Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1773

creating short admin password in BCFIPS approved mode gives "Internal server error" page

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • 24.0.5
    • team/core-clients
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      If you try to create a new admin console password with a password under 14 characters you get an "Internal Server Error" page and the following in the logs:

      Caused by: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits
          at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.<init>(Unknown Source)
          at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.<init>(Unknown Source)
          at org.bouncycastle.crypto.fips.FipsPBKD$ParametersBuilder.using(Unknown Source)
          at org.bouncycastle.jcajce.provider.ProvPBEPBKDF2$BasePBKDF2.engineGenerateSecret(Unknown Source)
          at java.base/javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:333)
          at org.keycloak.credential.hash.Pbkdf2PasswordHashProvider.encodedCredential(Pbkdf2PasswordHashProvider.java:118)
          at org.keycloak.credential.hash.Pbkdf2PasswordHashProvider.encodedCredential(Pbkdf2PasswordHashProvider.java:81)
          at org.keycloak.credential.PasswordCredentialProvider.createCredential(PasswordCredentialProvider.java:68)
          ... 29 more

      There's two issues with this throwing an Internal Server Error:

        - requires customer to read low level log message to attempt to understand a user input issue

        - this is a bad experience on the first user interaction with out product

       

       

      This is the same issue reported by Marek here: https://github.com/keycloak/keycloak/issues/14314 which was reported fixed.

      Steps:

      • Setup Postgresql and FIPS as described in docs.
      • Start Keycloak with BCFIPS in the approved mode with command:
           bin/kc.sh start --fips-mode=strict --features=fips
      • Then go to http://localhost:8080 and try to create user admin with password admin
      • Get error page:

      We are sorry...
      An internal server error has occurred

      and in logs:

      Caused by: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits
          at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.<init>(Unknown Source)
          at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.<init>(Unknown Source)
          at org.bouncycastle.crypto.fips.FipsPBKD$ParametersBuilder.using(Unknown Source)
          at org.bouncycastle.jcajce.provider.ProvPBEPBKDF2$BasePBKDF2.engineGenerateSecret(Unknown Source)

       

       

              Unassigned Unassigned
              abstractj Bruno Oliveira da Silva
              Chris Dolphy
              Keycloak Core Clients
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: