[jboss-jira] [JBoss JIRA] (ELY-1639) FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used

Martin Choma (JIRA) issues at jboss.org
Mon Aug 20 01:10:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13621163#comment-13621163 ] 

Martin Choma commented on ELY-1639:
-----------------------------------

I can confirm I am able to perform 2-way SSL handshake in FIPS mode using PKCS11 with <key-store-ssl-certificate algorithm="SunX509" key-store-name="keystore" alias="alias"/>

But when I try without alias attribute I get 
{code}
06:51:53,993 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
        at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
        at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
        at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
        at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
        at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: ELY02034: Alias must be specified if more than one entry exist in keystore
        at file:///home/mchoma/git-repo/tests-security/fips/target/CliClientTestCase/cli-test-wildfly-config-1967146079974109944.xml:13:17
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
        ... 14 more
Caused by: org.wildfly.client.config.ConfigXMLParseException: ELY02034: Alias must be specified if more than one entry exist in keystore
        at file:///home/mchoma/git-repo/tests-security/fips/target/CliClientTestCase/cli-test-wildfly-config-1967146079974109944.xml:13:17
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseKeyStoreSslCertificate$13(ElytronXmlParser.java:817)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:520)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextRuleType$14(ElytronXmlParser.java:900)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$16(ElytronXmlParser.java:938)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:364)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:239)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:200)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
        ... 16 more
{code}

My PKCS11 keystore contains one private key and one secret key for an external credential store. During the previous precheck it was working ok. So was a new check added? AFAICT it wasn't in ConfigurationKeyManager either. So it is breaking backward compatibility. Could the alias be optional, with choosing the key left to the implementation?

{code}
                        if (keyStore.size() > 1) {
                            throw xmlLog.missingAlias(location);
                        }
{code}

> FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
> -------------------------------------------------------------
>
>                 Key: ELY-1639
>                 URL: https://issues.jboss.org/browse/ELY-1639
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>            Priority: Blocker
>         Attachments: cli-wildfly-config.xml
>
>
> Fix of ELY-1622 introduced a regression. It is not possible to do 1-way SSL (no key-store-ssl-certificate in wildfly-config.xml); it fails with the exception 
> {code}
> 14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
>         at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
>         at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
>         at org.jboss.modules.Module.run(Module.java:352)
>         at org.jboss.modules.Module.run(Module.java:320)
>         at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
>         ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
>         at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
>         ... 8 more
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
>         at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
>         at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
>         at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
>         ... 10 more
>  {code}
> It is because after the fix of ELY-1622 a custom KeyManager is used. But that is forbidden by the JDK in FIPS PKCS11 mode.
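The ELY02034 check quoted above fails on `keyStore.size() > 1`, and the keystore in question holds one private key plus one secret key (for the credential store), so `size()` is 2 even though only one entry can back a client certificate. The program below is an added example, not Elytron or WildFly code, showing the distinction a client-side alias check has to make: enumerate the aliases, keep only `PrivateKeyEntry` entries (secret keys and trusted certificates are not candidates), and treat the alias as mandatory only when more than one private-key entry exists. The class name `ClientKeyAliasCheck`, the aliases `client` and `credstore`, the file `test.jceks` and the `keytool` commands that build it are assumptions for the demonstration; JCEKS is used because it can hold a secret key next to a key pair. For a PKCS11 token the same code loads the keystore with a null stream and the PIN.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/*
 * Added example (not Elytron code). Demonstrates why keyStore.size() is the wrong
 * test for "is the client key ambiguous": a keystore with one private key and one
 * secret key has size() == 2 but exactly one usable client-certificate entry.
 *
 * Constructed test keystore (assumed: keytool on PATH, file name test.jceks):
 *   keytool -genkeypair -keystore test.jceks -storetype JCEKS -alias client \
 *           -keyalg RSA -keysize 2048 -dname CN=client -storepass changeit -keypass changeit
 *   keytool -genseckey  -keystore test.jceks -storetype JCEKS -alias credstore \
 *           -keyalg AES -keysize 128 -storepass changeit -keypass changeit
 *   java ClientKeyAliasCheck test.jceks JCEKS changeit
 *   java ClientKeyAliasCheck test.jceks JCEKS changeit client
 */
public final class ClientKeyAliasCheck {

    /** Aliases that can back a client certificate: private key with a certificate chain. */
    static List<String> privateKeyAliases(KeyStore keyStore) throws GeneralSecurityException {
        List<String> result = new ArrayList<>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // isKeyEntry() is true for SecretKeyEntry as well as PrivateKeyEntry,
            // so the entry type itself is what separates the two.
            if (keyStore.isKeyEntry(alias)
                    && keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                result.add(alias);
            }
        }
        return result;
    }

    /**
     * Decide which key the client presents. The alias is only required when more
     * than one private-key entry exists; secret keys and trusted certs do not count.
     */
    static String chooseClientAlias(KeyStore keyStore, String configuredAlias)
            throws GeneralSecurityException {
        List<String> candidates = privateKeyAliases(keyStore);
        if (configuredAlias != null) {
            if (!candidates.contains(configuredAlias)) {
                throw new GeneralSecurityException(
                        "alias '" + configuredAlias + "' is not a private key entry");
            }
            return configuredAlias;
        }
        if (candidates.isEmpty()) {
            throw new GeneralSecurityException("keystore holds no private key entry");
        }
        if (candidates.size() > 1) {
            throw new GeneralSecurityException("alias must be specified, " + candidates.size()
                    + " private key entries found: " + candidates);
        }
        return candidates.get(0);
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length < 3) {
            System.err.println("usage: ClientKeyAliasCheck <keystore-file|-> <type> <storepass|pin> [alias]");
            System.exit(2);
        }
        KeyStore keyStore = KeyStore.getInstance(args[1]);
        char[] password = args[2].toCharArray();
        if ("PKCS11".equalsIgnoreCase(args[1])) {
            // Hardware or NSS token configured as a SunPKCS11 provider: no file, PIN only.
            keyStore.load(null, password);
        } else {
            try (FileInputStream in = new FileInputStream(args[0])) {
                keyStore.load(in, password);
            }
        }
        String configured = args.length > 3 ? args[3] : null;
        System.out.println("keyStore.size()     = " + keyStore.size());
        System.out.println("private key aliases = " + privateKeyAliases(keyStore));
        System.out.println("chosen client alias = " + chooseClientAlias(keyStore, configured));
    }
}
```

With the two `keytool` commands above, `keyStore.size()` prints 2 while `privateKeyAliases` returns only `[client]`, so `chooseClientAlias` succeeds without an alias; adding a second `-genkeypair` entry is what should make the alias mandatory. Note that the FIPS failure in the issue description is a separate constraint: whatever selects the alias, the `KeyManager` handed to `SSLContext.init` in FIPS mode still has to come from a SunJSSE `KeyManagerFactory`.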



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

