WildFly Elytron / ELY-1369

FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.2.0.Beta3
    • Fix Version/s: 1.2.0.Beta11
    • Component/s: HTTP
    • Labels: None

      Description

      Elytron HTTP DIGEST authentication complies with RFC 2617, which means MD5 is used by default (it is hardcoded, with no way to configure another hash algorithm). But MD5 could cause trouble in a FIPS environment [5].

      DigestAuthenticationMechanism.java
              // "algorithm" directive taken from the client's Authorization header;
              // anything other than MD5 is rejected, so no other hash can be negotiated
              String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM));
              if (MD5.equals(algorithm) == false) {
                  throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm);
              }
      

      There is a proposed RFC 7616 which makes the algorithm configurable; work on new DIGEST features is covered by [1]. dlofthouse, is it planned for [1] to target 7.1?

      [1] https://issues.jboss.org/browse/ELY-286
      [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design
      [3] https://tools.ietf.org/html/rfc2617
      [4] https://tools.ietf.org/html/rfc7616
      [5] https://access.redhat.com/support/cases/#/case/01761455
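The following is an added example, not Elytron's code and not part of the issue: a Python implementation of the RFC 7616 Digest response computation with a selectable hash algorithm, plus the kind of policy check a FIPS deployment needs, contrasted with the MD5-only check quoted above. The algorithm-to-hashlib mapping, the FIPS allow-list, the `parse_digest_header`/`verify_authorization` helpers and the sample credentials, nonces and header are all assumptions constructed for the example. Note that an OpenSSL build running in FIPS mode may refuse `md5` at the provider level (Python's `hashlib` then raises `ValueError`), which is the failure the issue describes; the example surfaces that as a clear error rather than a crash.

```python
"""Added example (not Elytron code): RFC 7616 HTTP Digest with a selectable
hash algorithm and a FIPS-style policy. Sample values are constructed."""
import hashlib
import hmac
import re

# RFC 7616 "algorithm" directive tokens -> hashlib names (assumed mapping;
# RFC 2617 only knew MD5 and MD5-sess).
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}

# Hypothetical deployment policy: in FIPS mode only SHA-2 based digests pass.
FIPS_ALLOWED = frozenset({"SHA-256", "SHA-512-256"})

# One directive of the header: key="quoted value" or key=token
_DIRECTIVE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)=(?:"([^"]*)"|([^",\s]*))')


def parse_digest_header(header):
    """Split 'Digest k1="v1", k2=v2, ...' into a dict. A missing 'algorithm'
    directive defaults to MD5, as both RFC 2617 and RFC 7616 require."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    tokens = {}
    for m in _DIRECTIVE.finditer(header[len("Digest "):]):
        tokens[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    tokens.setdefault("algorithm", "MD5")
    return tokens


def _base(algorithm):
    """Strip the RFC 7616 '-sess' suffix so 'SHA-256-sess' maps like 'SHA-256'."""
    return algorithm[:-5] if algorithm.endswith("-sess") else algorithm


def is_algorithm_allowed(algorithm, fips_mode=False):
    """True if the token is known and, in FIPS mode, on the allow-list."""
    base = _base(algorithm)
    return base in ALGORITHMS and (not fips_mode or base in FIPS_ALLOWED)


def select_hash(algorithm, fips_mode=False):
    """Map an algorithm token to a hashlib name, enforcing the policy.
    Unlike the MD5-only check in the quoted Java, any listed algorithm works."""
    if not is_algorithm_allowed(algorithm, fips_mode):
        raise ValueError("unsupported or disallowed digest algorithm: " + algorithm)
    return ALGORITHMS[_base(algorithm)]


def _h(name, *parts):
    """H(a:b:c) as a lowercase hex string."""
    try:
        return hashlib.new(name, ":".join(parts).encode("utf-8")).hexdigest()
    except ValueError as exc:
        # A FIPS-mode OpenSSL can refuse md5 at the provider level; report it.
        raise ValueError("hash %s unavailable under the crypto provider" % name) from exc


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth", fips_mode=False):
    """Compute the Digest 'response' value for qop=auth (RFC 7616, 3.4)."""
    name = select_hash(algorithm, fips_mode)
    ha1 = _h(name, username, realm, password)
    if algorithm.endswith("-sess"):
        ha1 = _h(name, ha1, nonce, cnonce)
    ha2 = _h(name, method, uri)
    return _h(name, ha1, nonce, nc, cnonce, qop, ha2)


def build_authorization(algorithm, username, realm, password, method, uri,
                        nonce, nc, cnonce):
    """Client side: produce the Authorization header for the chosen algorithm."""
    resp = digest_response(algorithm, username, realm, password, method, uri,
                           nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", uri="%s", algorithm=%s, '
            'nonce="%s", nc=%s, cnonce="%s", qop=auth, response="%s"'
            % (username, realm, uri, algorithm, nonce, nc, cnonce, resp))


def verify_authorization(header, method, password, fips_mode=False):
    """Server side: parse the client's header, recompute, compare in constant
    time. Raises ValueError for an unsupported or policy-rejected algorithm."""
    t = parse_digest_header(header)
    expected = digest_response(t["algorithm"], t["username"], t["realm"], password,
                               method, t["uri"], t["nonce"], t["nc"], t["cnonce"],
                               t.get("qop", "auth"), fips_mode)
    return hmac.compare_digest(expected, t["response"])


# Constructed sample exchange (not from the RFC, the issue, or a real server).
SAMPLE = dict(username="alice", realm="example.org", password="correct horse",
              method="GET", uri="/dir/index.html", nonce="n0nc3-constructed",
              nc="00000001", cnonce="cn0nc3-constructed")

if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        hdr = build_authorization(alg, **SAMPLE)
        print(alg, "verifies:", verify_authorization(hdr, "GET", "correct horse"))
    try:
        verify_authorization(build_authorization("MD5", **SAMPLE), "GET",
                             "correct horse", fips_mode=True)
    except ValueError as exc:
        print("FIPS mode:", exc)
```

Run stand-alone it shows both MD5 and SHA-256 exchanges verifying, then the same MD5 header being refused once the FIPS policy is on; the policy decision is kept separate from the hashing so the server can advertise only permitted algorithms in its WWW-Authenticate challenge.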

              People

              Assignee:
              jkalina@redhat.com Jan Kalina (Inactive)
              Reporter:
              jkalina@redhat.com Jan Kalina (Inactive)