Bouncy Castle and Bouncy Castle FIPS Native test failures: Cannot load new security provider at runtime: BC / BCFIPS #23967

Open
2 tasks
Karm opened this issue Feb 25, 2022 · 12 comments
Labels: area/securepipeline (issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar), area/security, kind/bug (Something isn't working)

Comments

@Karm
Member

Karm commented Feb 25, 2022

Describe the bug

Bouncy Castle and Bouncy Castle FIPS tests work fine with FIPS aware HotSpot, but those tests fail to start with FIPS aware native-image.

[INFO] Quarkus - Integration Tests - Bouncy Castle ........ SUCCESS [ 18.434 s]
[INFO] Quarkus - Integration Tests - Bouncy Castle FIPS ... SUCCESS [ 13.958 s]

Notes from Severin:

Bouncy Castle provider isn't supported in FIPS mode. The RHEL certified FIPS provider via OpenJDK is NSS, thus BC
cannot be used (without recertification). The same would be true for BCFIPS.

TODO:

  • Check what is going on in HotSpot mode and how come it seems to pass.
  • These components should be probably documented as FIPS incompatible in this setup...?

Bouncy Castle native

Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BC.

Full log: gh-q-23967-bc.txt

Bouncy Castle FIPS native

Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BCFIPS.

Full log: gh-q-23967-bcfips.txt

BC JSSE and BC FIPS JSSE

HotSpot:

[INFO] Quarkus - Integration Tests - Bouncy Castle FIPS JSSE SUCCESS [ 15.017 s]
Stat: OK
[INFO] Quarkus - Integration Tests - Bouncy Castle JSSE ... FAILURE [  7.559 s]
Stat: Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY

Native:

[INFO] Quarkus - Integration Tests - Bouncy Castle FIPS JSSE FAILURE [01:10 min]
Stat: Error: Detected an instance of Random/SplittableRandom class in the image heap. 

Full log: gh-q-23967-bcfipsjsse.txt

[INFO] Quarkus - Integration Tests - Bouncy Castle JSSE ... FAILURE [  4.739 s]
Stat: Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY

Expected behavior

Tests pass the same with FIPS aware HotSpot and FIPS aware native-image.

Actual behavior

Tests fail with FIPS aware native-image.

How to Reproduce?

On a FIPS enforcing system, using FIPS aware native-image:

./mvnw clean install -Dquickly -pl '!devtools/gradle,!devtools/gradle/gradle-model,!devtools/gradle/gradle-extension-plugin,!devtools/gradle/gradle-application-plugin,!integration-tests/gradle'
./mvnw verify -f integration-tests/pom.xml --fail-at-end --batch-mode -Dno-format -DfailIfNoTests=false -Dnative -pl bouncycastle,bouncycastle-fips

Output of uname -a or ver

Linux rhel9fips 5.14.0-63.el9.x86_64

Output of java -version

Red Hat build of OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

95cc838

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@Karm Karm added the kind/bug Something isn't working label Feb 25, 2022
@Karm Karm self-assigned this Feb 25, 2022
@quarkus-bot

quarkus-bot bot commented Feb 25, 2022

/cc @jerboaa, @sberyozkin

@quarkus-bot quarkus-bot bot added area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar area/security labels Feb 25, 2022
@jerboaa
Contributor

jerboaa commented Feb 25, 2022

Note that OpenJDK itself cannot prevent application users from using third-party crypto providers when being used on a FIPS enabled system and Security.addProvider() API is being used. That seems to be the case here for JVM mode.

@sberyozkin
Member

This PR should be fixing it, #23527

@sberyozkin
Member

Though I'm not 100% sure. Perhaps the right fix would be to disable BC tests on the FIPS enabled system if it is required there that only Sun FIPS provider code is used. Let's see what happens after #23527 is merged.

@Karm
Member Author

Karm commented Feb 25, 2022

@sberyozkin I will try with your branch now...

@Karm
Member Author

Karm commented Feb 25, 2022

@sberyozkin

sberyozkin/bc_keypair_ecdsa_xdh

Native

With FIPS enabled native-image on a FIPS enforcing system:

Quarkus - Integration Tests - Bouncy Castle ......... FAILURE [02:44 min]
    Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BC.
Quarkus - Integration Tests - Bouncy Castle FIPS .... FAILURE [02:23 min]
    Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BCFIPS.
Quarkus - Integration Tests - Bouncy Castle FIPS JSSE FAILURE [02:10 min]
    Test setup fail: @Inject is not supported in @NativeImageTest and @QuarkusIntegrationTest tests. Offending field is io.quarkus.it.bouncycastle.BouncyCastleFipsJsseTestCase.vertx
Quarkus - Integration Tests - Bouncy Castle JSSE .... FAILURE [  5.658 s]
    Non NSSDB keystore: Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY

So it's the same as before except for Bouncy Castle FIPS JSSE, where "Detected an instance of Random/SplittableRandom class in the image heap." was replaced by "@Inject is not supported in @NativeImageTest and @QuarkusIntegrationTest tests." The test needs to be refactored.

HotSpot

With FIPS aware HotSpot on a FIPS enforcing system:

[INFO] Quarkus - Integration Tests - Bouncy Castle ......... SUCCESS [ 13.403 s]
[INFO] Quarkus - Integration Tests - Bouncy Castle FIPS .... SUCCESS [  9.029 s]
[INFO] Quarkus - Integration Tests - Bouncy Castle FIPS JSSE SUCCESS [  7.975 s]
[INFO] Quarkus - Integration Tests - Bouncy Castle JSSE .... FAILURE [  4.380 s]
  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY

Seems the same, which is fine IMHO as the test couldn't work with the keystore as it does now and be compatible at the same time IMHO...

@sberyozkin
Member

@Karm Thanks.

Quarkus - Integration Tests - Bouncy Castle FIPS JSSE FAILURE [02:10 min] Test setup fail: @Inject is not supported in @NativeImageTest and @QuarkusIntegrationTest tests.

Yes, we've seen it with @zakkak. That native test does not work in native even without FIPS enabled so we spotted it while trying to fix it - however, I'll update my PR in any case to avoid this inject issue.

But not sure what is the cause of Cannot load new security provider at runtime at the moment

@sberyozkin
Member

@Karm I fixed the Vertx issue with the BC FIPS JSSE test. And I've added a couple of guards to avoid doing duplicate addProvider/insertProvider - these are supposed to be idempotent but perhaps there are stricter checks in the FIPS enabled system, so now I have there:

if (Security.getProvider(provider.getName()) == null) {
    Security.addProvider(provider);
}

Can you please retry with my branch?
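The guard quoted in the comment above, together with the earlier point that the JVM accepts Security.addProvider() for third-party providers on a FIPS system, as an added example (not code from the Quarkus project or from any commenter). DemoProvider, addIfAbsent and unexpectedProviders are hypothetical names, and taking the startup provider list as the approved baseline is an assumption; a real deployment would use a fixed allowlist from its FIPS policy.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ProviderAudit {

    // Constructed stand-in for a third-party provider such as BC; it registers no algorithms.
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DEMO", "1.0", "constructed provider for this example");
        }
    }

    // The guard from the thread: register only if no provider of that name is installed.
    // Returns true when this call actually changed the provider list.
    static boolean addIfAbsent(Provider provider) {
        if (Security.getProvider(provider.getName()) != null) {
            return false;
        }
        return Security.addProvider(provider) != -1;
    }

    // Names of installed providers that are not on the allowlist, in preference order.
    static List<String> unexpectedProviders(Set<String> allowed) {
        List<String> unexpected = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (!allowed.contains(p.getName())) {
                unexpected.add(p.getName());
            }
        }
        return unexpected;
    }

    public static void main(String[] args) {
        // Assumption: whatever the JVM started with is treated as the approved baseline.
        Set<String> baseline = new HashSet<>();
        for (Provider p : Security.getProviders()) {
            baseline.add(p.getName());
        }

        System.out.println("first add changed list:  " + addIfAbsent(new DemoProvider()));
        System.out.println("second add changed list: " + addIfAbsent(new DemoProvider()));
        System.out.println("outside baseline: " + unexpectedProviders(baseline));
    }
}
```

Run in JVM mode, the audit step reports any provider registered after startup, which is the situation the HotSpot results in this issue reflect.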

@sberyozkin
Member

sberyozkin commented May 12, 2022

Hi @Karm @pjgg Can you please try these 4 BC integration tests against the latest Quarkus, 2.8.3.Final or 2.9.0.Final, in native/JVM?

@Karm According to your results, all but BC JSSE tests failed in JVM mode, but BC FIPS JSSE passes. So the fact that it is RHEL FIPS does not affect BC FIPS JSSE, as well as BC and BC FIPS.

But all of these tests fail in native. BC FIPS JSSE does not work in native anyway. But I'd like to see what happens to the other 3 tests. BC JSSE is expected to fail since it does not read from a PKCS11 store as you said, but BC and BC FIPS might pass, give it a try please.

@sberyozkin
Member

That said, I wonder, does it make sense to start loading BouncyCastle providers on RHEL FIPS systems? I.e., is it a real issue that BC providers can't be loaded?

@jerboaa
Contributor

jerboaa commented May 16, 2022

That said, I wonder, does it make sense to start loading BouncyCastle providers on RHEL FIPS systems?

IMO, no. It's either of those two providers (exclusively). FIPS compliance is what matters, so you don't need both at the same time. At least I cannot think of a use-case which would need it.

@sberyozkin
Member

sberyozkin commented May 23, 2022

@jerboaa Hi Severin, thanks, makes sense to me as well. I think I'll close this issue with a minor update to the BouncyCastle doc section clarifying such providers are unlikely to work on RHEL FIPS
