
JDK17 + org.bouncycastle:bctls-fips throws a security unnamed module exception #25516

Closed
pjgg opened this issue May 11, 2022 · 7 comments
Labels: area/securepipeline (issues related to ensuring Quarkus can be used in secure pipeline setups like FIPS or similar), area/security, kind/bug (Something isn't working)

Comments

@pjgg (Contributor) commented May 11, 2022

Describe the bug

Quarkus 2.7.5.Final

When I make a rest query with VertxClient using BouncyCastleJsseFips certificates, I am getting the following error:

Caused by: java.lang.IllegalAccessError: class org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$1 (in unnamed module @0x5274766b) cannot access class sun.security.internal.spec.TlsMasterSecretParameterSpec (in module java.base) because module java.base does not export sun.security.internal.spec to unnamed module @0x5274766b

Works as expected with Open JDK11:

openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment Temurin-11.0.14+9 (build 11.0.14+9)
OpenJDK 64-Bit Server VM Temurin-11.0.14+9 (build 11.0.14+9, mixed mode)

Reproducer: https://github.com/quarkus-qe/quarkus-test-suite/pull/638/files#diff-bd95ff6a40ed24d38581c32ca8cb864a206ac0c255386e4a289f499a2c642c2fR30

cmd: mvn clean verify -Dall-modules -pl security/bouncycastle-fips -Dit.test=BouncyCastleFipsJsseIT#verifyBouncyCastleFipsAndJsseProviderAvailability

Output of java -version

openjdk version "17.0.1" 2021-10-19
OpenJDK Runtime Environment Temurin-17.0.1+12 (build 17.0.1+12)
OpenJDK 64-Bit Server VM Temurin-17.0.1+12 (build 17.0.1+12, mixed mode, sharing)

@pjgg pjgg added the kind/bug Something isn't working label May 11, 2022
@quarkus-bot quarkus-bot bot added the area/securepipeline and area/security labels May 11, 2022

@quarkus-bot (bot) commented May 11, 2022

/cc @Karm, @jerboaa, @sberyozkin

@pjgg pjgg changed the title JDK17 + org.bouncycastle:bctls-fips throw s security unamed module exception JDK17 + org.bouncycastle:bctls-fips throw a security unamed module exception May 11, 2022
@sberyozkin (Member) commented

Also CC @zakkak

@sberyozkin (Member) commented May 11, 2022

@pjgg Hi, but integration-tests/bouncycastle-tls-fips is passing on JDK 17 (in JVM mode)...

@pjgg (Contributor, Author) commented May 12, 2022

The coverage that we did is strongly inspired by Quarkus IT, but we have added the following line to our test:

    Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);

PR_Ref:
https://github.com/quarkus-qe/quarkus-test-suite/pull/638/files#diff-bd95ff6a40ed24d38581c32ca8cb864a206ac0c255386e4a289f499a2c642c2fR49

With this line, we force BouncyCastle as a security provider. In our scenario, without this line we got the following error:

09:24:24,555 Failed to initialize a channel. Closing: [id: 0x6e06a777]: io.vertx.core.VertxException: java.security.KeyStoreException: BCFKS not found
        at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:289)
        at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:469)
        at io.vertx.core.net.impl.SSLHelper.createEngine(SSLHelper.java:505)
        at io.vertx.core.net.impl.ChannelProvider.initSSL(ChannelProvider.java:110)
        at io.vertx.core.net.impl.ChannelProvider.access$200(ChannelProvider.java:42)
        at io.vertx.core.net.impl.ChannelProvider$2.initChannel(ChannelProvider.java:151)
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
        at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:938)
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
        at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register(AbstractChannel.java:480)
        at io.netty.channel.SingleThreadEventLoop.register(SingleThreadEventLoop.java:87)
        at io.netty.channel.SingleThreadEventLoop.register(SingleThreadEventLoop.java:81)
        at io.netty.bootstrap.AbstractBootstrap.initAndRegister(AbstractBootstrap.java:323)
        at io.netty.bootstrap.Bootstrap.doResolveAndConnect(Bootstrap.java:155)
        at io.netty.bootstrap.Bootstrap.connect(Bootstrap.java:139)
        at io.vertx.core.net.impl.ChannelProvider.handleConnect(ChannelProvider.java:154)
        at io.vertx.core.net.impl.ChannelProvider.connect(ChannelProvider.java:104)
        at io.vertx.core.net.impl.ChannelProvider.connect(ChannelProvider.java:90)
        at io.vertx.core.net.impl.NetClientImpl.connectInternal(NetClientImpl.java:247)
        at io.vertx.core.net.impl.NetClientImpl.lambda$connectInternal$5(NetClientImpl.java:267)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:503)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.security.KeyStoreException: BCFKS not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:871)
        at io.vertx.core.net.impl.KeyStoreHelper.loadKeyStore(KeyStoreHelper.java:210)
        at io.vertx.core.net.KeyStoreOptionsBase.getHelper(KeyStoreOptionsBase.java:187)
        at io.vertx.core.net.KeyStoreOptionsBase.getKeyManagerFactory(KeyStoreOptionsBase.java:205)
        at io.vertx.core.net.impl.SSLHelper.getKeyMgrFactory(SSLHelper.java:294)
        at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:239)
        ... 32 more
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:701)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)
        ... 37 more

@sberyozkin (Member) commented May 12, 2022

@pjgg I think this test is not correctly set up. The test should not deal with adding the providers, see https://github.com/quarkusio/quarkus/tree/main/integration-tests/bouncycastle-fips-jsse. BC FIPS on its own is not sufficient.

@sberyozkin (Member) commented

@pjgg BC FIPS TLS and BC FIPS providers should be added by Quarkus - if the test does it then it is not a Quarkus issue that a BC related problem occurs so please update the tests. BC FIPS TLS native issue is here: #14139
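The two failure modes in this thread ("BCFKS not found" when no FIPS provider is registered, and TLS still being served by the default provider when only bc-fips but not bctls-fips is present) can be told apart with a short JCA diagnostic. The following is an added example, not code from this issue or from Quarkus; it assumes the standard provider names "BCFIPS" (registered by the bc-fips jar) and "BCJSSE" (registered by the bctls-fips jar) and otherwise uses only JDK APIs, so it compiles and runs without those jars and simply reports them as missing.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/**
 * Added diagnostic (hypothetical, not part of Quarkus or the test suite):
 * reports which JCA providers are registered, in lookup order, and whether
 * the pieces a BC FIPS TLS stack needs are actually available.
 */
public class FipsProviderCheck {

    // Provider names registered by bc-fips and bctls-fips respectively (assumed).
    static final String BC_FIPS = "BCFIPS";
    static final String BC_JSSE = "BCJSSE";

    /** True when a BCFKS keystore can be created; this is what Vert.x needs. */
    static boolean bcfksAvailable() {
        try {
            KeyStore.getInstance("BCFKS");
            return true;
        } catch (KeyStoreException e) {
            // Same condition as "java.security.KeyStoreException: BCFKS not found"
            return false;
        }
    }

    /** Name of the provider that serves the default "TLS" SSLContext. */
    static String defaultTlsProvider() throws NoSuchAlgorithmException {
        return SSLContext.getInstance("TLS").getProvider().getName();
    }

    /**
     * The full FIPS TLS stack is ready only when BOTH providers are registered,
     * BCFKS keystores work, and the BC JSSE provider wins the default TLS lookup.
     * BC FIPS alone satisfies the keystore check but not the TLS check.
     */
    static boolean fipsTlsStackReady() throws NoSuchAlgorithmException {
        return Security.getProvider(BC_FIPS) != null
                && Security.getProvider(BC_JSSE) != null
                && bcfksAvailable()
                && BC_JSSE.equals(defaultTlsProvider());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("Registered JCA providers, in lookup order:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %d. %s%n", i + 1, providers[i].getName());
        }
        System.out.println(BC_FIPS + " registered: " + (Security.getProvider(BC_FIPS) != null));
        System.out.println(BC_JSSE + " registered: " + (Security.getProvider(BC_JSSE) != null));
        System.out.println("BCFKS keystore available: " + bcfksAvailable());
        System.out.println("Default TLS SSLContext provider: " + defaultTlsProvider());
        System.out.println("FIPS TLS stack ready: " + fipsTlsStackReady());
    }
}
```

Run it from the same classpath and JVM the application uses (for a Quarkus test, from inside a @QuarkusTest so the runtime has already registered the providers); registering providers from the test itself, as the thread shows, masks whether the runtime did its job.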

@pjgg (Contributor, Author) commented May 12, 2022

Thank you @sberyozkin, you are right. I confirm that it is working as expected when you are running your test with @QuarkusTest

TD: https://github.com/quarkus-qe/quarkus-test-suite/pull/638/files#diff-c69fb23355257bfc5616b07d21360f579d59d2db81c28767efb5c5d1319dc47fR40

@pjgg pjgg closed this as completed May 12, 2022