[jboss-jira] [JBoss JIRA] (ELY-1639) FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used

Martin Choma (JIRA) issues at jboss.org
Fri Aug 17 08:44:01 EDT 2018 

    [ https://issues.jboss.org/browse/ELY-1639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620733#comment-13620733 ] 

Martin Choma edited comment on ELY-1639 at 8/17/18 8:43 AM:
------------------------------------------------------------

I can confirm I am able to perform 2-way SSL  handshake in FIPS mode using PKCS11 with {{<key-store-ssl-certificate algorithm="SunX509" key-store-name="keystore"/>}}

But when I try to use alias attribute I get

{code}
14:41:49,973 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
        at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
        at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
        at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
        at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
        at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: ELY01167: Specifying alias is allowed only when used built-in KeyManager
        at file:///home/mchoma/git-repo/tests-security/fips/target/CliClientTestCase/cli-test-wildfly-config-835240841338108754.xml:13:17
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
        ... 14 more
Caused by: org.wildfly.client.config.ConfigXMLParseException: ELY01167: Specifying alias is allowed only when used built-in KeyManager
        at file:///home/mchoma/git-repo/tests-security/fips/target/CliClientTestCase/cli-test-wildfly-config-835240841338108754.xml:13:17
        at org.wildfly.security.auth.client.ElytronXmlParser.parseKeyStoreSslCertificate(ElytronXmlParser.java:750)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseSslContextType(ElytronXmlParser.java:446)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseSslContextsType(ElytronXmlParser.java:402)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:315)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:236)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:197)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
        ... 16 more
{code}




was (Author: mchoma):
I can confirm I am able to perform 2-way SSL  handshake in FIPS mode using PKCS11 with {{<key-store-ssl-certificate algorithm="SunX509" key-store-name="keystore"/>}}

> FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
> -------------------------------------------------------------
>
>                 Key: ELY-1639
>                 URL: https://issues.jboss.org/browse/ELY-1639
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>            Priority: Blocker
>         Attachments: cli-wildfly-config.xml
>
>
> Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception 
> {code}
> 14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
>         at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
>         at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
>         at org.jboss.modules.Module.run(Module.java:352)
>         at org.jboss.modules.Module.run(Module.java:320)
>         at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
>         ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
>         at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
>         ... 8 more
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
>         at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
>         at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
>         at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
>         ... 10 more
>  {code}
> It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list