JiriOndrusek commented on code in PR #6241:
URL: https://github.com/apache/camel-quarkus/pull/6241#discussion_r1668624956
##########
extensions-support/bouncycastle/deployment/src/main/java/org/apache/camel/quarkus/support/bouncycastle/deployment/BouncyCastleSupportProcessor.java:
##########
@@ -54,23 +70,45 @@ ReflectiveClassBuildItem
registerForReflection(CombinedIndexBuildItem combinedIn
return ReflectiveClassBuildItem.builder(dtos).build();
}
- @BuildStep
- IndexDependencyBuildItem registerBCDependencyForIndex() {
- return new IndexDependencyBuildItem("org.bouncycastle",
"bcprov-jdk18on");
- }
-
- @BuildStep
+ @BuildStep(onlyIfNot = FipsProviderConfigured.class)
void
secureRandomConfiguration(BuildProducer<RuntimeReinitializedClassBuildItem>
reinitialized) {
reinitialized.produce(new
RuntimeReinitializedClassBuildItem("java.security.SecureRandom"));
}
- @BuildStep
- @Record(ExecutionTime.STATIC_INIT)
- public void
registerBouncyCastleProvider(List<CipherTransformationBuildItem>
cipherTransformations,
- BouncyCastleRecorder recorder,
- ShutdownContextBuildItem shutdownContextBuildItem) {
- List<String> allCipherTransformations = cipherTransformations.stream()
- .flatMap(c ->
c.getCipherTransformations().stream()).collect(Collectors.toList());
- recorder.registerBouncyCastleProvider(allCipherTransformations,
shutdownContextBuildItem);
+ @BuildStep(onlyIf = FipsProviderConfigured.class)
+ void excludeBc(BuildProducer<ExcludeDependencyBuildItem>
excludeDependencies) {
+ //exclude BC in FIPS environment
+ excludeDependencies.produce(new
ExcludeDependencyBuildItem("org.bouncycastle", "bcpkix-jdk18on"));
+ excludeDependencies.produce(new
ExcludeDependencyBuildItem("org.bouncycastle", "bcbcprov-jdk18on"));
+ excludeDependencies.produce(new
ExcludeDependencyBuildItem("org.bouncycastle", "bcutil-jdk18on"));
+ }
+
+ /**
+ * Indicates whether FIPS provider is registered via quarkus.security.
+ */
+ static final class FipsProviderConfigured implements BooleanSupplier {
+ SecurityConfig securityConfig;
+
+ @Override
+ public boolean getAsBoolean() {
+ return
securityConfig.securityProviders().orElse(Collections.emptySet()).stream()
+ .filter(p ->
p.toLowerCase().contains("fips")).findAny().isPresent();
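Review bot: The second exclusion in `excludeBc` names the artifact `bcbcprov-jdk18on`, which looks like a typo for the `bcprov-jdk18on` artifact that the removed `registerBCDependencyForIndex` step referenced; if so, the exclusion matches nothing and the non-FIPS provider jar would presumably remain a dependency when a FIPS provider is configured. The line should read `ExcludeDependencyBuildItem("org.bouncycastle", "bcprov-jdk18on")`. Separately, `FipsProviderConfigured.getAsBoolean` lower-cases the provider name with the default locale, so on a build host with a Turkish locale `"BCFIPS"` becomes `"bcfıps"`, the `contains("fips")` test fails, and the non-FIPS build steps are silently selected; `p.toLowerCase(Locale.ROOT).contains("fips")` avoids that (it needs `java.util.Locale` in scope). The class body continues outside the hunk.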
Review Comment:
fixed
##########
docs/modules/ROOT/pages/reference/extensions/crypto.adoc:
##########
@@ -45,6 +45,51 @@ ifeval::[{doc-show-user-guide-link} == true]
Check the xref:user-guide/index.adoc[User guide] for more information about
writing Camel Quarkus applications.
endif::[]
+[id="extensions-crypto-usage"]
+== Usage
+[id="extensions-crypto-usage-fips"]
+=== FIPS
+
+When running `crypto` extension on FIPS enabled system the BC-FIPS has to be
utilized.
+
+* Exclude all `bc*` dependencies. Example:
+```
+ <exclusions>
Review Comment:
fixed