[JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on ELY-1622:
---------------------------------------
All the ConfiguredSSLContextSpi is is a wrapper around a real SSLContext so the validation will still be performed.
The reason we use a wrapper is so we can ensure protocols and cipher suites can be configured from a central location rather than relying on each caller of the SSLContext APIs to control those independently.
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s... ]
Martin Choma commented on ELY-1622:
-----------------------------------
What I am worried about is that on clien side it seems we use custom SSLContext implementation as well - ConfiguredSSLContextSpi. Correct me if I am wrong please. So we avoid standard jsse SSLContext enforcement. Otherwise I dont know how it is possible we get over check "FIPS mode: only SunJSSE KeyManagers may be used" with client side custom ConfigurationKeyManager implementation.
{code:java|title=SSLContextImpl.java}
// In FIPS mode, require that one of SunJSSE's own keymanagers
// is used. Otherwise, we cannot be sure that only keys from
// the FIPS token are used.
if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) {
return (X509ExtendedKeyManager)km;
} else {
// throw exception, we don't want to silently use the
// dummy keymanager without telling the user.
throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used");
}
{code}
No we do not have PKCS#11 keystore on client side test (I will look into it after my PTO). But we have learned before with OpenSSL issue that pulling private key from PKCS#11 is not possible [1]. If we are pulling this way private key in custom KeyManager implementation that will be problem as well.
[1] https://issues.jboss.org/browse/JBEAP-10396?focusedCommentId=13395133&pag...
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (DROOLS-2765) [DMN Designer] Exception in read only session
by Michael Anstis (JIRA)
[ https://issues.jboss.org/browse/DROOLS-2765?page=com.atlassian.jira.plugi... ]
Michael Anstis commented on DROOLS-2765:
----------------------------------------
[~jomarko] I followed the steps to reproduce with {{drools-wb-webapp}} (and PR https://github.com/kiegroup/kie-wb-common/pull/2003 built into {{kie-wb-common}}) and everything works as expected . Let's wait for the WAR before retesting...
> [DMN Designer] Exception in read only session
> ---------------------------------------------
>
> Key: DROOLS-2765
> URL: https://issues.jboss.org/browse/DROOLS-2765
> Project: Drools
> Issue Type: Bug
> Components: DMN Editor
> Affects Versions: 7.9.0.Final
> Reporter: Jozef Marko
> Assignee: Michael Anstis
> Labels: drools-tools
> Attachments: Screenshot from 2018-07-19 13-32-53.png
>
>
> There occurs a {{JavaScriptException}} if user enters a read only session during an expression editor is shown.
> h3. Acceptance test
> # Prepare 3 files, each having multiple versions stored
> # Open first, do not changes
> # Open second (don't close first by close button, just hide), do some changes do not close
> # Open third (don't close first and second by close button, just hide), do changes and save, swith to older version, do not restore
> # Switch to second file, select older version, restore
> # Switch to first, select older version, do not restore, select again the latest
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (DROOLS-2829) [DMN Designer] Expression header cell is not updated from properties panel
by Michael Anstis (JIRA)
[ https://issues.jboss.org/browse/DROOLS-2829?page=com.atlassian.jira.plugi... ]
Michael Anstis commented on DROOLS-2829:
----------------------------------------
[~jomarko] I cannot replicate with {{drools-wb-webapp}}. Let's wait for the WAR.....
> [DMN Designer] Expression header cell is not updated from properties panel
> --------------------------------------------------------------------------
>
> Key: DROOLS-2829
> URL: https://issues.jboss.org/browse/DROOLS-2829
> Project: Drools
> Issue Type: Bug
> Components: DMN Editor
> Affects Versions: 7.10.0.Final
> Reporter: Jozef Marko
> Assignee: Michael Anstis
> Priority: Optional
> Labels: drools-tools
>
> Decision and BKM elements holds some expression inside. This expression can be edited via expression grid editor. The expression grid editor shows the name of the parent element in its header cell. The problem is that this header cell is not updated if the element name is updated form the properties panel while expression grid editor is opened.
> Spotted during DROOLS-2755 review. Not sure if it is related.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on ELY-1622:
---------------------------------------
I think the change suggested by [~fjuma] does make sense here, the underlying problem is that we initialise an SSLContext with one so it falls back to the default initialisation.
At this stage I don't think we do need to be worried about the KeyStore implementation from the "cryptographicaly significant" perspective - initialisation of the SSLContext is a location that already contains FIPS enforcement and they have already undertaken the exercise of identifying which of these components must be from a certified provider and which are not required to be.
But related to this, do we have PKCS#11 tests for client side where the client is using a key and certificate from a PKCS#11 KeyStore? I am suspicious as to if we can even pull the entry from the KeyStore to the custom impl in this way - that in itself may justify adding support for a directly configured KeyManager to wrap the KeyStore directly.
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months