[jboss-jira] [JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available
Martin Choma (JIRA)
issues at jboss.org
Fri Aug 3 08:27:01 EDT 2018
[ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13614562#comment-13614562 ]
Martin Choma commented on ELY-1622:
-----------------------------------
You are right.
I have tried to use key-store-ssl-certificate in wildfly-config.xml, which effectively means ConfigurationKeyManager is used in the SSLContext, and it does not complain. It's because the BC TLS ProvSSLContextSpi is used, which does not seem to have such strong enforcement as the Sun SSLContext implementation.
[~rlucente-se-jboss] is it correct to assume that, if the certified BC TLS ProvSSLContextSpi does not prohibit custom key managers, we can use one on the client side?
> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
> Key: ELY-1622
> URL: https://issues.jboss.org/browse/ELY-1622
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to the EAP server. To reproduce the problem it is enough that BC FIPS is used only on the client side.
> {code:java|title=jboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
> at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
> ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
> at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
> ... 17 more
> {code}
> When I use non-FIPS Java with the CLI I can make it work. It also occurs when connecting to the default unsecured port 9990.
> When I use a BCFKS truststore on the server side, e.g. in 2-way HTTP communication, it works.
> I believe the problem is that I can't configure the algorithm for the key manager on the client side in wildfly-config.xml. (At least I don't see how I could do so.)
> The BC provider does not know the SunX509 algorithm; rather, X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
More information about the jboss-jira
mailing list
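The failure in the trace above is a hard-coded KeyManagerFactory algorithm name ("SunX509", the stock JDK default taken from the ssl.KeyManagerFactory.algorithm security property) being requested from a JVM whose providers are BC FIPS only. The check a practitioner wants before blaming the SSLContext is: which KeyManagerFactory names do the installed providers actually offer, and does a fallback list that includes the BC names (PKIX, X509, X.509) resolve? The following is an added probe, not code from Elytron, BouncyCastle or the CLI; the class name KeyManagerFactoryProbe, the method names and the candidate order are this example's own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;

// Added example (not Elytron/BC code): enumerate KeyManagerFactory services and
// resolve the first algorithm name that an installed provider really implements.
public class KeyManagerFactoryProbe {

    /** Every KeyManagerFactory service the installed providers expose, as "ALG (provider)". */
    public static List<String> availableKeyManagerFactories() {
        List<String> result = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyManagerFactory".equals(s.getType())) {
                    result.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return result;
    }

    /**
     * Tries the candidate names in order and returns a factory for the first one that
     * resolves. With a stock JDK this is "SunX509"; with only BC FIPS / BCJSSE installed
     * "SunX509" throws NoSuchAlgorithmException and one of the later names is used.
     */
    public static KeyManagerFactory firstAvailable(String... candidates) throws NoSuchAlgorithmException {
        List<String> tried = new ArrayList<>();
        for (String alg : candidates) {
            try {
                return KeyManagerFactory.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
                tried.add(alg); // not offered by any installed provider; keep going
            }
        }
        throw new NoSuchAlgorithmException("No KeyManagerFactory for any of " + String.join(", ", tried));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Installed KeyManagerFactory services:");
        for (String s : availableKeyManagerFactories()) {
            System.out.println("  " + s);
        }
        // This is the name ProvSSLContextSpi ends up asking for when no KeyManager is supplied;
        // it comes from the ssl.KeyManagerFactory.algorithm property in java.security.
        System.out.println("Default algorithm: " + KeyManagerFactory.getDefaultAlgorithm());

        // Candidate order is an assumption of this example: JDK default first, then the BC names.
        KeyManagerFactory kmf = firstAvailable("SunX509", KeyManagerFactory.getDefaultAlgorithm(),
                "PKIX", "X509", "X.509");
        System.out.println("Resolved: " + kmf.getAlgorithm() + " from provider " + kmf.getProvider().getName());
    }
}
```

Run it once with the normal JDK and once with the FIPS java.security (BC FIPS and BCJSSE listed, Sun providers removed, e.g. via -Djava.security.properties=<fips-java.security>); the first run resolves SunX509 from SunJSSE, the second shows only the BC names and the "Resolved:" line tells you which of them to put in the client configuration instead of relying on the default.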