Skip to content

feat: Support for keyrings with ICSF keys #4354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 34 commits into from
Oct 29, 2025
Merged

feat: Support for keyrings with ICSF keys #4354

merged 34 commits into from
Oct 29, 2025

Conversation

@arxioly
Copy link
Contributor

@arxioly arxioly commented Oct 22, 2025
edited by pablocarle
Loading

Description

Linked to #3974

  • Use library jose4j https://github.com/ere-health/jose4j for signing JWTs (PATs, SAF-provider JWTs and LTPA-based JWTs). This library is a pure JCA implementation and works with ICSF hardware keys.
  • Update startup procedure to override java security cryptography providers, including hybrid (default) and IBMJCACCA providers.
  • First steps in attempting to unify libraries used in JWT handling in the project. With this PR there are a total of three libraries still used (JJWT, Jose4j and nimbus JOSE JWT)

Type of change

  • feat: New feature (non-breaking change which adds functionality)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to commit message guideline ## Commit Message Structure Guideline
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

Pablo Carle and others added 22 commits October 10, 2025 12:11
add josejwt
06a1d45 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
update poc
2ced5c9 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
@arxioly
update claims and jws setup
0292adf 
Signed-off-by: Elena Kubantseva <elena.kubantseva@broadcom.com>
wip, compiles using nimbus for parsing and jose4j for signing
c07ce99 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
test for nimbus signing
3461a55 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix test compile issues
c045085 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix checkstyle
ab98725 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix test classpath
cc61763 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix few tests
c1a8a31 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix checkstyle
ab310cd 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix some jwk tests
6daddd8 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix authenticationservice test
04936d2 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
Merge remote-tracking branch 'origin/v3.x.x' into reboot/jwt-hw-poc
e058e96
fix couple test
ccc1d9d 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
@nxhafa
adding custom jvm security provider list
319cfc3 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@nxhafa
update start.sh to override jvm security providers
10e1451 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@nxhafa
temporary disable tests for zaas
09d59d4 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@nxhafa
temporary disable tests for 'publish pax from branch' github action
675e10f 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@arxioly
fix some tests
1f3f10a 
Signed-off-by: Elena Kubantseva <elena.kubantseva@broadcom.com>
@nxhafa
remove temporary change in 'publish snapshot from branch' github action
0860731 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@arxioly
fix last tests
e4b669a 
Signed-off-by: Elena Kubantseva <elena.kubantseva@broadcom.com>
@nxhafa
do not run AcceptanceTests in parallel
32d7aba 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@arxioly
Merge branch 'refs/heads/v3.x.x' into reboot/jwt-hw-poc
6fb3dcf 
# Conflicts:
#	apiml-package/src/main/resources/bin/start.sh
@github-actions github-actions bot added the Sensitive Sensitive change that requires peer review label Oct 22, 2025
arxioly and others added 2 commits October 22, 2025 18:38
@arxioly
restore changes form master
70fd031 
Signed-off-by: Elena Kubantseva <elena.kubantseva@broadcom.com>
@pablocarle
Merge branch 'v3.x.x' into reboot/jwt-hw-poc
0adbb9f
pablocarle
pablocarle reviewed Oct 24, 2025
View reviewed changes
Pablo Carle and others added 8 commits October 24, 2025 16:55
add exception checks
bdbda2d 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
add missing checks
6d11ec1 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix sonar issues
47c69a6 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix unit test
7d1a116 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
move jwtutilstest to apiml security common
de8236a 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
fix couple issues sonar
f4dfd89 
Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
@nxhafa
add env variable for overriding java security providers
afa2d40 
Signed-off-by: nxhafa <nxhafa11@gmail.com>
@pablocarle
Merge branch 'v3.x.x' into reboot/jwt-hw-poc
c7a45e9
@EvaJavornicka EvaJavornicka moved this from New to In Progress in API Mediation Layer Backlog Management Oct 29, 2025
@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
84.6% Coverage on New Code
2.2% Duplication on New Code

See analysis details on SonarQube Cloud

@arxioly arxioly merged commit eeb3ade into v3.x.x Oct 29, 2025
38 checks passed
@arxioly arxioly deleted the reboot/jwt-hw-poc branch October 29, 2025 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nxhafa nxhafa nxhafa left review comments

@pablocarle pablocarle pablocarle approved these changes

Assignees

No one assigned

Labels

Sensitive Sensitive change that requires peer review size/XXL

Projects

API Mediation Layer Backlog Management
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@arxioly @pablocarle @nxhafa