Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BCSecurityProvider doesn't work with BC FIPS #665

Closed
pboyd04 opened this issue Aug 27, 2021 · 5 comments
Closed

BCSecurityProvider doesn't work with BC FIPS #665

pboyd04 opened this issue Aug 27, 2021 · 5 comments

Comments

@pboyd04
Copy link
Contributor

pboyd04 commented Aug 27, 2021
edited
Loading

When using the BC FIPS library the BCSecurityProvider throws an exception related to the fact that BCFIPS doesn't have org.bouncycastle.crypto.Digest. The BCSecurityProvider also doesn't seem to have the code to work around FIPS lacking MD4 functionality.

Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/crypto/Digest
        at com.hierynomus.security.bc.BCMessageDigest.<clinit>(BCMessageDigest.java:32)
        at com.hierynomus.security.bc.BCSecurityProvider.getDigest(BCSecurityProvider.java:33)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.calculatePreauthHashValue(SMBProtocolNegotiator.java:174)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.handlePreAuthNegotiateContext(SMBProtocolNegotiator.java:163)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.initializeNegotiationContext(SMBProtocolNegotiator.java:104)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.negotiateDialect(SMBProtocolNegotiator.java:82)
        at com.hierynomus.smbj.connection.Connection.connect(Connection.java:137)
        at com.hierynomus.smbj.SMBClient.getEstablishedOrConnect(SMBClient.java:108)
        at com.hierynomus.smbj.SMBClient.connect(SMBClient.java:79)
        at com.pboyd.App.main(App.java:50)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.crypto.Digest
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)```
@pboyd04
Copy link
Contributor Author

pboyd04 commented Aug 27, 2021

Resolving this then results in an exception about CipherParameters which BCFIPS also doesn't have....

Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/crypto/CipherParameters
        at com.hierynomus.security.bc.BCSecurityProvider.getMac(BCSecurityProvider.java:45)
        at com.hierynomus.ntlm.functions.NtlmFunctions.hmac_md5(NtlmFunctions.java:121)
        at com.hierynomus.ntlm.functions.NtlmFunctions.NTOWFv2(NtlmFunctions.java:65)
        at com.hierynomus.smbj.auth.NtlmAuthenticator.authenticate(NtlmAuthenticator.java:96)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.processAuthenticationToken(SMBSessionBuilder.java:178)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:141)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:109)
        at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)
        at com.pboyd.App.main(App.java:52)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.crypto.CipherParameters
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)

@rokkakasu
Copy link

Hi @pboyd04 ,

if you are using SMBJ 0.11.1 and JDK 11 and getting this exception then try to add below dependency.

com.hierynomus smbj 0.11.1 org.bouncycastle bcprov-jdk15on org.bouncycastle bcprov-jdk15on 1.65

Thanks,
R Ramarajan.

@rokkakasu
Copy link

<dependency> <groupId>com.hierynomus</groupId> <artifactId>smbj</artifactId> <version>${version.smbj}</version> <exclusions> <!-- Already provided by camel-core --> <exclusion> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> </exclusion> <exclusion> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> <version>1.65</version> </dependency>

@pboyd04
Copy link
Contributor Author

pboyd04 commented Aug 30, 2021

@vrr6, that undoes bouncy castle running in FIPS mode. FIPS is needed for any application purchased or used by the US federal government and BC does provide a FIPS module, but it doesn't have some of the same behavior as the standard BC module (because certain algorithms aren't allowed in this mode and such).

hierynomus pushed a commit that referenced this issue May 8, 2023
@pboyd04 @hierynomus
Fix #665: Allow JCE KDF to work (#666)
f6d8d6d 
* Fix #665: Allow JCE KDF to work

* Add header

* Add KDF unit test
hierynomus added a commit that referenced this issue Jul 3, 2023
@hierynomus @nddipiazza
@ndimitry @pboyd04 @hannosgit @exceptionfactory @cpacejo @kardashov @laeubi
Split off from 0.10.0 without the reworked authentication fixes (#762)
c81367c 
* Ignore VSCode

* Add NtStatus.STATUS_UNSUCCESSFUL

* Add NtStatus.STATUS_INSUFF_SERVER_RESOURCES (#611)

* Add NtStatus.STATUS_IO_REPARSE_TAG_NOT_HANDLED (#514)

* Update gradle build

* Update release plugin

* Release version: 0.11.0

* Fix signing task dependency

* Release version: 0.11.1

* Use BCSecurityProvider by default for SMB3 compatibility (Fixes #638)

* Ensure DFS Path Referral times out after transactTimeout (Fixes #578)

* Only add DFSPathResolver if both client and server support DFS (#640)

* Only add DFSPathResolver if both client and server support DFS

* Fix indentation problems

* Fix incorrectly reformatted javadoc

* Format using java formatter

* One more indentation fix

* Upgrade Bouncy Castle to 1.68 to fix vulnerability report (#641)

* address issue #604 - stop closing the dfs share connection immediately. (#609)

* stop closing the dfs share connection immediately.

* Add explanatory comment

Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>

* Add support for unregistering server from serverlist (Fixes #644) (#647)

* Add support for unregistering server from serverlist (Fixes #644)

* Fix indentation

* Reducing logging for smb3 (#650)

For each smb3 packet there's an info log message which produces a tremendous amount of output.
I would suggest to reduce log level to debug (or trace; similarly as in one of the other packet reciever classes).

