Update bouncycastle fips java version to 1.0.2.4

DEVSIX-7962

Author: AnhelinaM

bouncy-castle-fips-adapter/pom.xml

@@ -11,7 +11,7 @@
   <url>https://itextpdf.com/</url>
 
   <properties>
-    <bouncycastleFips.version>1.0.2.3</bouncycastleFips.version>
+    <bouncycastleFips.version>1.0.2.4</bouncycastleFips.version>
     <bouncycastlePkixFips.version>1.0.6</bouncycastlePkixFips.version>
     <sonar.coverage.exclusions>**/*</sonar.coverage.exclusions>
     <sonar.cpd.exclusions>**/*</sonar.cpd.exclusions>

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/BouncyCastleFipsFactory.java

@@ -112,6 +112,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.bouncycastlefips.cms.jcajce.JcaSimpleSignerInfoVerifierBuilderBCFips;
 import com.itextpdf.bouncycastlefips.cms.jcajce.JceKeyAgreeEnvelopedRecipientBCFips;
 import com.itextpdf.bouncycastlefips.cms.jcajce.JceKeyTransEnvelopedRecipientBCFips;
+import com.itextpdf.bouncycastlefips.crypto.fips.FipsUnapprovedOperationErrorBCFips;
 import com.itextpdf.bouncycastlefips.openssl.PEMParserBCFips;
 import com.itextpdf.bouncycastlefips.openssl.jcajce.JcaPEMKeyConverterBCFips;
 import com.itextpdf.bouncycastlefips.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilderBCFips;
@@ -310,6 +311,7 @@ This file is part of the iText (R) project.
 import org.bouncycastle.cms.jcajce.JceKeyAgreeEnvelopedRecipient;
 import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
@@ -1741,7 +1743,11 @@ public byte[] createCipherBytes(X509Certificate x509certificate, byte[] abyte0,
         } catch (NoSuchAlgorithmException ignored) {
             cipher = Cipher.getInstance("RSA", PROVIDER);
         }
-        cipher.init(Cipher.WRAP_MODE, x509certificate.getPublicKey());
+        try {
+            cipher.init(Cipher.WRAP_MODE, x509certificate.getPublicKey());
+        } catch (FipsUnapprovedOperationError e) {
+            throw new FipsUnapprovedOperationErrorBCFips(e);
+        }
         return cipher.wrap(new SecretKeySpec(abyte0, "AES"));
     }
 

bouncy-castle-fips-adapter/src/main/java/com/itextpdf/bouncycastlefips/crypto/fips/FipsUnapprovedOperationErrorBCFips.java

@@ -0,0 +1,92 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2024 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.bouncycastlefips.crypto.fips;
+
+import com.itextpdf.commons.bouncycastle.crypto.fips.AbstractFipsUnapprovedOperationError;
+import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
+
+import java.util.Objects;
+
+/**
+ * Wrapper class for {@link FipsUnapprovedOperationError}.
+ */
+public class FipsUnapprovedOperationErrorBCFips extends AbstractFipsUnapprovedOperationError {
+    private final FipsUnapprovedOperationError error;
+
+    /**
+     * Creates new wrapper instance for {@link FipsUnapprovedOperationError}.
+     *
+     * @param error {@link FipsUnapprovedOperationError} to be wrapped
+     */
+    public FipsUnapprovedOperationErrorBCFips(FipsUnapprovedOperationError error) {
+        this.error = error;
+    }
+
+    /**
+     * Gets actual org.bouncycastle object being wrapped.
+     *
+     * @return wrapped {@link FipsUnapprovedOperationError}.
+     */
+    public FipsUnapprovedOperationError getError() {
+        return error;
+    }
+
+    /**
+     * Indicates whether some other object is "equal to" this one. Compares wrapped objects.
+     */
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        FipsUnapprovedOperationErrorBCFips that = (FipsUnapprovedOperationErrorBCFips) o;
+        return Objects.equals(error, that.error);
+    }
+
+    /**
+     * Returns a hash code value based on the wrapped object.
+     */
+    @Override
+    public int hashCode() {
+        return Objects.hash(error);
+    }
+
+    /**
+     * Delegates {@code toString} method call to the wrapped object.
+     */
+    @Override
+    public String toString() {
+        return error.toString();
+    }
+
+    /**
+     * Delegates {@code getMessage} method call to the wrapped exception.
+     */
+    @Override
+    public String getMessage() {
+        return error.getMessage();
+    }
+}

commons/pom.xml

@@ -12,6 +12,7 @@
 
   <properties>
     <jackson.core.version>2.16.1</jackson.core.version>
+    <sonar.coverage.exclusions>**/com/itextpdf/commons/bouncycastle/**</sonar.coverage.exclusions>
   </properties>
 
   <dependencies>

commons/src/main/java/com/itextpdf/commons/bouncycastle/crypto/fips/AbstractFipsUnapprovedOperationError.java

