Fix issue #3104 (#3182)

Reset securerandom.strongAlgorithms

Reorg setup of BouncyCastleFipsProvider

Author: strehle

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/IdentityZoneConfig.java

@@ -1,5 +1,6 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
+import lombok.extern.slf4j.Slf4j;
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning;
@@ -11,10 +12,20 @@
 import java.security.Security;
 
 @Configuration
+@Slf4j
 public class IdentityZoneConfig {
 
     @Bean
     public BouncyCastleFipsProvider setUpBouncyCastle() {
+        // Ensure non blocking random if system property java.security.egd is set
+        if (System.getProperty("java.security.egd", "/random").endsWith("/urandom") &&
+                !Security.getProperty("securerandom.strongAlgorithms").contains("NativePRNGNonBlocking")) {
+            String originalStrongAlgorithm = Security.getProperty("securerandom.strongAlgorithms");
+            log.info("Current securerandom.strongAlgorithms: {}", originalStrongAlgorithm);
+            String newStrongAlgorithm = "NativePRNGNonBlocking:SUN," + originalStrongAlgorithm;
+            log.info("New securerandom.strongAlgorithms: {}", newStrongAlgorithm);
+            Security.setProperty("securerandom.strongAlgorithms", newStrongAlgorithm);
+        }
         BouncyCastleFipsProvider provider = new BouncyCastleFipsProvider();
         Security.addProvider(provider);
         return provider;

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java

@@ -14,12 +14,10 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.cloudfoundry.identity.uaa.saml.SamlKey;
 import org.cloudfoundry.identity.uaa.util.KeyWithCert;
 import org.cloudfoundry.identity.uaa.zone.SamlConfig;
 
-import java.security.Security;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -54,10 +52,6 @@ public SamlKeyManager getKeyManager(SamlConfig config) {
 
     abstract static class BaseSamlKeyManagerImpl implements SamlKeyManager {
 
-        static {
-            Security.addProvider(new BouncyCastleFipsProvider());
-        }
-
         protected List<KeyWithCert> convertList(List<SamlKey> samlKeys) {
             List<KeyWithCert> result = new ArrayList<>();
             for (SamlKey k : samlKeys) {

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java

@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -42,6 +43,7 @@ public SamlRelyingPartyRegistrationRepositoryConfig(@Qualifier("samlEntityID") S
     }
 
     @Autowired
+    @DependsOn({"setUpBouncyCastle"})
     @Bean
     RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(SamlIdentityProviderConfigurator samlIdentityProviderConfigurator) {
         SamlKeyManagerFactory.SamlConfigPropsSamlKeyManagerImpl samlKeyManager = new SamlKeyManagerFactory.SamlConfigPropsSamlKeyManagerImpl(samlConfigProps);