fix: [Connectivity] Change (almost) all JKS usage to PKCS12

cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/KeyStoreReader.java

@@ -53,7 +53,7 @@ static KeyStore createKeyStore(
             Try.of(() -> loadCertificates(certReader)).getOrElseThrow(e -> new DestinationAccessException(MSG_CERT, e));
         final PrivateKey privateKey =
             Try.of(() -> loadKey(keyReader, password)).getOrElseThrow(e -> new DestinationAccessException(MSG_KEY, e));
-        final KeyStore keyStore = KeyStore.getInstance("JKS");
+        final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
         keyStore.load(null);
         keyStore.setKeyEntry(alias, privateKey, password, clientCertificates);
         return keyStore;
@@ -65,7 +65,7 @@ static Certificate[] loadCertificates( @Nonnull final Reader certReader )
             IOException
     {
         final List<Certificate> certs = new ArrayList<>();
-        final CertificateFactory factory = CertificateFactory.getInstance("X509");
+        final CertificateFactory factory = CertificateFactory.getInstance("X.509");
 
         try( PEMParser pemParser = new PEMParser(certReader) ) {
             PemObject object;

cloudplatform/cloudplatform-connectivity/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestinationTest.java

@@ -155,11 +155,11 @@ void testEqualsWithKeyStore()
         final KeyPair keyPair = DestinationKeyStoreComparatorTest.generateKeyPair();
         final Certificate cert = DestinationKeyStoreComparatorTest.generateCertificate(keyPair, "a");
 
-        final KeyStore keystore1 = KeyStore.getInstance("JKS");
+        final KeyStore keystore1 = KeyStore.getInstance(KeyStore.getDefaultType());
         keystore1.load(null);
         keystore1.setKeyEntry("a", keyPair.getPrivate(), new char[0], new Certificate[] { cert });
 
-        final KeyStore keystore2 = KeyStore.getInstance("JKS");
+        final KeyStore keystore2 = KeyStore.getInstance(KeyStore.getDefaultType());
         keystore2.load(null);
         keystore2.setKeyEntry("a", keyPair.getPrivate(), new char[0], new Certificate[] { cert });
 
@@ -171,7 +171,7 @@ void testEqualsWithKeyStore()
         assertThat(dest1).hasSameHashCodeAs(dest2);
 
         // check for destination with empty key-store
-        final KeyStore keystore3 = KeyStore.getInstance("JKS");
+        final KeyStore keystore3 = KeyStore.getInstance(KeyStore.getDefaultType());
         keystore3.load(null);
 
         final DefaultHttpDestination dest3 = DefaultHttpDestination.builder(VALID_URI).keyStore(keystore3).build();

cloudplatform/connectivity-apache-httpclient4/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/ClientCertificateAuthenticationLocalTest.java

@@ -39,7 +39,7 @@
 class ClientCertificateAuthenticationLocalTest
 {
     private static final String CCA_PASSWORD = "cca-password";
-    private static final String JKS_PATH =
+    private static final String PKCS_PATH =
         "src/test/resources/" + ClientCertificateAuthenticationLocalTest.class.getSimpleName() + "/client-cert.pkcs12";
 
     @BeforeEach
@@ -127,9 +127,9 @@ private static WireMockConfiguration buildWireMockConfiguration()
             .httpDisabled(true)
             .dynamicHttpsPort()
             .needClientAuth(true)
-            .trustStorePath(JKS_PATH)
+            .trustStorePath(PKCS_PATH)
             .trustStorePassword(CCA_PASSWORD)
-            .trustStoreType("JKS");
+            .trustStoreType("PKCS12");
     }
 
     private static KeyStore getClientKeyStore()
@@ -139,7 +139,7 @@ private static KeyStore getClientKeyStore()
             NoSuchAlgorithmException
     {
         final KeyStore keyStore = KeyStore.getInstance("PKCS12");
-        keyStore.load(new FileInputStream(JKS_PATH), CCA_PASSWORD.toCharArray());
+        keyStore.load(new FileInputStream(PKCS_PATH), CCA_PASSWORD.toCharArray());
         return keyStore;
     }
 }

cloudplatform/connectivity-apache-httpclient4/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/KeyStoreReaderTest.java

@@ -31,7 +31,7 @@ void testPem()
         final FileReader certs = new FileReader(CRT_PATH), key = new FileReader(KEY_PATH);
         final KeyStore createdKeystore = createKeyStore(ALIAS, PASS, certs, key);
 
