[jboss-jira] [JBoss JIRA] (WFCORE-2907) Regression, Unable to create TLS in FIPS mode
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jun 2 09:05:01 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated WFCORE-2907:
-------------------------------------
Fix Version/s: 3.0.0.Beta24
> Regression, Unable to create TLS in FIPS mode
> ---------------------------------------------
>
> Key: WFCORE-2907
> URL: https://issues.jboss.org/browse/WFCORE-2907
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta23
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: eap7.1-rfe-failure
> Fix For: 3.0.0.Beta24
>
>
> In DR19 there was introduced DelegatingKeyManager [1], which is used by default. That breaks FIPS TLS on Oracle/OpenJDK java, because only JSSE keymanagers are permitted in FIPS mode [2]
> {code:java|title=SSLContextImpl.java}
> // In FIPS mode, require that one of SunJSSE's own keymanagers
> // is used. Otherwise, we cannot be sure that only keys from
> // the FIPS token are used.
> if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) {
> return (X509ExtendedKeyManager)km;
> } else {
> // throw exception, we don't want to silently use the
> // dummy keymanager without telling the user.
> throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used");
> }
> {code}
> Note, in my opinion it will be not enough to restrict reload operation only to file-based keystores. From my point of view reload would be also valid operation on PKCS11 module.
> But more importantly there also exists file based FIPS keystore type - BCFKS (Bouncy Castle FIPS).
> [1] https://github.com/wildfly/wildfly-core/commit/de41fa268cca32cebb13e21d850614802bd8d434
> [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLContextImpl.java#158
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list