**
+     *  Filter the list of JWE encryption lists used in OIC configuration and return only the FIPS-140 compliant
+     *  algorithms
+     * @return immutable list of FIPS-140 JWE encryption algorithms
+     */
+    @NonNull
+    public static List<JWEAlgorithm> getFipsCompliantJWEAlgorithm(@NonNull List<JWEAlgorithm> algorithms) {
+        return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isJWEAlgorithmFipsCompliant);
+    }
+
+    /**
+     *  Filter the list of JWS encryption lists used in OIC configuration and return only the FIPS-140 compliant
+     *  algorithms
+     * @return immutable list of FIPS-140 JWS encryption algorithms
+     */
+    @NonNull
+    public static List<JWSAlgorithm> getFipsCompliantJWSAlgorithm(@NonNull List<JWSAlgorithm> algorithms) {
+        return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isJWSAlgorithmFipsCompliant);
+    }
+
+    /**
+     *  Filter the list of encryption method lists used in OIC configuration and return only the FIPS-140 compliant
+     *  algorithms
+     * @return immutable list of FIPS-140 encryption methods
+     */
+    public static List<EncryptionMethod> getFipsCompliantEncryptionMethod(@NonNull List<EncryptionMethod> algorithms) {
+        return filterAlgorithms(algorithms, OicAlgorithmValidatorFIPS140::isEncryptionMethodFipsCompliant);
+    }
+
+    /**
+     * Filters out FIPS non-compliant algorithms from the provided list.
+     *
+     * @param <T> the type of the algorithm
+     * @param algorithms the list of algorithms to filter
+     * @param criteria that checks if an algorithm should be filtered or not
+     * @return immutable filtered list with elements matching the criteria
+     */
+    @NonNull
+    private static <T extends Algorithm> List<T> filterAlgorithms(
+            @NonNull List<T> algorithms, @NonNull Function<T, Boolean> criteria) {
+        return algorithms.stream().filter(criteria::apply).collect(Collectors.toList());
+    }
+}

src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

@@ -25,6 +25,9 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
+import com.nimbusds.jose.EncryptionMethod;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTParser;
 import com.nimbusds.oauth2.sdk.GrantType;
@@ -35,6 +38,7 @@
 import com.nimbusds.oauth2.sdk.token.RefreshToken;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.Util;
@@ -504,6 +508,7 @@ private OidcConfiguration buildOidcConfiguration() {
         // set many more as needed...
 
         OIDCProviderMetadata oidcProviderMetadata = serverConfiguration.toProviderMetadata();
+        filterNonFIPS140CompliantAlgorithms(oidcProviderMetadata);
         if (this.isDisableTokenVerification()) {
             conf.setAllowUnsignedIdTokens(true);
             conf.setTokenValidator(new AnythingGoesTokenValidator());
@@ -524,6 +529,144 @@ private OidcConfiguration buildOidcConfiguration() {
         return conf;
     }
 
+    // Visible for testing
+    @Restricted(NoExternalUse.class)
+    protected void filterNonFIPS140CompliantAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
+        if (FIPS140.useCompliantAlgorithms()) {
+            // If FIPS is not enabled, then we don't have to filter the algorithms
+            filterJwsAlgorithms(oidcProviderMetadata);
+            filterJweAlgorithms(oidcProviderMetadata);
+            filterEncryptionMethods(oidcProviderMetadata);
+        }
+    }
+
+    private void filterEncryptionMethods(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
+        if (oidcProviderMetadata.getRequestObjectJWEEncs() != null) {
+            List<EncryptionMethod> requestObjectJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getRequestObjectJWEEncs());
+            oidcProviderMetadata.setRequestObjectJWEEncs(requestObjectJWEEncs);
+        }
+
+        if (oidcProviderMetadata.getAuthorizationJWEEncs() != null) {
+            List<EncryptionMethod> authorizationJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getAuthorizationJWEEncs());
+            oidcProviderMetadata.setAuthorizationJWEEncs(authorizationJWEEncs);
+        }
+
+        if (oidcProviderMetadata.getIDTokenJWEEncs() != null) {
+            List<EncryptionMethod> idTokenJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getIDTokenJWEEncs());
+            oidcProviderMetadata.setIDTokenJWEEncs(idTokenJWEEncs);
+        }
+
+        if (oidcProviderMetadata.getUserInfoJWEEncs() != null) {
+            List<EncryptionMethod> userInfoJWEEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getUserInfoJWEEncs());
+            oidcProviderMetadata.setUserInfoJWEEncs(userInfoJWEEncs);
+        }
+
+        if (oidcProviderMetadata.getRequestObjectJWEEncs() != null) {
+            List<EncryptionMethod> requestObjectJweEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getRequestObjectJWEEncs());
+            oidcProviderMetadata.setRequestObjectJWEEncs(requestObjectJweEncs);
+        }
+
+        if (oidcProviderMetadata.getAuthorizationJWEEncs() != null) {
+            List<EncryptionMethod> authJweEncs = OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(
+                    oidcProviderMetadata.getAuthorizationJWEEncs());
+            oidcProviderMetadata.setAuthorizationJWEEncs(authJweEncs);
+        }
+    }
+
+    private void filterJweAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
+        if (oidcProviderMetadata.getIDTokenJWEAlgs() != null) {
+            List<JWEAlgorithm> idTokenJWEAlgs =
+                    OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oidcProviderMetadata.getIDTokenJWEAlgs());
+            oidcProviderMetadata.setIDTokenJWEAlgs(idTokenJWEAlgs);
+        }
+
+        if (oidcProviderMetadata.getUserInfoJWEAlgs() != null) {
+            List<JWEAlgorithm> userTokenJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
+                    oidcProviderMetadata.getUserInfoJWEAlgs());
+            oidcProviderMetadata.setUserInfoJWEAlgs(userTokenJWEAlgs);
+        }
+
+        if (oidcProviderMetadata.getRequestObjectJWEAlgs() != null) {
+            List<JWEAlgorithm> requestObjectJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
+                    oidcProviderMetadata.getRequestObjectJWEAlgs());
+            oidcProviderMetadata.setRequestObjectJWEAlgs(requestObjectJWEAlgs);
+        }
+
+        if (oidcProviderMetadata.getAuthorizationJWEAlgs() != null) {
+            List<JWEAlgorithm> authorizationJWEAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(
+                    oidcProviderMetadata.getAuthorizationJWEAlgs());
+            oidcProviderMetadata.setAuthorizationJWEAlgs(authorizationJWEAlgs);
+        }
+    }
+
+    private void filterJwsAlgorithms(@NonNull OIDCProviderMetadata oidcProviderMetadata) {
+        if (oidcProviderMetadata.getIDTokenJWSAlgs() != null) {
+            List<JWSAlgorithm> idTokenJWSAlgs =
+                    OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oidcProviderMetadata.getIDTokenJWSAlgs());
+            oidcProviderMetadata.setIDTokenJWSAlgs(idTokenJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getUserInfoJWSAlgs() != null) {
+            List<JWSAlgorithm> userInfoJwsAlgo = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getUserInfoJWSAlgs());
+            oidcProviderMetadata.setUserInfoJWSAlgs(userInfoJwsAlgo);
+        }
+
+        if (oidcProviderMetadata.getTokenEndpointJWSAlgs() != null) {
+            List<JWSAlgorithm> tokenEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getTokenEndpointJWSAlgs());
+            oidcProviderMetadata.setTokenEndpointJWSAlgs(tokenEndpointJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getIntrospectionEndpointJWSAlgs() != null) {
+            List<JWSAlgorithm> introspectionEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getIntrospectionEndpointJWSAlgs());
+            oidcProviderMetadata.setIntrospectionEndpointJWSAlgs(introspectionEndpointJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getRevocationEndpointJWSAlgs() != null) {
+            List<JWSAlgorithm> revocationEndpointJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getRevocationEndpointJWSAlgs());
+            oidcProviderMetadata.setRevocationEndpointJWSAlgs(revocationEndpointJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getRequestObjectJWSAlgs() != null) {
+            List<JWSAlgorithm> requestObjectJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getRequestObjectJWSAlgs());
+            oidcProviderMetadata.setRequestObjectJWSAlgs(requestObjectJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getDPoPJWSAlgs() != null) {
+            List<JWSAlgorithm> dPoPJWSAlgs =
+                    OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oidcProviderMetadata.getDPoPJWSAlgs());
+            oidcProviderMetadata.setDPoPJWSAlgs(dPoPJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getAuthorizationJWSAlgs() != null) {
+            List<JWSAlgorithm> authorizationJWSAlgs = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getAuthorizationJWSAlgs());
+            oidcProviderMetadata.setAuthorizationJWSAlgs(authorizationJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs() != null) {
+            List<JWSAlgorithm> backChannelAuthenticationRequestJWSAlgs =
+                    OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                            oidcProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs());
+            oidcProviderMetadata.setBackChannelAuthenticationRequestJWSAlgs(backChannelAuthenticationRequestJWSAlgs);
+        }
+
+        if (oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs() != null) {
+            List<JWSAlgorithm> clientRegisterationAuth = OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(
+                    oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs());
+            oidcProviderMetadata.setClientRegistrationAuthnJWSAlgs(clientRegisterationAuth);
+        }
+    }
+
     @Restricted(NoExternalUse.class) // exposed for testing only
     protected OidcClient buildOidcClient() {
         OidcConfiguration oidcConfiguration = buildOidcConfiguration();

src/main/java/org/jenkinsci/plugins/oic/OicServerManualConfiguration.java

@@ -26,6 +26,7 @@
 import java.util.Locale;
 import java.util.Objects;
 import jenkins.model.Jenkins;
+import jenkins.security.FIPS140;
 import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.oic.OicSecurityRealm.TokenAuthMethod;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -155,7 +156,13 @@ public OIDCProviderMetadata toProviderMetadata() {
             // rather we just say "I support anything, and let the check for the specific ones fail and fall through
             ArrayList<JWSAlgorithm> allAlgorthms = new ArrayList<>();
             allAlgorthms.addAll(JWSAlgorithm.Family.HMAC_SHA);
-            allAlgorthms.addAll(JWSAlgorithm.Family.SIGNATURE);
+            if (FIPS140.useCompliantAlgorithms()) {
+                // In FIPS-140 Family.ED is not supported
+                allAlgorthms.addAll(JWSAlgorithm.Family.RSA);
+                allAlgorthms.addAll(JWSAlgorithm.Family.EC);
+            } else {
+                allAlgorthms.addAll(JWSAlgorithm.Family.SIGNATURE);
+            }
             providerMetadata.setIDTokenJWSAlgs(allAlgorthms);
             return providerMetadata;
         } catch (URISyntaxException e) {

src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java

@@ -155,7 +155,7 @@ public OIDCProviderMetadata toProviderMetadata() {
             // hope.
             return oidcProviderMetadata;
         }
-        throw new IllegalStateException("Well known configuration could not be loaded, login can not preceed.");
+        throw new IllegalStateException("Well known configuration could not be loaded, login can not proceed.");
     }
 
     /**

src/test/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140Test.java

@@ -0,0 +1,34 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import jenkins.security.FIPS140;
+import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mockStatic;
+
+public class OicAlgorithmValidatorFIPS140Test {
+
+    @Test
+    void isJwsAlgorithmFipsCompliant() {
+        try (MockedStatic<FIPS140> fips140Mock = mockStatic(FIPS140.class)) {
+            fips140Mock.when(FIPS140::useCompliantAlgorithms).thenReturn(true);
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("")));
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm(" ")));
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("invalid-algo")));
+
+            String[] validAlgoArray = {
+                "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256",
+                "PS384", "PS512"
+            };
+            for (String algo : validAlgoArray) {
+                assertTrue(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm(algo)));
+            }
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("EdDSA")));
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("Ed25519")));
+            assertFalse(OicAlgorithmValidatorFIPS140.isJWSAlgorithmFipsCompliant(new JWSAlgorithm("Ed448")));
+        }
+    }
+}