[
https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s...
]
Martin Choma commented on ELY-1622:
-----------------------------------
What I am worried about is that on clien side it seems we use custom SSLContext
implementation as well - ConfiguredSSLContextSpi. Correct me if I am wrong please. So we
avoid standard jsse SSLContext enforcement. Otherwise I dont know how it is possible we
get over check "FIPS mode: only SunJSSE KeyManagers may be used" with client
side custom ConfigurationKeyManager implementation.
{code:java|title=SSLContextImpl.java}
// In FIPS mode, require that one of SunJSSE's own keymanagers
// is used. Otherwise, we cannot be sure that only keys from
// the FIPS token are used.
if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) {
return (X509ExtendedKeyManager)km;
} else {
// throw exception, we don't want to silently use the
// dummy keymanager without telling the user.
throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be
used");
}
{code}
No we do not have PKCS#11 keystore on client side test (I will look into it after my
PTO). But we have learned before with OpenSSL issue that pulling private key from PKCS#11
is not possible [1]. If we are pulling this way private key in custom KeyManager
implementation that will be problem as well.
[1]
https://issues.jboss.org/browse/JBEAP-10396?focusedCommentId=13395133&...
BC FIPS with CLI: SunX509 KeyManagerFactory not available
---------------------------------------------------------
Key: ELY-1622
URL:
https://issues.jboss.org/browse/ELY-1622
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.5.1.Final
Reporter: Martin Choma
Assignee: Farah Juma
Priority: Blocker
Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is
enough BC FIPS is used only on client side.
{code:java|titlejboss-cli.log}
11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI:
org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host
'localhost'
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
at
org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
... 8 more
Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException:
SunX509 KeyManagerFactory not available
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
at javax.net.ssl.SSLContext.init(SSLContext.java:282)
at
org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
at
org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
... 10 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not
available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
... 17 more
{code}
When I use non-FIPS java with CLI I can make it work. It does occure also when connecting
to default unsecured port 9990.
When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
I believe problem is I cant configure algorithm for keymanager on client side in
wildfly-config.xml. (At least I don't see how could I do so).
BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)