Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

Ioannis Kakavas
Hi there folk,


Would you mind sharing your plans if any, regarding the availability of the BouncyCastleFipsProvider for JDK11 ?

I can see in the roadmap [1] that 1.0.2 which is the next release, is tested against JDK11, but I'm wondering if you plan to release the provider in a way that can be installed and used with JDK11 as there doesn't seem to currently be a way.


- >JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been one of the common ways to configure the BouncyCastleFipsProvider statically. Would you plan to release the Provider as a module instead? Granted, this can be easily overcome by adding the bc-fips jar in the classpath of the application.

- Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?


Best Regards
Ioannis

[1] https://www.bouncycastle.org/fips_java_roadmap.html
[2] https://bugs.openjdk.java.net/browse/JDK-8217907
[3] https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.7.pdf


Reply | Threaded
Open this post in threaded view
|

Re: Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

Ioannis Kakavas
> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?

To be clear, trying to load BouncyCastleJsseProvider with a parameter is not possible because Provider throws an UnsupportedOperationException and BCJSSE is not loaded at all ( see stack trace below )
Another option to releasing BCJSSE preconfigured in FIPS mode, would be to override and implement

public Provider configure(String configArg)

in BouncyCastleJsseProvider as the default implementation in Provider is what throws the unsupported operation exception after JDK 9


2> ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
  2> ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
  2> java.lang.UnsupportedOperationException: configure is not supported
  2>    at java.base/java.security.Provider.configure(Provider.java:294)
  2>    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
  2>    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
  2>    at java.base/java.security.AccessController.doPrivileged(Native Method)
  2>    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
  2>    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
  2>    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
  2>    at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
  2>    at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
  2>    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
  2>    at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:81)
  2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
  2>    at java.base/java.security.Security.getImpl(Security.java:701)
  2>    at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:242)
  2>    at java.base/sun.security.provider.SecureRandom.init(SecureRandom.java:102)
  2>    at java.base/sun.security.provider.SecureRandom.<init>(SecureRandom.java:79)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
  2>    at java.base/java.security.AccessController.doPrivileged(Native Method)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
  2>    at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
  2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
  2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
  2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
  2>    at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
  2>    at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
  2>    at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
  2>    at java.base/java.io.File$TempDirectory.<clinit>(File.java:1916)
  2>    at java.base/java.io.File.createTempFile(File.java:2076)
  2>    at com.sun.jna.Native.extractFromResourcePath(Native.java:1059)
  2>    at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:937)
  2>    at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
  2>    at com.sun.jna.Native.<clinit>(Native.java:190)
  2>    at java.base/java.lang.Class.forName0(Native Method)
  2>    at java.base/java.lang.Class.forName(Class.java:315)


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 16, 2019 12:28 PM, Ioannis Kakavas <[hidden email]> wrote:

> Hi there folk,
>
> Would you mind sharing your plans if any, regarding the availability of the BouncyCastleFipsProvider for JDK11 ?
>
> I can see in the roadmap [1] that 1.0.2 which is the next release, is tested against JDK11, but I'm wondering if you plan to release the provider in a way that can be installed and used with JDK11 as there doesn't seem to currently be a way.
>
> -   > JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been one of the common ways to configure the BouncyCastleFipsProvider statically. Would you plan to release the Provider as a module instead? Granted, this can be easily overcome by adding the bc-fips jar in the classpath of the application.
>
>
> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
>
>     Best Regards
>     Ioannis
>
>     [1] https://www.bouncycastle.org/fips_java_roadmap.html
>     [2] https://bugs.openjdk.java.net/browse/JDK-8217907
>     [3] https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.7.pdf
>



Reply | Threaded
Open this post in threaded view
|

Re: Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

David Hook-3

Hmmm. Actually the stack trace below indicates an error in the
construction of the default DRBG for the BCFIPS provider. I think
something else might be going on here.

