From 8bbe06b5dc9d63344df33e4c2fc7936e3bf283e0 Mon Sep 17 00:00:00 2001
From: strehle <markus.strehle@sap.com>
Date: Sat, 7 Dec 2024 09:16:00 +0100
Subject: [PATCH] Fix issue #3104

Reset securerandom.strongAlgorithms

Reorg setup of BouncyCastleFipsProvider
---
 .../uaa/provider/saml/IdentityZoneConfig.java         | 11 +++++++++++
 .../uaa/provider/saml/SamlKeyManagerFactory.java      |  6 ------
 .../SamlRelyingPartyRegistrationRepositoryConfig.java |  2 ++
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/IdentityZoneConfig.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/IdentityZoneConfig.java
index 634b2fbb5a7..deab425a817 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/IdentityZoneConfig.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/IdentityZoneConfig.java
@@ -1,5 +1,6 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
+import lombok.extern.slf4j.Slf4j;
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning;
@@ -11,10 +12,20 @@
 import java.security.Security;
 
 @Configuration
+@Slf4j
 public class IdentityZoneConfig {
 
     @Bean
     public BouncyCastleFipsProvider setUpBouncyCastle() {
+        // Ensure non blocking random if system property java.security.egd is set
+        if (System.getProperty("java.security.egd", "/random").endsWith("/urandom") &&
+                !Security.getProperty("securerandom.strongAlgorithms").contains("NativePRNGNonBlocking")) {
+            String originalStrongAlgorithm = Security.getProperty("securerandom.strongAlgorithms");
+            log.info("Current securerandom.strongAlgorithms: {}", originalStrongAlgorithm);
+            String newStrongAlgorithm = "NativePRNGNonBlocking:SUN," + originalStrongAlgorithm;
+            log.info("New securerandom.strongAlgorithms: {}", newStrongAlgorithm);
+            Security.setProperty("securerandom.strongAlgorithms", newStrongAlgorithm);
+        }
         BouncyCastleFipsProvider provider = new BouncyCastleFipsProvider();
         Security.addProvider(provider);
         return provider;
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java
index 62a3cc25d18..470847e9c84 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java
@@ -14,12 +14,10 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.cloudfoundry.identity.uaa.saml.SamlKey;
 import org.cloudfoundry.identity.uaa.util.KeyWithCert;
 import org.cloudfoundry.identity.uaa.zone.SamlConfig;
 
-import java.security.Security;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -54,10 +52,6 @@ public SamlKeyManager getKeyManager(SamlConfig config) {
 
     abstract static class BaseSamlKeyManagerImpl implements SamlKeyManager {
 
-        static {
-            Security.addProvider(new BouncyCastleFipsProvider());
-        }
-
         protected List<KeyWithCert> convertList(List<SamlKey> samlKeys) {
             List<KeyWithCert> result = new ArrayList<>();
             for (SamlKey k : samlKeys) {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java
index a2999e239f1..df625693041 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java
@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -42,6 +43,7 @@ public SamlRelyingPartyRegistrationRepositoryConfig(@Qualifier("samlEntityID") S
     }
 
     @Autowired
+    @DependsOn({"setUpBouncyCastle"})
     @Bean
     RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(SamlIdentityProviderConfigurator samlIdentityProviderConfigurator) {
         SamlKeyManagerFactory.SamlConfigPropsSamlKeyManagerImpl samlKeyManager = new SamlKeyManagerFactory.SamlConfigPropsSamlKeyManagerImpl(samlConfigProps);