Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.4.0
Component/s: java-1.8.0-openjdk
Labels:
- MigratedToJIRA

Regression:
None
Severity:
Low
Epic Link:
FIPSIssuesNeedingTriage

AssignedTeam:
rhel-sst-java

Story Points:
None
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2051628

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
57,005

With FIPS enabled, the example code below returns the following exception:

$ java -Djava.security.auth.login.config=./gssapi_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -jar sasl.jar
Callback called
Setting username
Callback called
Setting password
Authentication attempt failed javax.security.auth.loging.LogInException: java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
       at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:208)
...

Sample code:

1. main method:

LoginContext lc = null;
        try {
            lc = new LoginContext(ServerSasl.class.getName(), new MyHandler());
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }

        Subject.doAs(lc.getSubject(), new JndiAction(args));

2. javax.security.auth.callback.CallbackHandler implementation

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                NameCallback cb = (NameCallback)callbacks[i];
                cb.setName("ADuser realm");
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback cb = (PasswordCallback)callbacks[i];
                String pw = "AD user password";
                char[] passwd = new char[pw.length()];
                pw.getChars(0, passwd.length, passwd, 0);
                cb.setPassword(passwd);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }

3. java.security.PrivilegedAction implementation

    ...

    private static void performJndiOperation(String[] args) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap-server:636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Context.SECURITY_PRINCIPAL, "ADuser");
        env.put(Context.SECURITY_CREDENTIALS, "ADuser password".getBytes());

        try {
            DirContext ctx = new InitialDirContext(env);

            //Sample query
            System.out.println(ctx.getAttributes("ldap://ldap-server:636", new String[]{"supportedSASLMechanisms"}));

            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

depends on

JDK-8330842 Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11

external trackers

Red Hat Customer Portal 03076860

Red Hat Issue Tracker RHELPLAN-111381

Assignee:: Martin Balao

Reporter:: Michael Millson

Developer:: Martin Balao

QA Contact:: David Kutalek

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2023/09/12 10:33 PM

Updated:: 2025/10/10 10:44 AM

Stale Date:: 2025/03/15

Details

Description

Sample code:

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide