[jboss-jira] [JBoss JIRA] (WFCORE-2907) Regression, Unable to create TLS in FIPS mode

Regression, Unable to create TLS in FIPS mode --------------------------------------------- Key: WFCORE-2907 URL: https://issues.jboss.org/browse/WFCORE-2907 Project: WildFly Core Issue Type: Bug Components: Security Affects Versions: 3.0.0.Beta23 Reporter: Darran Lofthouse Assignee: Darran Lofthouse Priority: Blocker Labels: eap7.1-rfe-failure Fix For: 3.0.0.Beta24 In DR19 there was introduced DelegatingKeyManager [1], which is used by default. That breaks FIPS TLS on Oracle/OpenJDK java, because only JSSE keymanagers are permitted in FIPS mode [2] {code:java|title=SSLContextImpl.java} // In FIPS mode, require that one of SunJSSE's own keymanagers // is used. Otherwise, we cannot be sure that only keys from // the FIPS token are used. if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) { return (X509ExtendedKeyManager)km; } else { // throw exception, we don't want to silently use the // dummy keymanager without telling the user. throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used"); } {code} Note, in my opinion it will be not enough to restrict reload operation only to file-based keystores. From my point of view reload would be also valid operation on PKCS11 module. But more importantly there also exists file based FIPS keystore type - BCFKS (Bouncy Castle FIPS). [1] https://github.com/wildfly/wildfly-core/commit/de41fa268cca32cebb13e21d85... [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u...