-        assertThat(createdKeystore.getType()).isEqualTo("JKS");
+        assertThat(createdKeystore.getType()).isEqualTo(KeyStore.getDefaultType());
         assertThat(createdKeystore.getProvider()).isNotNull();
 
         assertThat(createdKeystore.getCertificateChain(ALIAS)).hasSize(1);

cloudplatform/connectivity-fips-sample/pom.xml

@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
+		<artifactId>cloudplatform-parent</artifactId>
+		<version>5.31.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>connectivity-fips-sample</artifactId>
+	<name>Connectivity - FIPS Sample</name>
+	<description>Non-released sample module that runs connectivity tests under the FIPS-approved Bouncy Castle provider.</description>
+	<url>https://sap.github.io/cloud-sdk/docs/java/getting-started</url>
+	<organization>
+		<name>SAP SE</name>
+		<url>https://www.sap.com</url>
+	</organization>
+	<licenses>
+		<license>
+			<name>The Apache Software License, Version 2.0</name>
+			<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+		</license>
+	</licenses>
+	<developers>
+		<developer>
+			<name>SAP</name>
+			<email>cloudsdk@sap.com</email>
+			<organization>SAP SE</organization>
+			<organizationUrl>https://www.sap.com</organizationUrl>
+		</developer>
+	</developers>
+	<properties>
+		<bc-fips.version>2.1.2</bc-fips.version>
+		<bcpkix-fips.version>2.1.9</bcpkix-fips.version>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
+			<artifactId>cloudplatform-connectivity</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.bouncycastle</groupId>
+					<artifactId>bcprov-jdk18on</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.bouncycastle</groupId>
+					<artifactId>bcpkix-jdk18on</artifactId>
+				</exclusion>
+			</exclusions>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bc-fips</artifactId>
+			<version>${bc-fips.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-fips</artifactId>
+			<version>${bcpkix-fips.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-api</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.assertj</groupId>
+			<artifactId>assertj-core</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<configuration>
+					<argLine>${argLine} -Dorg.bouncycastle.fips.approved_only=true
+					</argLine>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-dependency-plugin</artifactId>
+				<configuration>
+					<ignoredUnusedDeclaredDependencies combine.children="append">
+						<ignoredUnusedDeclaredDependency>org.bouncycastle:bc-fips</ignoredUnusedDeclaredDependency>
+						<ignoredUnusedDeclaredDependency>org.bouncycastle:bcpkix-fips</ignoredUnusedDeclaredDependency>
+						<ignoredUnusedDeclaredDependency>com.sap.cloud.sdk.cloudplatform:cloudplatform-connectivity</ignoredUnusedDeclaredDependency>
+					</ignoredUnusedDeclaredDependencies>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-checkstyle-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-pmd-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<id>release</id>
+			<activation>
+				<property><name>release</name></property>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.sonatype.central</groupId>
+						<artifactId>central-publishing-maven-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>injected-central-publishing</id>
+								<phase />
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+</project>

cloudplatform/connectivity-fips-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java

@@ -0,0 +1,78 @@
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.io.FileReader;
+import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import lombok.SneakyThrows;
+
+/**
+ * Tests the behavior of {@link KeyStoreReader} when operating in FIPS-approved mode with BouncyCastle FIPS provider.
+ */
+class FipsProviderTest
+{
+    private static final String RES = "src/test/resources/certificates";
+    private static final String CRT_PATH = RES + "/client-cert.crt";
+    private static final String KEY_PATH = RES + "/client-cert.key";
+    private static final String ALIAS = "client-cert";
+    private static final char[] EMPTY_PASSWORD = new char[0];
+
+    @AfterAll
+    static void removeBouncyCastleFips()
+    {
+        Security.removeProvider("BCFIPS");
+    }
+
+    @BeforeAll
+    static void registerBouncyCastleFips()
+    {
+        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
+
+        assertThat(Security.getProvider("BCFIPS"))
+            .describedAs("BC FIPS provider must be registered as a JCA provider")
+            .isNotNull();
+
+        assertThat(CryptoServicesRegistrar.isInApprovedOnlyMode())
+            .describedAs("BC FIPS must be in approved-only mode. ")
+            .isTrue();
+    }
+
+    @Test
+    @SneakyThrows
+    void testDefaultKeystoreTypeIsP12()
+    {
+        final KeyStore keyStore =
+            KeyStoreReader.createKeyStore(ALIAS, EMPTY_PASSWORD, new FileReader(CRT_PATH), new FileReader(KEY_PATH));
+
+        assertThat(keyStore.getType()).isEqualToIgnoringCase("PKCS12");
+    }
+
+    @Test
+    @SneakyThrows
+    void testKeystoreTypeOverrideToBCFKS()
+    {
+        Security.setProperty("keystore.type", "BCFKS");
+
+        final KeyStore keyStore = KeyStore.getInstance("BCFKS");
+        assertThat(keyStore.getType()).isEqualTo("BCFKS");
+    }
+
+    @Test
+    void testMD5IsRejectedInApprovedOnlyMode()
+    {
+        assertThatThrownBy(() -> MessageDigest.getInstance("MD5", "BCFIPS"))
+            .isInstanceOf(NoSuchAlgorithmException.class);
+
+    }
+}

