From 40757e7b4a5e2ec36367411bf8bee6d0a6f41334 Mon Sep 17 00:00:00 2001
From: Francisco Javier Fernandez Gonzalez
Date: Mon, 14 Oct 2024 11:28:41 +0200
Subject: [PATCH] Missing non-compliant algorithms in FIPS mode to filter
---
 .../plugins/oic/OicAlgorithmValidatorFIPS140.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java b/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java
index 9b6f212d..d398c042 100644
--- a/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java
+++ b/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidatorFIPS140.java
@@ -9,7 +9,6 @@
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.crypto.impl.AESCryptoProvider;
 import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
-import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
 import com.nimbusds.jose.crypto.impl.PasswordBasedCryptoProvider;
 import com.nimbusds.jose.crypto.impl.RSACryptoProvider;
 import edu.umd.cs.findbugs.annotations.NonNull;
@@ -39,14 +38,17 @@ public class OicAlgorithmValidatorFIPS140 {
 // Init compliant JWE algorithms
 JWESupportedAlgorithms.addAll(AESCryptoProvider.SUPPORTED_ALGORITHMS);
 JWESupportedAlgorithms.addAll(RSACryptoProvider.SUPPORTED_ALGORITHMS);
+ JWESupportedAlgorithms.addAll(PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS);
 // RSA1_5 is deprecated and not a compliant algorithm.
+ // ECDH seems to use its own key derivation function (ConcatKDF) and so not compliant. Not adding
+ // ECDHCryptoProvider.SUPPORTED_ALGORITHMS
 JWESupportedAlgorithms.remove(JWEAlgorithm.RSA1_5);
- JWESupportedAlgorithms.addAll(ECDHCryptoProvider.SUPPORTED_ALGORITHMS);
- JWESupportedAlgorithms.addAll(PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS);
- // Init complaint EncryptionMethods
+ // Init complaint EncryptionMethods and remove non-compliant algorithms
 supportedEncryptionMethod.addAll(ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
 supportedEncryptionMethod.remove(EncryptionMethod.XC20P);
+ supportedEncryptionMethod.remove(EncryptionMethod.A128CBC_HS256_DEPRECATED);
+ supportedEncryptionMethod.remove(EncryptionMethod.A256CBC_HS512_DEPRECATED);
 }
 /**
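Review bot: Both sets are still built by taking every entry of the Nimbus provider constants (`AESCryptoProvider.SUPPORTED_ALGORITHMS`, `RSACryptoProvider.SUPPORTED_ALGORITHMS`, `PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS`, `ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS`) and then removing known-bad values, so anything a later Nimbus JOSE+JWT release adds to those constants would be accepted in FIPS mode without review. This commit exists because entries were missed that way, so the filter would be safer failing closed: list the approved `JWEAlgorithm` and `EncryptionMethod` values explicitly, or add a unit test that fails when a provider set contains a value nobody has classified (the diffstat shows no test change). If the deny-list stays, say so above the block, e.g. `// Deny-list over Nimbus provider sets: re-check on every nimbus-jose-jwt upgrade`. The new ECDH comment also sits between the RSA1_5 comment and `JWESupportedAlgorithms.remove(JWEAlgorithm.RSA1_5)`, so the remove call reads as if it were about ECDH; move it below that call, and fix `complaint` to `compliant` in the comment line this hunk already rewrites. The enclosing block starts above the hunk, so earlier additions to these sets are not visible here.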