Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1998

IllegalStateException: unable to create JcaTlsCrypto: DEFAULT SecureRandom not available when configuring BC FIPS on JDK 11

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • None
    • None
    • SSL
    • None

    Description

      The below steps require ELY-1982 bugfix to work.

      Configure security providers in java.security file:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=SUN

      Add the bc-fips.jar and bctls-fips-1.0.10.jar to the CLASSPATH and generate keystore in JBOSS_HOME/standalone/configuration folder:

      keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "fips.keystore" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $CLASSPATH -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v

      Try to configure `server-ssl-context`:

      module add --name=org.bouncycastle.fips --resources=/path/to/bc-fips-1.0.2.jar:/path/to/bctls-fips-1.0.10.jar

/subsystem=elytron/provider-loader=bc:add(module=org.bouncycastle.fips)

/subsystem=elytron/key-store=fipsKS:add(path=fips.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=password}, type="BCFKS", providers=bc)

/subsystem=elytron/key-manager=fipsKM:add(key-store=fipsKS, algorithm="X509", credential-reference={clear-text=password}, providers=bc)

/subsystem=elytron/server-ssl-context=fipsSSC:add(key-manager=fipsKM, protocols=["TLSv1.2"], providers=bc)

      The last command results in:

      {
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.fipsSSC" => "Failed to start service
    Caused by: java.lang.IllegalStateException: unable to create JcaTlsCrypto: DEFAULT SecureRandom not available
    Caused by: java.security.NoSuchAlgorithmException: DEFAULT SecureRandom not available"}},
    "rolled-back" => true
}

      The exception is happening on this line . This exception can be avoided by either using new SecureRandom() instead of null during initialization of sslContext, or by configuring securerandom with using CryptoServicesRegistrar.setSecureRandom(new SecureRandom()); in code beforehand (this would require bc dependency).

      I tried to configure secure random statically by setting securerandom.strongAlgorithms=DEFAULT:BCFIPS in java.security or by trying to pass secure random as parameter to constructor with 

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider "C:DEFRND[SHA512];ENABLE{ALL};"

      but neither had any effect. I did not find how to configure this statically for Java 11 in BC documentation.

      We could pass new instance of SecureRandom when initializing sslContext (if bouncycastle is used), or set secureRandom beforehand, or catch this exception and then use `new SecureRandom()`. But should we force the users to use SecureRandom set in the code by us? If users want to use Bouncycastle they should configure the secure random themselves since it is needed by the provider?

      Attachments

        Activity

          People

            dvilkola@redhat.com Diana Krepinska
            dvilkola@redhat.com Diana Krepinska
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: