  1. Quarkus
  2. QUARKUS-2036

Support bouncyCastle libs + Infinispan + FIPS


    • Bug
    • Resolution: Unresolved
    • Major
    • 3.8.NEXT
    • 2.7.5.ER1, 2.7.5.ER2, 2.7.5.ER3
    • team/eng

      Infinispan: 12.1 / 14
      Quarkus: 2.7.5.Final
      Java 11 / 17

      It seems that the Bouncy Castle lib is not supported until Infinispan 14.0. But if I move to Infinispan 14 and configure Quarkus to use BCFIPSJSSE, then I get the following error:

      13:51:46,057 INFO [app] Caused by: java.security.KeyStoreException: BCFKS not found
      13:51:46,057 INFO [app] at java.base/java.security.KeyStore.getInstance(KeyStore.java:871)
      13:51:46,057 INFO [app] at org.infinispan.commons.util.SslContextFactory.getTrustManagerFactory(SslContextFactory.java:172)
      13:51:46,057 INFO [app] at org.infinispan.client.hotrod.impl.transport.netty.ChannelInitializer.initSsl(ChannelInitializer.java:154)
      13:51:46,057 INFO [app] ... 20 more
      13:51:46,057 INFO [app] Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
      13:51:46,057 INFO [app] at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
      13:51:46,057 INFO [app] at java.base/java.security.Security.getImpl(Security.java:701)
      13:51:46,057 INFO [app] at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)

      My Infinispan configuration looks like the following:

        # Infinispan
        quarkus.infinispan-client.trust-store=src/main/resources/server.jks
        quarkus.infinispan-client.trust-store-password=password
        quarkus.infinispan-client.trust-store-type=BCFKS

        quarkus.infinispan-client.server-list=localhost:11222
        quarkus.infinispan-client.use-auth=true

      In my opinion, I am missing some configuration that we already have in other modules, something like quarkus.infinispan-client.trust-store-provider=BCFIPS

      Reproducer

      git clone git@github.com:quarkus-qe/quarkus-test-suite.git
      cd quarkus-test-suite
      git checkout feat/infisnipan_fips_reproducer

      Scenario

      mvn clean verify -Dall-modules -pl messaging/infinispan-grpc-kafka -Dit.test=InfinispanKafkaIT 

      I am not sure if BCFIPS is supported, and if it is, I am not sure how to use it. Should I add the quarkus-security extension? And if I am able to set BCFIPS as a provider, I understand that I will then not need any custom JVM security configuration, is that right? (for quarkus.http.ssl it is not needed)

            karestig@redhat.com Katia Aresti
            rhn-support-pagonzal Pablo Gonzalez Granados (Inactive)
            Michal Vavrik Michal Vavrik
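
A way to check, from inside the JVM, whether any registered JCA provider can supply the trust-store type from the report. This is an added example, not code from the reporter, Quarkus or Infinispan; the class name `KeyStoreTypeCheck` is hypothetical, and the provider-less `KeyStore.getInstance(type)` call mirrors the lookup that fails in the stack trace above.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic example (hypothetical class name): shows which registered
// JCA providers, if any, can supply a given KeyStore type.
public class KeyStoreTypeCheck {

    // Names of registered providers that expose a KeyStore service of this type.
    static List<String> providersFor(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", type) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // "BCFKS" is the trust-store-type from the report; pass another type as args[0].
        String type = args.length > 0 ? args[0] : "BCFKS";

        System.out.println("Registered providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("Providers offering KeyStore." + type + ": " + providersFor(type));

        try {
            // No provider argument: only providers registered in this JVM are searched.
            KeyStore ks = KeyStore.getInstance(type);
            System.out.println("Resolved by provider: " + ks.getProvider().getName());
        } catch (KeyStoreException e) {
            // On a JVM without a provider for this type the message is "<type> not found".
            System.out.println("Lookup failed: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM, security configuration and classpath as the failing application, since the result depends only on which providers are registered in that process.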