  1. JBoss Enterprise Application Platform
  2. JBEAP-11259

Regression in DR19, Unable to create TLS in FIPS mode


      DR19 introduced DelegatingKeyManager [1], which is used by default. That breaks FIPS TLS on Oracle/OpenJDK Java, because only JSSE key managers are permitted in FIPS mode [2].

      SSLContextImpl.java
      	// In FIPS mode, require that one of SunJSSE's own keymanagers
      	// is used. Otherwise, we cannot be sure that only keys from
      	// the FIPS token are used.
      	if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) {
      		return (X509ExtendedKeyManager)km;
      	} else {
      		// throw exception, we don't want to silently use the
      		// dummy keymanager without telling the user.
      		throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used");
      	}
      

      Note: in my opinion it will not be enough to restrict the reload operation to file-based keystores only. From my point of view, reload would also be a valid operation on a PKCS11 module.
      But more importantly, there also exists a file-based FIPS keystore type: BCFKS (Bouncy Castle FIPS).

      [1] https://github.com/wildfly/wildfly-core/commit/de41fa268cca32cebb13e21d850614802bd8d434
      [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLContextImpl.java#158

            darran.lofthouse@redhat.com Darran Lofthouse
            mchoma@redhat.com Martin Choma
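The type check quoted from SSLContextImpl.java can be reproduced outside FIPS mode to see why a delegating wrapper is rejected. This is an added example, not code from the issue or from WildFly: `ReloadableKeyManager` and `passesSunJsseFipsCheck` are hypothetical names, the check compares class names because the `sun.security.ssl` types are JDK-internal, and it assumes an Oracle/OpenJDK runtime that provides the `SunX509` and `PKIX` KeyManagerFactory algorithms.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

public class FipsKeyManagerCheck {
    // Hypothetical reloadable wrapper for illustration; not WildFly's DelegatingKeyManager.
    static final class ReloadableKeyManager extends X509ExtendedKeyManager {
        private volatile X509ExtendedKeyManager d;
        ReloadableKeyManager(X509ExtendedKeyManager d) { this.d = d; }
        void reload(X509ExtendedKeyManager next) { d = next; } // swap keys without a new SSLContext
        @Override public String[] getClientAliases(String t, Principal[] p) { return d.getClientAliases(t, p); }
        @Override public String chooseClientAlias(String[] t, Principal[] p, Socket s) { return d.chooseClientAlias(t, p, s); }
        @Override public String[] getServerAliases(String t, Principal[] p) { return d.getServerAliases(t, p); }
        @Override public String chooseServerAlias(String t, Principal[] p, Socket s) { return d.chooseServerAlias(t, p, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
        @Override public String chooseEngineClientAlias(String[] t, Principal[] p, SSLEngine e) { return d.chooseEngineClientAlias(t, p, e); }
        @Override public String chooseEngineServerAlias(String t, Principal[] p, SSLEngine e) { return d.chooseEngineServerAlias(t, p, e); }
    }

    // Same decision as the instanceof test in SSLContextImpl, made on the runtime
    // class name so the demo compiles without access to JDK-internal classes.
    static boolean passesSunJsseFipsCheck(KeyManager km) {
        String name = km.getClass().getName();
        return name.equals("sun.security.ssl.X509KeyManagerImpl")
            || name.equals("sun.security.ssl.SunX509KeyManagerImpl");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory keystore, constructed for the demo
        for (String alg : new String[] {"SunX509", "PKIX"}) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(alg);
            kmf.init(ks, new char[0]);
            X509ExtendedKeyManager real = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
            KeyManager wrapped = new ReloadableKeyManager(real);
            System.out.printf("%s: %s accepted=%b, wrapped accepted=%b%n",
                alg, real.getClass().getName(), passesSunJsseFipsCheck(real), passesSunJsseFipsCheck(wrapped));
        }
    }
}
```

The wrapper forwards every call to a SunJSSE key manager, yet its own runtime class is what the check inspects, so a wrapper installed by default fails regardless of which keystore type backs the delegate.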