From da0a2cd9b254b670117d58c4fb7cbc0ef0b12960 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Vav=C5=99=C3=ADk?= <mvavrik@redhat.com>
Date: Wed, 15 May 2024 19:22:19 +0200
Subject: [PATCH] Workaround OpenJDK17 & RHEL & BCFIPS provider issue in FIPS

---
 .../runtime/SecurityProviderRecorder.java     | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java
index 01eb8e2c6bc88..1426988511198 100644
--- a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java
+++ b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java
@@ -6,16 +6,27 @@
 import static io.quarkus.security.runtime.SecurityProviderUtils.loadProvider;
 import static io.quarkus.security.runtime.SecurityProviderUtils.loadProviderWithParams;
 
+import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+
+import org.jboss.logging.Logger;
 
 import io.quarkus.runtime.annotations.Recorder;
 
 @Recorder
 public class SecurityProviderRecorder {
+
+    private static final Logger LOG = Logger.getLogger(SecurityProviderRecorder.class);
+
     public void addBouncyCastleProvider(boolean inFipsMode) {
         final String providerName = inFipsMode ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
                 : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME;
         addProvider(loadProvider(providerName));
+        if (inFipsMode) {
+            setSecureRandomStrongAlgorithmIfNecessary();
+        }
     }
 
     public void addBouncyCastleJsseProvider() {
@@ -33,5 +44,23 @@ public void addBouncyCastleFipsJsseProvider() {
         Provider bcJsse = loadProviderWithParams(SecurityProviderUtils.BOUNCYCASTLE_JSSE_PROVIDER_CLASS_NAME,
                 new Class[] { boolean.class, Provider.class }, new Object[] { true, bc });
         insertProvider(bcJsse, sunIndex + 1);
+        setSecureRandomStrongAlgorithmIfNecessary();
+    }
+
+    private void setSecureRandomStrongAlgorithmIfNecessary() {
+        try {
+            // workaround for the issue on OpenJDK 17 & RHEL8 & FIPS
+            // see https://github.com/bcgit/bc-java/issues/1285#issuecomment-2068958587
+            // we can remove this when OpenJDK 17 support is dropped or if it starts working on newer versions of RHEL8+
+            SecureRandom.getInstanceStrong();
+        } catch (NoSuchAlgorithmException e) {
+            SecureRandom secRandom = new SecureRandom();
+            String origStrongAlgorithms = Security.getProperty("securerandom.strongAlgorithms");
+            String usedAlgorithm = secRandom.getAlgorithm() + ":" + secRandom.getProvider().getName();
+            String strongAlgorithms = origStrongAlgorithms == null ? usedAlgorithm : usedAlgorithm + "," + origStrongAlgorithms;
+            LOG.debugf("Strong SecureRandom algorithm '%s' is not available. "
+                    + "Using fallback algorithm '%s'.", origStrongAlgorithms, usedAlgorithm);
+            Security.setProperty("securerandom.strongAlgorithms", strongAlgorithms);
+        }
     }
 }