cloudplatform/connectivity-fips-sample/src/test/resources/README.md

@@ -0,0 +1,18 @@
+# Credentials
+
+The credential files are required for running the FIPS provider tests.
+
+## Generate Client Credentials
+
+Run the following commands from `cloudplatform/connectivity-fips-sample/src/test/resources/`:
+
+```bash
+# Create the directory
+mkdir -p certificates
+
+# Generate the key and certificate using Docker (alpine/openssl)
+docker run --rm -v "$(pwd)/certificates:/certs" alpine/openssl \
+ req -x509 -newkey rsa:2048 -nodes \
+ -keyout /certs/client-cert.key \
+ -out /certs/client-cert.crt \
+ -days 3650 -subj "/CN=localhost"

cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUBERZ7w9qG2je5O6o+Nn+ssaZYOQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYwODEzMjQzNVoXDTM2MDYw
+NTEzMjQzNVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsXImnalCNo7Jk4EyD1aqWJgrzVXYALVKm8kq5E+azFpv
+3XB8QQBUXfJJNdkY1uNni6cd+twTzAhdBK+ygTsBkDbMz/r0oniLlLmGTG7L5aCW
+asYVa+HTesi0EunlGDzFbRSuwy/IdfvK2uaU0VeGoyt7Zr0OWg72mPwGPQRvPcEI
+ZljEkgajhiHeEGM9hlCTZnpx9Aye3C/4yek4734QK+ZYqvW/1mYJ08EwDudQUy8n
+rrXhAg7/ppS9v2480fAGI7WonRt4y+sAlaET8YkxNXCRPygwTDaGfQ/yjvXfK37B
+yiEl8qDMFU/WVjEBlet8wLT2/A7qxzjow0UWtsPWWQIDAQABo1MwUTAdBgNVHQ4E
+FgQUEfT0MvVXq56A21bschMDKdUqg7UwHwYDVR0jBBgwFoAUEfT0MvVXq56A21bs
+chMDKdUqg7UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQI0R
+I+x9f2zfQThxkRsF5NoQCqgtaGckcsqk1ADcDLqQWck/j9CE3xMLPYcDKgwURG5s
+/yHUJhv+9/S2uQ/0Xl32GF8fl45av3yUz1aPW6T1JsHWD6/thUtoxvuZr5W1rn/1
+UdYvVnNutLGp1PQWbjxmdH2sZwmDZ/2ovKNCEwnmzOi3Jft7xnu94SyTZqVYnJt0
+rQw5NwrjxspPsJQx/2Rd7EEeg4b/LQEQrEIhchNPzGyLK14mF4nk/ImZ5unkNePt
+kgy6ysoQWHBf+N+184c9B3+qFZAItWOGvBx9z0jS9eQELWT7MBsJ4s2Lufku73kn
+V2gbQ/izbQlQpKduuw==
+-----END CERTIFICATE-----

cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxciadqUI2jsmT
+gTIPVqpYmCvNVdgAtUqbySrkT5rMWm/dcHxBAFRd8kk12RjW42eLpx363BPMCF0E
+r7KBOwGQNszP+vSieIuUuYZMbsvloJZqxhVr4dN6yLQS6eUYPMVtFK7DL8h1+8ra
+5pTRV4ajK3tmvQ5aDvaY/AY9BG89wQhmWMSSBqOGId4QYz2GUJNmenH0DJ7cL/jJ
+6TjvfhAr5liq9b/WZgnTwTAO51BTLyeuteECDv+mlL2/bjzR8AYjtaidG3jL6wCV
+oRPxiTE1cJE/KDBMNoZ9D/KO9d8rfsHKISXyoMwVT9ZWMQGV63zAtPb8DurHOOjD
+RRa2w9ZZAgMBAAECggEAA0Y7+C97YqOtNzpBwOQJ2KtWLj/Qmz1n1wrAmTNELqks
+j0WCxXWgGOuzoM6/ape0/XAOruZeEdHFsE8drXd38T/8SjTd9sbgAdU6k9vSNLaL
+Oq/VDVyUGRvtrBECLTmnMFAauXdUQk5se9rtZr+FYyrA6DBs518x+w4Lf2y+22uA
+lj5MD+rXxwGPz3doVmNNfX3pxrswuwD3yAu4E9A3vFSth1OF/4Li4Y2rFVLUELtw
+8halPQAlBu2lmawCD8J68cUCIzlVu9OBPtinrjGxuAvj6lhEmkuakwvkSxFeOZwB
+ZvtC0RIGM6mOzwqTWy1dJ35Le3f2qLYT3tO7zIguUQKBgQDdyV8nyu3Y1odRA/Rd
+y36Xidm7YySwnyF/GZMVM0Cm2iKFGoo0Ym0gK6HdLPr5dxQlziXwJXh2dROt43//
+ABuHRQLyRAi79aGJS7Zehk0NSqxzNcPevXNELGI9TQkm0T0UQZu2Mbq0ciQGKBxu
+WNvsshzzr2UQ8RVRJdZA1De3BwKBgQDM0bWqtCK8Lp1XfF6LhY0kDiXOs/uFD0FB
+ToBzbbZPPII7tpVRy9jLXO2DXEwCj3AsdIwhxAWYWUy75J9EpI41JmY+D4SQRzTq
+y6GiwHcmFr0RtYZpSdmnpWVPTbWwqoH1KCJEyA8sKrOd0BSh06EiFKM8yYjxHs2q
+VYsRqmJPnwKBgQDFwlpDvDHLCLdN6Q3LWLk/XF62NRgxGSOgFmjNHY9Hd/gR4XFc
+dmtBpUZGVmZPbPudHi077d11Gr36boHiGfFx83pGFZ4II2TvbIBn1q777BrK/CT0
+Bs+x+TV73aYMY8RnvHygv8TwQ1qV1sxLJJatfsBMFZgzvBQ68FcUJWasnwKBgQCk
+An2lfu+dnvoxdw7CTKQzrfyKY8dRymBnqjPjuoPVOU/T/yXcxQ4J8pTiroLTPgcG
+IiGgXDZaw49VmgILVnXli6UtpwFxAwQVzA/XoqUGZAjsaF6EazWWMDRK56BJIpBE
+PuoKB+VWaa9A/MG4wB10i/AXGg7FffQUpMFi2Pw2YwKBgHRt+tnkw3gvUSWQ4E/z
+/g525QMFP3xTadIT7qzif+LSMqtip3vVbC+sBAJQ+GChNq8MFnr72H/siOwmODS2
+hWaN/7EQCuxo6bzs9QYIgMa5qkBaQIO5RQWsbj8jcUGKXuGTxbWNkR2+tHzLYxeG
+p/Hb2ZSw9PU5Q7fHpaU9wjEo
+-----END PRIVATE KEY-----

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/HttpClient5OAuth2TokenServiceTest.java

@@ -658,7 +658,7 @@ private static <T> HttpClientResponseHandler<T> anyHttpClientResponseHandler()
     private static KeyStore createEmptyKeyStore()
         throws Exception
     {
-        final KeyStore keyStore = KeyStore.getInstance("JKS");
+        final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
         keyStore.load(null, null);
         return keyStore;
     }

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2IntegrationTest.java

@@ -177,7 +177,7 @@ void testIasFlowWithZeroTrustAndSubscriberTenant()
             IOException,
             NoSuchAlgorithmException
     {
-        final KeyStore ks = KeyStore.getInstance("JKS");
+        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
         ks.load(null, null);
         final ClientIdentity identity = new SecurityLibWorkarounds.ZtisClientIdentity("myClientId", () -> ks);