[
https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s...
]
Martin Choma edited comment on ELY-1622 at 8/3/18 4:07 AM:
-----------------------------------------------------------
Thank you Farah for investigation of the problem and pushing it further.
Using custom KeyManager impl. in FIPS mode seems very suspicious to me. Our implementation
is not FIPS certified and keymanager is handling private keys. So I would say this is
"cryptographically significant". Now I would say it is correct we use KeyManager
from jdk when no private key is configured. (But why we need create one then btw.?) I
think problem here is we are using custom implementation KeyManager with no option to
configure BC FIPS one.
Note, I still dont understand why we do not get here jdk error "FIPS mode: only
SunJSSE KeyManagers may be used" [1]. Are we using custom implementation of
SSLContextSpi on client side? . Seems to me yes
(ConfiguredSSLContextSpi,AbstractDelegatingSSLContextSpi)
Note, this is only about client side. Server side use properly KeyManager and SSLContext
from jdk.
CC: [~rlucente-se-jboss] please add yourself as watcher to this issue. Seems discussion
here is getting important.
[1]
https://issues.jboss.org/browse/JBEAP-11447
was (Author: mchoma):
Thank you Farah for investigation of the problem and pushing it further.
Using custom KeyManager impl. in FIPS mode seems very suspicious to me. Our implementation
is not FIPS certified and keymanager is handling private keys. So I would say this is
"cryptographically significant".
Now I would say it is correct we use KeyManager from jdk when no private key is
configured. (But why we need create one then btw.?)
I think problem here is we are using custom implementation KeyManager with no option to
configure BC FIPS one.
Note, I still dont understand why we do not get here jdk error "FIPS mode: only
SunJSSE KeyManagers may be used" [1]. Are we using custom implementation of
SSLContextSpi on client side? . Seems to me yes
(ConfiguredSSLContextSpi,AbstractDelegatingSSLContextSpi)
Note, this is only about client side. Server side use properly KeyManager and SSLContext
from jdk.
[1]
https://issues.jboss.org/browse/JBEAP-11447
CC: [~rlucente-se-jboss] please add yourself as watcher to this issue. Seems discussion
here is getting important.
BC FIPS with CLI: SunX509 KeyManagerFactory not available
---------------------------------------------------------
Key: ELY-1622
URL:
https://issues.jboss.org/browse/ELY-1622
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.5.1.Final
Reporter: Martin Choma
Assignee: Farah Juma
Priority: Blocker
Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is
enough BC FIPS is used only on client side.
{code:java|titlejboss-cli.log}
11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI:
org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host
'localhost'
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
at
org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
... 8 more
Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException:
SunX509 KeyManagerFactory not available
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
at javax.net.ssl.SSLContext.init(SSLContext.java:282)
at
org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
at
org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
... 10 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not
available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
... 17 more
{code}
When I use non-FIPS java with CLI I can make it work. It does occure also when connecting
to default unsecured port 9990.
When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
I believe problem is I cant configure algorithm for keymanager on client side in
wildfly-config.xml. (At least I don't see how could I do so).
BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)