[jboss-jira] [JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available

Martin Choma (JIRA) issues at jboss.org
Fri Aug 3 04:04:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13614374#comment-13614374 ] 

Martin Choma commented on ELY-1622:
-----------------------------------

Thank you, Farah, for investigating the problem and pushing it further.

Using a custom KeyManager implementation in FIPS mode seems very suspicious to me. Our implementation is not FIPS certified and the KeyManager is handling private keys. So I would say this is "cryptographically significant".
Now I would say it is correct that we use the KeyManager from the JDK when no private key is configured. (But why do we need to create one then, btw?)
I think the problem here is that we are using a custom KeyManager implementation with no option to configure the BC FIPS one.

Note, I still don't understand why we do not get the JDK error "FIPS mode: only SunJSSE KeyManagers may be used" [1] here. Are we using a custom implementation of SSLContextSpi on the client side? Seems to me yes (ConfiguredSSLContextSpi, AbstractDelegatingSSLContextSpi).

Note, this is only about the client side. The server side properly uses the KeyManager and SSLContext from the JDK.

[1] https://issues.jboss.org/browse/JBEAP-11447

CC: [~rlucente-se-jboss] please add yourself as a watcher to this issue. It seems the discussion here is getting important.

> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
>                 Key: ELY-1622
>                 URL: https://issues.jboss.org/browse/ELY-1622
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.5.1.Final
>            Reporter: Martin Choma
>            Assignee: Farah Juma
>            Priority: Blocker
>         Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to an EAP server. To reproduce the problem it is enough that BC FIPS is used only on the client side.
> {code:java|title=jboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
>         at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
>         at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
>         at org.jboss.modules.Module.run(Module.java:352)
>         at org.jboss.modules.Module.run(Module.java:320)
>         at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
>         ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
>         at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
>         ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
>         at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
>         ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
>         at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
>         ... 17 more
> {code}
> When I use non-FIPS Java with the CLI I can make it work. It also occurs when connecting to the default unsecured port 9990.
> When I use a BCFKS truststore on the server side, e.g. in 2-way HTTPS communication, it works.
> I believe the problem is that I can't configure the algorithm for the KeyManager on the client side in wildfly-config.xml. (At least I don't see how I could do so.)
> The BC provider does not know the SunX509 algorithm; rather X509, X.509 or PKIX could be used.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
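The stack trace above shows the BCJSSE client calling KeyManagerFactory.getInstance("SunX509") and failing because no registered provider offers that algorithm name. The following Java diagnostic is an added example (not Elytron, BCJSSE or JDK code) that shows what a provider-neutral client should do instead: enumerate the KeyManagerFactory algorithms actually registered in the JVM, then try KeyManagerFactory.getDefaultAlgorithm() (driven by the ssl.KeyManagerFactory.algorithm property in java.security) followed by the PKIX / X.509 / X509 names the issue mentions, falling back to "SunX509" last. The class name KeyManagerAlgorithmCheck and the candidate order are this example's own choices; it assumes the providers have already been registered through java.security as in the reporter's setup.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;

/**
 * Added diagnostic (not Elytron or BC code). Lists every KeyManagerFactory
 * algorithm the registered providers offer, then selects a KeyManagerFactory
 * the way a provider-neutral client should: the configured default first,
 * then the algorithm names BC FIPS knows, and the SunJSSE-only "SunX509"
 * name (the one that fails in the reported trace) only as a last resort.
 */
public class KeyManagerAlgorithmCheck {

    // Candidate algorithms in the order a FIPS-aware client should try them
    // (order is this example's assumption, not an Elytron or BC rule).
    private static final String[] CANDIDATES = {
        KeyManagerFactory.getDefaultAlgorithm(), // ssl.KeyManagerFactory.algorithm from java.security
        "PKIX", "X.509", "X509", "SunX509"
    };

    /** Print "Provider: algorithm" for every KeyManagerFactory service in this JVM. */
    static void listKeyManagerFactories() {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyManagerFactory".equals(s.getType())) {
                    System.out.println(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
    }

    /** Return the first candidate algorithm some registered provider supports, or null. */
    static String firstAvailable() {
        for (String alg : CANDIDATES) {
            try {
                KeyManagerFactory.getInstance(alg);
                return alg;
            } catch (NoSuchAlgorithmException e) {
                // Under BC FIPS only this is what "SunX509" produces.
                System.out.println(alg + " not available: " + e.getMessage());
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        listKeyManagerFactories();
        String alg = firstAvailable();
        if (alg == null) {
            throw new IllegalStateException("no usable KeyManagerFactory algorithm registered");
        }
        // Mirror the "no client private key configured" case from the comment:
        // initialise the factory from an empty key store of the default type
        // (BCFKS when keystore.type is set to it in java.security).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(alg);
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        kmf.init(empty, null);
        System.out.println("Using KeyManagerFactory algorithm " + alg
                + " from provider " + kmf.getProvider().getName()
                + " (" + kmf.getKeyManagers().length + " key manager(s))");
    }
}
```

Run it with the same java.security, -Djava.security.properties and module path as jboss-cli.sh so the provider list matches the CLI's. It only checks which KeyManagerFactory algorithms resolve; it does not exercise SSLContext.init, so it says nothing about the "FIPS mode: only SunJSSE KeyManagers may be used" rejection discussed in the comment, which comes from the SunJSSE SSLContextSpi rather than from KeyManagerFactory lookup.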

