validate that only FIPS is used in core RSA algorithm

BrightSpots · Nov 9, 2023 · 56a0f93 · 56a0f93
1 parent 08904cc
commit 56a0f93
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/src/main/java/network/brightspots/rcv/SecuritySignatureValidation.java b/src/main/java/network/brightspots/rcv/SecuritySignatureValidation.java
@@ -174,17 +174,43 @@ private static void ensureSignatureMatches(HartSignature hartSignature, RsaKeyVa
  throw new VerificationDidNotRunException("Invalid Key: " + e.getMessage());
  }
 
- // Canonicalize the XML
+ // Canonicalize the XML before removing providers,
+ // since this uses the XMLDSig provider.
  byte[] canonicalizedBytes = canonicalizeXml(hartSignature.signedInfo);
 
- // Verify the signature
+ // Verify the signature, ensuring FIPS compliance
+ removeNonFipsProvidersAndRunRsa(signature, canonicalizedBytes, signatureBytes);
+ }
+
+ private static void removeNonFipsProvidersAndRunRsa(
+ Signature signature,
+ byte[] canonicalizedBytes,
+ byte[] signatureBytes)
+ throws VerificationDidNotRunException, VerificationSignatureDidNotMatchException {
+ java.security.Provider[] providers = java.security.Security.getProviders();
+
  try {
+ // Step 1: Remove all non-FIPS providers
+ for (java.security.Provider provider : providers) {
+ if (!provider.getName().equals("BCFIPS")) {
+ java.security.Security.removeProvider(provider.getName());
+ }
+ }
+
+ // Step 2: Run the core RSA algorithm
  signature.update(canonicalizedBytes);
  if (!signature.verify(signatureBytes)) {
  throw new VerificationSignatureDidNotMatchException("Signature did not match.");
  }
  } catch (SignatureException e) {
  throw new VerificationDidNotRunException("Signature failure: %s" + e.getMessage());
+ } finally {
+ // Step 3: Replace the non-FIPS providers
+ for (java.security.Provider provider : providers) {
+ if (!provider.getName().equals("BCFIPS")) {
+ java.security.Security.addProvider(provider);
+ }
+ }
  }
  }