WildFly / WFLY-16187

Unable to use bin scripts with Bouncy Castle security provider on JDK11


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 26.0.1.Final
    • Security
    • None

      1. Configure JDK 11:

      • Add the following to java.security (located in $JAVA_HOME/conf/security/java.security):

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS

      • Move all other providers down 2 positions

      2. Download bc-fips and bctls jar from bouncycastle.org

      3. Start server using this JDK, connect to it using CLI, execute:

      • module add --name=org.bouncycastle.fips --resources=/path/to/bc-fips.jar:/path/to/bctls-fips.jar
      • /subsystem=elytron/provider-loader=bc:add(module=org.bouncycastle.fips)
      • /subsystem=elytron:write-attribute(name=initial-providers,value=bc)
      • reload

      4. Create a BCFKS keystore and add a keypair and a secret:

      keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore /tmp/testKeystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ~/Downloads/bc-fips-1.0.2.3.jar -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v
      keytool -genseckey -alias bc-secret-key -keyalg AES -keysize 128 -keypass password -keystore /tmp/testKeystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ~/Downloads/bc-fips-1.0.2.3.jar -storetype BCFKS -storepass password -v

      5. When I try to create a credential store using keytool:

      ./elytron-tool.sh credential-store -c -a "secret-key" -x "password" -p "password" -l /tmp/testKeystore.bcfks -u "keyStoreType=BCFKS;external=true;keyAlias=bc-secret-key;externalPath=/tmp/testExternalPath" --debug

      I get

      Exception encountered executing the command:
      org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
          at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:955)
          at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:964)
          at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:843)
          at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:223)
          at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160)
          at org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:404)
          at org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)
          at org.jboss.modules.Module.run(Module.java:353)
          at org.jboss.modules.Module.run(Module.java:321)
          at org.jboss.modules.Main.main(Main.java:617)
      Caused by: java.security.KeyStoreException: BCFKS not found
          at java.security.KeyStore.getInstance(KeyStore.java:851)
          at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:951)
          ... 9 more
      Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
          at java.security.Security.getImpl(Security.java:697)
          at java.security.KeyStore.getInstance(KeyStore.java:848)
          ... 10 more
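Step 1 above renumbers every entry in java.security by hand, and JDK 9+ reads security.provider.1, .2, ... only until the first missing number, so a gap left by the edit silently drops every provider after it. The following check is an added example, not part of the issue or of the WildFly scripts; it assumes a POSIX sh with sed and grep and validates a java.security file against the layout step 1 asks for.

```shell
#!/bin/sh
# Added check, not part of the WildFly issue or its bin scripts. Validates the
# security.provider.N edit from step 1: numbering must be contiguous from 1 with
# no duplicates, and the BC FIPS / BC JSSE providers must sit at 1 and 2.
#
# provider_at N FILE: prints the value(s) of security.provider.N, one per line.
provider_at() {
    sed -n "s/^[[:space:]]*security\.provider\.$1[[:space:]]*=[[:space:]]*//p" "$2"
}

# check_provider_order FILE: returns 0 when the layout is sane; otherwise prints
# the first problem found and returns 1.
check_provider_order() {
    file="$1"; n=1
    while [ -n "$(provider_at "$n" "$file")" ]; do
        if [ "$(( $(provider_at "$n" "$file" | wc -l) ))" -ne 1 ]; then
            echo "security.provider.$n is defined more than once"; return 1
        fi
        n=$((n + 1))
    done
    reachable=$((n - 1))
    defined=$(grep -c '^[[:space:]]*security\.provider\.[0-9][0-9]*[[:space:]]*=' "$file") || true
    if [ "$defined" -ne "$reachable" ]; then
        echo "gap after security.provider.$reachable: $defined defined, $reachable reachable"; return 1
    fi
    # Compare class names only; the JSSE entry carries a "fips:BCFIPS" argument.
    first=$(provider_at 1 "$file"); first=${first%% *}
    second=$(provider_at 2 "$file"); second=${second%% *}
    if [ "$first" != org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider ] ||
       [ "$second" != org.bouncycastle.jsse.provider.BouncyCastleJsseProvider ]; then
        echo "positions 1 and 2 must be BC FIPS and BC JSSE, found: $first / $second"; return 1
    fi
    echo "ok: $reachable providers reachable, BC FIPS first"
}

# Constructed java.security fragments (not real JDK files) for a stand-alone run.
sample_dir=$(mktemp -d)
printf 'security.provider.%s\n' \
    1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    '2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS' \
    3=SUN 4=SunRsaSign 5=SunEC > "$sample_dir/good.security"
printf 'security.provider.%s\n' \
    1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    '2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS' \
    3=SUN 5=SunEC > "$sample_dir/gap.security"   # 4 is missing: SunEC never loads
check_provider_order "$sample_dir/good.security"
check_provider_order "$sample_dir/gap.security" || true
rm -rf "$sample_dir"
```

Run it against "$JAVA_HOME/conf/security/java.security" after the edit; a non-zero exit names the first entry the JDK would not load.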



      Edit elytron-tool.sh:

      At the end of the script, where the elytron-tool module is executed, add the following after the module path:

      -add-provider "org.bouncycastle.fips"

      So it looks like this:

      eval \"$JAVA\" $JAVA_OPTS \
               -jar \""$JBOSS_HOME"/jboss-modules.jar\" \
               -mp \""${JBOSS_MODULEPATH}"\" \
               -add-provider "org.bouncycastle.fips" \
               org.wildfly.security.elytron-tool \
               '{"$0"}"$@"'

      Note that the same issue and workaround can be observed with other scripts, for example with jboss-cli.sh.


    Description

      Unable to use the scripts in the bin directory with the Bouncy Castle provider without editing the script.

            People

              dvilkola@redhat.com Diana Krepinska
              rhn-support-ngibor Nikita Gibor (Inactive)