* Consolidate SMBv1 error messages

* Upgrade BouncyCastle to 1.69

* Release version: 0.11.2

* Ensure artifact is signed

* Release version: 0.11.3

* Fix #665: Allow JCE KDF to work (#666)

* Fix #665: Allow JCE KDF to work

* Add header

* Add KDF unit test

* Use correct maxPayloadSize for encrypted packets (Fixes #668) (#683)

* Read fileId as long (#693)

* Read fileId of FileIdBothDirectoryInformation into a long
* Read fileId of FileIdFullDirectoryInformation into a long

* File the issue that nested folder creation throw NAME EXIST error. (#685)

* File the issue that nested folder creation throw NAME EXIST error.

* formatting

* Updated build status badges (#684)

- Added GitHub badge for Build SMBJ
- Corrected Codacy badge link
- Removed bintray badge link
- Removed Travis CI badge and configuration
- Removed Java profiler link
- Removed CircleCI configuration
- Removed unused github-ci configuration

* Use AceSize field when reading ACEs (#696)

Fixes issue seen in the wild where unnecessary padding at the end of an ACE
confused Smbj (but not Windows).

* Ensure that enough bytes are cached from InputStream to get a correct bytesLeft count for SMB2Write (fixes #669)

* GzipOutputStream integration test

* Ensure that enough bytes are cached from InputStream to get a correct bytesLeft count for SMB2Write

Co-authored-by: Stanislav Kardashov <skardashov@spins.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>

* Add GH workflow for publishing

* Update dependencies and build file

* Rename test class to *Spec

* Release version: 0.11.5

* Use the hostname part of the TargetHint for DFS step 9 (fixes \#419) (#722)

* Slightly reduce the locking in Connection.send and DirectTcpTransport (fixes \#732)

* Fixed indentation

* Converting bytes written to long (Fixes #740)

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Upgrading gradle to 8.0.2

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Add Implementation manifest attributes (Fixes #743)

* Revert accidental comment of integration docker tasks

* Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncry… (#752)

* Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncryptionSupported (Fixes #747)

* Add test for SMB2EncryptionCapabilities

* Add preliminary changelog for new release

* Ensure we call flip() on Buffer to avoid Java8 problems (Fixes #705)

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Ensure path is set for rmdir to prevent accidents (Fixes #756)

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Add support for reading / writing NIO ByteBuffers (#759)

* Add support for reading / writing NIO ByteBuffers

Currently one can transfer data using streams or array, but it would be
great to have the opportunity to use NIO buffers.

This adds two new method to the File class that accept a NIO ByteBuffer.

* Implemented ByteBuffer write using ByteChunkProvider

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

---------

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Co-authored-by: Christoph Läubrich <christoph@laeubi-soft.de>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>

* Fix some sonatype warnings

* resolve conflict with master

* Ignore non-semver tags for release workflow

* Small warning cleanup

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Setup ConnectionContext and AuthenticationContext for NTLM improvements

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Refactor TargetInfo/AvPairs

* Added null check and rename field

* Refactor NtlmFunctions

* Change hierarchy of Ntlm messages

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Next step of NTLM refactor

* NtlmNegotiate sends Domain/Workstation/Version fields

* Filter negotiateflags and use clientTargetInfo

* Rework keys in NtlmAuthenticator

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Change to structure of NtlmAuthenticate

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

* Added last changes

Required to put withIntegrity = false still, due to missing mechListMIC

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

---------

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Co-authored-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>
Co-authored-by: ndimitry <18209884+ndimitry@users.noreply.github.com>
Co-authored-by: Patrick Boyd <pboyd04@gmail.com>
Co-authored-by: Hannes <65758037+hannosgit@users.noreply.github.com>
Co-authored-by: pyzhou <pyzhou@talend.com>
Co-authored-by: exceptionfactory <exceptionfactory@apache.org>
Co-authored-by: Chris Pacejo <chris@pacejo.net>
Co-authored-by: Stanislav Kardashov <stanislav.kardashov@gmail.com>
Co-authored-by: Stanislav Kardashov <skardashov@spins.com>
Co-authored-by: Christoph Läubrich <mail@laeubi-soft.de>
Co-authored-by: Christoph Läubrich <christoph@laeubi-soft.de>
@SheldonWang3000
Copy link

Hello @pboyd04,

I'm also trying to connect to a fips compliant smb share here. I tried to import bc-fips and saw the same exception you did. I see there is a PR you created about JceSecurityProvider. I tried and it helped to get rid of the exception above. But it still cannot allow me to connect to the smb share. Here is my sample code

Security.addProvider(new BouncyCastleFipsProvider());
System.setProperty("crypto.policy", "limited");

SmbConfig.Builder smbConfig = SmbConfig.builder()
    .withDialects(SMB2Dialect.SMB_3_1_1)
    .withSecurityProvider(new JceSecurityProvider())
    .withEncryptData(true)
    .withSigningRequired(true);

    
SMBClient client = new SMBClient(smbConfig.build());

try (Connection connection = client.connect("<smb address>")) {

  String username = "<ad user>";
  String password = "<password>";
  AuthenticationContext authContext = new AuthenticationContext(username, password.toCharArray(), "<ad domain>");

  // Create session
  Session session = connection.authenticate(authContext);

  DiskShare share = (DiskShare) session.connectShare("smbshare1");

  // Now you can interact with the share
  System.out.println("Connected to share successfully!");

} catch (IOException e) {
  e.printStackTrace();
}

And it always get STATUS_LOGON_FAILURE even though smbclient command works with the same address/user/password. Could you or anyone else here give me any advice about this issue?

Appreciate it!

Sheldon

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pboyd04 @SheldonWang3000 @rokkakasu