[JBoss JIRA] (WFCORE-4007) elytron.KeyStoresTestCase fails on IBM jdk
by Farah Juma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-4007?page=com.atlassian.jira.plugi... ]
Farah Juma resolved WFCORE-4007.
--------------------------------
Fix Version/s: 6.0.0.Alpha6
Resolution: Done
> elytron.KeyStoresTestCase fails on IBM jdk
> ------------------------------------------
>
> Key: WFCORE-4007
> URL: https://issues.jboss.org/browse/WFCORE-4007
> Project: WildFly Core
> Issue Type: Bug
> Components: Security, Test Suite
> Environment: {noformat}
> $ java -version
> java version "1.8.0_171"
> Java(TM) SE Runtime Environment (build 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17))
> IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20180626_390413 (JIT enabled, AOT enabled)
> OpenJ9 - 5cdc604
> OMR - a24bc01
> IBM - 21870d6)
> JCL - 20180619_01 based on Oracle jdk8u171-b11
> $ git rev-parse --short HEAD
> a8059b6232
> {noformat}
> Reporter: Petr Kremensky
> Assignee: Farah Juma
> Fix For: 6.0.0.Alpha6
>
>
> org.wildfly.extension.elytron.KeyStoresTestCase from elytron module of wildfly-core fails on IBM jdk.
> *reproduce*
> {noformat}
> $ mvn test -Dtest=KeyStoresTestCase -pl elytron
> ...
> [INFO] Running org.wildfly.extension.elytron.KeyStoresTestCase
> [ERROR] Tests run: 27, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 23.836 s <<< FAILURE! - in org.wildfly.extension.elytron.KeyStoresTestCase
> [ERROR] testObtainCertificateWithECPublicKey(org.wildfly.extension.elytron.KeyStoresTestCase) Time elapsed: 2.263 s <<< FAILURE!
> java.lang.AssertionError:
> {
> "outcome" : "failed",
> "failure-description" : "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server",
> "rolled-back" : true
> }
> at org.wildfly.extension.elytron.KeyStoresTestCase.assertSuccess(KeyStoresTestCase.java:170)
> at org.wildfly.extension.elytron.KeyStoresTestCase.obtainCertificate(KeyStoresTestCase.java:1043)
> at org.wildfly.extension.elytron.KeyStoresTestCase.testObtainCertificateWithECPublicKey(KeyStoresTestCase.java:1004)
> [ERROR] testObtainCertificateWithKeySize(org.wildfly.extension.elytron.KeyStoresTestCase) Time elapsed: 2.87 s <<< FAILURE!
> java.lang.AssertionError:
> {
> "outcome" : "failed",
> "failure-description" : "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server",
> "rolled-back" : true
> }
> at org.wildfly.extension.elytron.KeyStoresTestCase.assertSuccess(KeyStoresTestCase.java:170)
> at org.wildfly.extension.elytron.KeyStoresTestCase.obtainCertificate(KeyStoresTestCase.java:1043)
> at org.wildfly.extension.elytron.KeyStoresTestCase.testObtainCertificateWithKeySize(KeyStoresTestCase.java:990)
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Failures:
> [ERROR] KeyStoresTestCase.testObtainCertificateWithECPublicKey:1004->obtainCertificate:1043->assertSuccess:170 {
> "outcome" : "failed",
> "failure-description" : "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server",
> "rolled-back" : true
> }
> [ERROR] KeyStoresTestCase.testObtainCertificateWithKeySize:990->obtainCertificate:1043->assertSuccess:170 {
> "outcome" : "failed",
> "failure-description" : "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server",
> "rolled-back" : true
> }
> [INFO]
> [ERROR] Tests run: 27, Failures: 2, Errors: 0, Skipped: 0
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1639) FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
by Martin Choma (JIRA)
Martin Choma created ELY-1639:
---------------------------------
Summary: FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
Key: ELY-1639
URL: https://issues.jboss.org/browse/ELY-1639
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Reporter: Martin Choma
Priority: Blocker
Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception
{code}
14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
... 8 more
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
at javax.net.ssl.SSLContext.init(SSLContext.java:282)
at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
... 10 more
{code}
It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1639) FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1639?page=com.atlassian.jira.plugin.s... ]
Martin Choma reassigned ELY-1639:
---------------------------------
Assignee: Farah Juma
> FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
> -------------------------------------------------------------
>
> Key: ELY-1639
> URL: https://issues.jboss.org/browse/ELY-1639
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
>
> Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception
> {code}
> 14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
> at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
> at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> {code}
> It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s... ]
Martin Choma edited comment on ELY-1622 at 8/13/18 8:28 AM:
------------------------------------------------------------
I have tried PKCS11 on client side with Elytron 1.5.3.Final (it means containing fix). And result is expecting. Using custom keymanager implementation leads to. {{KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used}} So effectively after this fix we are not able to use PKCS11 way on client side with WildFly Elytron Client approach. This is regression. I will create separate issue for this problem and link it with this JIRA wit causes relation.
was (Author: mchoma):
I have tried PKCS11 on client side with Elytron 1.5.3.Final (it means containing fix). And result is expecting. Using custom keymanager implementation leads to. {{KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used}} So effectively we are not able to use PKCS11 way on client side with WildFly Elytron Client approach. I will create separate issue for this problem and link it with this JIRA wit follows up relation.
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Fix For: 1.5.2.Final
>
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s... ]
Martin Choma commented on ELY-1622:
-----------------------------------
I have tried PKCS11 on client side with Elytron 1.5.3.Final (it means containing fix). And result is expecting. Using custom keymanager implementation leads to. {{KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used}} So effectively we are not able to use PKCS11 way on client side with WildFly Elytron Client approach. I will create separate issue for this problem and link it with this JIRA wit follows up relation.
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Fix For: 1.5.2.Final
>
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months