Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-9969

JDK9 + FIPS BC, unable to configure

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 12.0.0.Final
    • Security
    • None

    Description

      • Configure BouncyCastleFipsProvider in java
        ${jdk9_home}/conf/security/java.security
        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE BCFIPS
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL
security.provider.13=SunPKCS11
      • Configure additional logging 
        /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
/subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
      • Run CLI command usink BCFKS key store type
        /subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})
      • For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved 
        =========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2

  JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java

  JAVA_OPTS:  -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n

=========================================================================
...
09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
	at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
	at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
	at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
	at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
	at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
	... 8 more
      • With same java I can run succesfully this java code
        TestBCLoaded.java
        import java.security.*;

public class TestBCLoaded {
    public static void main(String[] args) {
        Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        if (p==null){
                System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        }

        p = Security.getProvider("BouncyCastleFipsProvider");
        if (p==null){
                System.out.println("Not Loaded: BouncyCastleFipsProvider");
        }

        p = Security.getProvider("BCFIPS");
        if (p==null){
                System.out.println("Not Loaded: BCFIPS");
        } else {
           System.out.println("Provider name is " + p.getName());
           System.out.println("Provider version # is " + p.getVersion());
           System.out.println("Provider info is " + p.getInfo());
        }

    }
}

        [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded 
Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Not Loaded: BouncyCastleFipsProvider
Provider name is BCFIPS
Provider version # is 0.9
Provider info is BouncyCastle Security Provider (FIPS edition) v0.90

      Attachments

        Issue Links

          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) MODULES-349 Allow modules to "provide" services in their module.xml

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: