Merge pull request OpenLiberty#14 from utle/FIPSwork-audit

Move messageDigest getInstance to CryptoUtil

dev/com.ibm.ws.kernel.service/src/com/ibm/ws/common/crypto/CryptoUtils.java

@@ -313,12 +313,30 @@ public static MessageDigest getMessageDigest(String algorithm) throws NoSuchAlgo
     public static MessageDigest getMessageDigestForLTPA() {
         MessageDigest md1 = null;
         try {
-            if (fipsEnabled && isOpenJCEPlusFIPSAvailable()) {
-                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
-                                                OPENJCE_PLUS_FIPS_NAME);
-            } else if (fipsEnabled && isIBMJCEPlusFIPSAvailable()) {
-                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
-                                                IBMJCE_PLUS_FIPS_NAME);
+//            if (fipsEnabled && isOpenJCEPlusFIPSAvailable()) {
+//                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
+//                                                OPENJCE_PLUS_FIPS_NAME);
+//            } else if (fipsEnabled && isIBMJCEPlusFIPSAvailable()) {
+//                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
+//                                                IBMJCE_PLUS_FIPS_NAME);
+//            } else if (isOpenJCEPlusAvailable()) {
+//                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA,
+//                                                OPENJCE_PLUS_NAME);
+//            } else if (isIBMJCEAvailable()) {
+//                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA,
+//                                                IBMJCE_NAME);
+//            } else {
+//                md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA);
+//            }
+
+            if (fipsEnabled) {
+                if (isSemeruFips()) {
+                    md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
+                                                    OPENJCE_PLUS_FIPS_NAME);
+                } else {
+                    md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA256,
+                                                    IBMJCE_PLUS_FIPS_NAME);
+                }
             } else if (isOpenJCEPlusAvailable()) {
                 md1 = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA,
                                                 OPENJCE_PLUS_NAME);

dev/com.ibm.ws.security.token.ltpa/src/com/ibm/ws/security/token/ltpa/internal/LTPAToken2.java

@@ -66,22 +66,31 @@ public class LTPAToken2 implements Token, Serializable {
 
     static {
         MessageDigest m1 = null, m2 = null;
-        try {
-            if (fipsEnabled && CryptoUtils.isOpenJCEPlusFIPSAvailable()) {
-                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.OPENJCE_PLUS_FIPS_NAME);
-                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.OPENJCE_PLUS_FIPS_NAME);
-            } else if (fipsEnabled && CryptoUtils.isIBMJCEPlusFIPSAvailable()) {
-                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.IBMJCE_PLUS_FIPS_NAME);
-                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.IBMJCE_PLUS_FIPS_NAME);
-            } else {
-                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA);
-                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA);
-            }
-        } catch (Exception e) {
-            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
-                Tr.event(tc, "Failed to initialize MessageDigest for SHA algorithm: " + e);
-            }
-        }
+//        try {
+//            if (fipsEnabled && CryptoUtils.isOpenJCEPlusFIPSAvailable()) {
+//                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.OPENJCE_PLUS_FIPS_NAME);
+//                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.OPENJCE_PLUS_FIPS_NAME);
+//            } else if (fipsEnabled && CryptoUtils.isIBMJCEPlusFIPSAvailable()) {
+//                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.IBMJCE_PLUS_FIPS_NAME);
+//                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256, CryptoUtils.IBMJCE_PLUS_FIPS_NAME);
+//            } else if (CryptoUtils.isOpenJCEPlusAvailable()) {
+//                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA, CryptoUtils.OPENJCE_PLUS_NAME);
+//                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA, CryptoUtils.OPENJCE_PLUS_NAME);
+//            } else if (CryptoUtils.isIBMJCEAvailable()) {
+//                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA, CryptoUtils.IBMJCE_NAME);
+//                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA, CryptoUtils.IBMJCE_NAME);
+//            } else {
+//                m1 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA);
+//                m2 = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA);
+//            }
+//        } catch (Exception e) {
+//            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
+//                Tr.event(tc, "Error creating digest; " + e);
+//            }
+//        }
+        m1 = CryptoUtils.getMessageDigestForLTPA();
+        m2 = CryptoUtils.getMessageDigestForLTPA();
+
         md1JCE = m1;
         md2JCE = m2;
         lockObj1 = new Object();