Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Workaround unknown SecureRandom strong algorithm with OpenJDK17 & RHEL & BCFIPS provider when run in FIPS-enabled environment #40665

Merged
merged 1 commit into from
May 15, 2024
Merged

Workaround unknown SecureRandom strong algorithm with OpenJDK17 & RHEL & BCFIPS provider when run in FIPS-enabled environment #40665

merged 1 commit into from
May 15, 2024

Conversation

michalvavrik
Copy link
Member

@michalvavrik michalvavrik commented May 15, 2024
edited
Loading

fixes: #40659

When run on RHEL8 with Open JDK 17 with BCFIPS provider the SecureRandom strong algorithm is NativePRNGBlocking:SUN,DRBG:SUN, algorithms that are not available.
Keycloak works around that by just initializing default SecureRandom with known strong algorithms (PKCS11:SunPKCS11-NSS-FIPS) and removing them, but that means that when Vert.x loads keystores during the HTTP Server startup (when users can't provide their fixes, before app starts) and org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider#getCoreSecureRandom is invoked while getInstanceStrong throws exception, it leads to initializing org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.CoreSecureRandom#CoreSecureRandom with sun.security.provider.SecureRandom() and following exception is thrown BouncyCastleFipsProvider$CoreSecureRandom (in unnamed module @0x621a387f) cannot access class sun.security.provider.SecureRandom.

I've tried both using reflection to invoke org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider#getDefaultSecureRandom and initialize initialize SecureRandom instance via Java API, but BCFIPS require this strong algorithm later as well. I think we need to keep it in place.

My thinking (AKA selected code lines from KC) is that if NoSuchAlgorithmException is thrown, that won't change until user code is run on app startup (extensions could do something sooner). Which is too late, and if they want to change the strong algorithm, they can change what we set as well.

Tested only in JVM as native mode is not working #37500.

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented May 15, 2024
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit da0a2cd.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@michalvavrik michalvavrik requested a review from sberyozkin May 15, 2024 19:16
sberyozkin
sberyozkin approved these changes May 15, 2024
View reviewed changes
Copy link
Member

@sberyozkin sberyozkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've read the description of the problem in the BC project, this fix/workaround LGTM, same as in Keycloak, thanks @michalvavrik

@sberyozkin sberyozkin merged commit 92eeae9 into quarkusio:main May 15, 2024
31 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.12 - main milestone May 15, 2024
@michalvavrik michalvavrik deleted the feature/bcfipsjsseprovider-fix branch May 15, 2024 22:55
@sberyozkin sberyozkin mentioned this pull request May 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sberyozkin sberyozkin sberyozkin approved these changes

Assignees
No one assigned
Labels
area/security kind/bugfix
Projects
None yet
Milestone
3.12.0.CR1
Development

Successfully merging this pull request may close these issues.

BouncyCastle BCFIPS provider fails with OpenJDK 17 and RHEL8 in FIPS-enabled environment
2 participants
@michalvavrik @sberyozkin