[keycloak-user] Keycloak FIPS PKI Problems

Christophe Webb cwebb12 at cox.net
Tue Mar 26 11:16:21 EDT 2019


I am running Keycloak in a docker container. We are using PKI as one of the authentication methods for our applications. I followed the instructions for Keycloak (X.509 Client Certificate User Authentication) to set this up, and everything seems to work. Next, we needed to update Keycloak to be FIPS compliant. For this, we are using the Bouncy Castle FIPS provider (bc-fips-1.0.1.jar). I have set up the java.security file to make the Bouncy Castle FIPS provider the default. This all works correctly as well.

However, once I update the java.security file to use "com.sun.net.ssl.internal.ssl.Provider BCFIPS", PKI no longer works. Regular SSL without a client certificate provided works just fine, and we can log in with username and password, but we need PKI.
I have updated the Keycloak standalone.xml with the following:
<server-identities>
   <ssl>
     <keystore provider="BCFKS" path="keystore.bcfks" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="keycloak" key-password="<password>"/>
   </ssl>
</server-identities>
<authentication>
   <truststore provider="BCFKS" path="truststore.bcfks" relative-to="jboss.server.config.dir" keystore-password="<password>"/>
   <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
   <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>

I took the JKS files for the keystore and truststore that I was using before and imported them into BCFKS files using this basic command:
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcstorepass <password> -destkeystore keystore.bcfks -deststoretype BCFKS -deststorepass <password> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/jar/bc-fips-1.0.1.jar

I also updated the JAVA_OPTS to include -Djavax.net.debug=ssl. In the output, I can see that my certificate is provided, and it looks correct.

In the log output after the client certificate is logged, I see the following log statements.

14:38:30,927 INFO [stdout] (default task-1) default task-1, fatal error: 46: General SSLEngine problem
14:38:30,927 INFO [stdout] (default task-1) sun.security.validator.ValidatorException: No trusted certificate found
14:38:30,927 INFO [stdout] (default task-1) %% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
14:38:30,927 INFO [stdout] (default task-1) default task-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
14:38:30,927 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1.2 Alert, length = 2
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeInbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()
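
The following is an added diagnostic written for this thread; it is not code from the original post, from Keycloak or from Bouncy Castle. It opens the converted BCFKS truststore through the BC-FIPS provider, lists which aliases are actually trusted-certificate entries, and runs a plain PKIX validation of the client's certificate chain against them outside of Keycloak/WildFly, so that "No trusted certificate found" can be reproduced (or ruled out) without a TLS handshake in the loop. It assumes bc-fips-1.0.1.jar is on the classpath; the truststore path, store password and the PEM file holding the client chain (leaf first, intermediates after it, no root) are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/*
 * Added diagnostic (not part of Keycloak): load a BCFKS truststore via BC-FIPS,
 * list its trust anchors and PKIX-validate a client chain against them.
 * Usage (hypothetical file names):
 *   java -cp bc-fips-1.0.1.jar:. BcfksTrustCheck truststore.bcfks <password> client-chain.pem
 */
public class BcfksTrustCheck {

    // Open a BCFKS store with the same type/provider pair the standalone.xml config uses.
    static KeyStore loadBcfks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Read a PEM file with the client leaf certificate first, then intermediates.
    // The root must NOT be in this file: PKIX takes the trust anchor from the truststore.
    static List<X509Certificate> loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        return chain;
    }

    // Validate the chain against the trusted-certificate entries of the store.
    // Returns the subject of the anchor that matched, or throws with the PKIX reason.
    static String validateAgainst(KeyStore trust, List<X509Certificate> chain) throws Exception {
        // PKIXParameters(KeyStore) only collects trustedCertEntry aliases and throws
        // InvalidAlgorithmParameterException when the store holds none, so a store
        // that was converted with only key entries fails right here.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // revocation checking is out of scope for this test
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) validator.validate(path, params);
        return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BcfksTrustCheck <truststore.bcfks> <store-password> <client-chain.pem>");
            System.exit(2);
        }
        // Put BC-FIPS at the front of the provider list, mirroring the java.security edit.
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);

        KeyStore trust = loadBcfks(args[0], args[1].toCharArray());
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                System.out.println("trust anchor  " + alias + ": " + c.getSubjectX500Principal());
            } else {
                // keytool -importkeystore copies key entries too; PKIX ignores them.
                System.out.println("key entry     " + alias + " (not a trust anchor)");
            }
        }

        List<X509Certificate> chain = loadChain(args[2]);
        X509Certificate leaf = chain.get(0);
        System.out.println("client leaf   " + leaf.getSubjectX500Principal()
                + " issued by " + leaf.getIssuerX500Principal());
        try {
            System.out.println("VALID, anchored at " + validateAgainst(trust, chain));
        } catch (CertPathValidatorException ex) {
            // Same failure class as the handshake, but with the PKIX reason and the
            // index of the certificate in the path that could not be chained.
            System.out.println("INVALID: " + ex.getMessage()
                    + " (reason=" + ex.getReason() + ", index=" + ex.getIndex() + ")");
        }
    }
}
```

If the listing shows the client's issuer only as a key entry, or not at all, the truststore content is the problem rather than the provider wiring; if the listing is right but validation still fails, the reason and index printed from CertPathValidatorException say which link of the chain PKIX rejected.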