@@ -0,0 +1,30 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2024 Apryse Group NV
+    Authors: Apryse Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.commons.bouncycastle.crypto.fips;
+
+/**
+ * This class represents the wrapper for FipsUnapprovedOperationError used in bouncy-castle FIPS implementation.
+ * That wrapper provides the ability to switch between bouncy-castle and bouncy-castle FIPS implementations.
+ */
+public abstract class AbstractFipsUnapprovedOperationError extends Error {
+}

kernel/src/test/java/com/itextpdf/kernel/crypto/PdfEncryptingTest.java

@@ -23,6 +23,7 @@ This file is part of the iText (R) project.
 package com.itextpdf.kernel.crypto;
 
 import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.crypto.fips.AbstractFipsUnapprovedOperationError;
 import com.itextpdf.commons.utils.Base64;
 import com.itextpdf.commons.utils.MessageFormatUtil;
 import com.itextpdf.io.font.constants.StandardFonts;
@@ -119,7 +120,13 @@ public void encryptWithPasswordAes256Pdf2() throws IOException, InterruptedExcep
     @Test
     @LogMessages(messages = @LogMessage(messageTemplate = KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT), ignore = true)
     public void encryptWithCertificateAes256Rsa() throws GeneralSecurityException, IOException, InterruptedException {
-        encryptWithCertificate("encryptWithCertificateAes256Rsa.pdf", "SHA256withRSA.crt");
+        if (BouncyCastleFactoryCreator.getFactory().isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate("encryptWithCertificateAes256Rsa.pdf", "SHA256withRSA.crt"));
+        } else {
+            encryptWithCertificate("encryptWithCertificateAes256Rsa.pdf", "SHA256withRSA.crt");
+        }
     }
 
     @Test

kernel/src/test/java/com/itextpdf/kernel/crypto/PdfEncryptionManuallyPortedTest.java

@@ -24,6 +24,7 @@ This file is part of the iText (R) project.
 
 import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
 import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.commons.bouncycastle.crypto.fips.AbstractFipsUnapprovedOperationError;
 import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
 import com.itextpdf.commons.bouncycastle.pkcs.AbstractPKCSException;
 import com.itextpdf.io.font.constants.StandardFonts;
@@ -116,7 +117,13 @@ public void encryptWithCertificateStandard128() throws IOException, InterruptedE
             AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateStandard128.pdf";
         int encryptionType = EncryptionConstants.STANDARD_ENCRYPTION_128;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        }
     }
 
     @Test
@@ -126,7 +133,13 @@ public void encryptWithCertificateStandard40() throws IOException, InterruptedEx
             AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateStandard40.pdf";
         int encryptionType = EncryptionConstants.STANDARD_ENCRYPTION_40;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        }
     }
 
     @Test
@@ -136,7 +149,13 @@ public void encryptWithCertificateStandard128NoCompression() throws IOException,
             GeneralSecurityException, AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateStandard128NoCompression.pdf";
         int encryptionType = EncryptionConstants.STANDARD_ENCRYPTION_128;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        }
     }
 
     @Test
@@ -146,7 +165,13 @@ public void encryptWithCertificateStandard40NoCompression() throws IOException,
             GeneralSecurityException, AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateStandard40NoCompression.pdf";
         int encryptionType = EncryptionConstants.STANDARD_ENCRYPTION_40;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        }
     }
 
     @Test
@@ -156,7 +181,13 @@ public void encryptWithCertificateAes128() throws IOException, InterruptedExcept
             AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateAes128.pdf";
         int encryptionType = EncryptionConstants.ENCRYPTION_AES_128;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        }
     }
 
     @Test
@@ -166,7 +197,13 @@ public void encryptWithCertificateAes256() throws IOException, InterruptedExcept
             AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateAes256.pdf";
         int encryptionType = EncryptionConstants.ENCRYPTION_AES_256;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.DEFAULT_COMPRESSION);
+        }
     }
 
     @Test
@@ -176,7 +213,13 @@ public void encryptWithCertificateAes128NoCompression() throws IOException, Inte
             GeneralSecurityException, AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateAes128NoCompression.pdf";
         int encryptionType = EncryptionConstants.ENCRYPTION_AES_128;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        }
     }
 
     @Test
@@ -186,7 +229,13 @@ public void encryptWithCertificateAes256NoCompression() throws IOException, Inte
             GeneralSecurityException, AbstractPKCSException, AbstractOperatorCreationException {
         String filename = "encryptWithCertificateAes256NoCompression.pdf";
         int encryptionType = EncryptionConstants.ENCRYPTION_AES_256;
-        encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        if (FACTORY.isInApprovedOnlyMode()) {
+            // RSA PKCS1.5 encryption disallowed
+            Assert.assertThrows(AbstractFipsUnapprovedOperationError.class,
+                    () -> encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION));
+        } else {
+            encryptWithCertificate(filename, encryptionType, CompressionConstants.NO_COMPRESSION);
+        }
     }
 
     @Test

sharpenConfiguration.xml

@@ -337,6 +337,10 @@
                 <file path="com/itextpdf/commons/bouncycastle/tsp/ITimeStampToken.java"/>
                 <file path="com/itextpdf/commons/bouncycastle/tsp/ITimeStampTokenGenerator.java"/>
             </fileset>
+            <fileset reason="These classes are used only in Java.">
+                <file path="com/itextpdf/commons/bouncycastle/crypto/fips/AbstractFipsUnapprovedOperationError.java"/>
+                <file path="com/itextpdf/bouncycastlefips/crypto/fips/FipsUnapprovedOperationErrorBCFips.java"/>
+            </fileset>
             <!-- kernel -->
             <file path="com/itextpdf/kernel/pdf/CountOutputStream.java"/>
             <file path="com/itextpdf/kernel/crypto/securityhandler/EncryptionUtils.java"/>