Regards,

David

On 22/4/19 7:26 pm, Ioannis Kakavas wrote:

>> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
> To be clear, trying to load BouncyCastleJsseProvider with a parameter is not possible because Provider throws an UnsupportedOperationException and BCJSSE is not loaded at all ( see stack trace below )
> Another option to releasing BCJSSE preconfigured in FIPS mode, would be to override and implement
>
> public Provider configure(String configArg)
>
> in BouncyCastleJsseProvider as the default implementation in Provider is what throws the unsupported operation exception after JDK 9
>
>
> 2> ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
>   2> ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
>   2> java.lang.UnsupportedOperationException: configure is not supported
>   2>    at java.base/java.security.Provider.configure(Provider.java:294)
>   2>    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
>   2>    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
>   2>    at java.base/java.security.AccessController.doPrivileged(Native Method)
>   2>    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
>   2>    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
>   2>    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
>   2>    at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
>   2>    at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
>   2>    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
>   2>    at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:81)
>   2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>   2>    at java.base/java.security.Security.getImpl(Security.java:701)
>   2>    at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:242)
>   2>    at java.base/sun.security.provider.SecureRandom.init(SecureRandom.java:102)
>   2>    at java.base/sun.security.provider.SecureRandom.<init>(SecureRandom.java:79)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
>   2>    at java.base/java.security.AccessController.doPrivileged(Native Method)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
>   2>    at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
>   2>    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
>   2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>   2>    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>   2>    at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
>   2>    at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
>   2>    at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
>   2>    at java.base/java.io.File$TempDirectory.<clinit>(File.java:1916)
>   2>    at java.base/java.io.File.createTempFile(File.java:2076)
>   2>    at com.sun.jna.Native.extractFromResourcePath(Native.java:1059)
>   2>    at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:937)
>   2>    at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
>   2>    at com.sun.jna.Native.<clinit>(Native.java:190)
>   2>    at java.base/java.lang.Class.forName0(Native Method)
>   2>    at java.base/java.lang.Class.forName(Class.java:315)
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, April 16, 2019 12:28 PM, Ioannis Kakavas <[hidden email]> wrote:
>
>> Hi there folk,
>>
>> Would you mind sharing your plans if any, regarding the availability of the BouncyCastleFipsProvider for JDK11 ?
>>
>> I can see in the roadmap [1] that 1.0.2 which is the next release, is tested against JDK11, but I'm wondering if you plan to release the provider in a way that can be installed and used with JDK11 as there doesn't seem to currently be a way.
>>
>> -   > JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been one of the common ways to configure the BouncyCastleFipsProvider statically. Would you plan to release the Provider as a module instead? Granted, this can be easily overcome by adding the bc-fips jar in the classpath of the application.
>>
>>
>> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
>>
>>     Best Regards
>>     Ioannis
>>
>>     [1] https://www.bouncycastle.org/fips_java_roadmap.html
>>     [2] https://bugs.openjdk.java.net/browse/JDK-8217907
>>     [3] https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.7.pdf
>>
>
>
>



Reply | Threaded
Open this post in threaded view
|

Re: Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

Ioannis Kakavas
Thanks for the feedback David,

That might have been a red herring, the following is simpler and easier to reproduce but highlights the same issue:

Using bc-fips-1.0.1 and bctls-fips-1.0.7, simply iterating through the available providers

import java.security.Provider;
import java.security.Security;

public class TestBCJSSE {

    public static void main(String[] args){
        Provider[] list = Security.getProviders();
        for (Provider p : list){
            System.out.println(p.getName());
        }
    }
}

with the security properties set to

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN

and a policy of

grant {
     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.util.PropertyPermission "java.runtime.name", "read";
     permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
     permission java.lang.RuntimePermission "accessDeclaredMembers";
};

I can reproducible failures to load BCJSSE with the following output from JCA debug

/usr/lib/jvm/jdk-11-fips/bin/java -Djava.security.manager -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djava.security.debug=JCA -Dfile.encoding=UTF-8 -classpath /path/to/bc-fips-debug-1.0.1.jar:path/to/bctls-fips-1.0.7.jar TestBCJSSE


ProviderList: provider configuration: [org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS'), SUN]
ProviderList: config configuration: null
ProviderList: Loading all providers
java.lang.Exception: Debug Info. Call trace:
        at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:311)
        at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
        at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:173)
        at java.base/java.security.Security.getProviders(Security.java:455)
        at TestBCJSSE.main(TestBCJSSE.java:7)
ProviderConfig: Loading provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
ProviderConfig: Attempt to load org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider using SL
ProviderConfig: Found SL Provider named JdkSASL
ProviderConfig: Found SL Provider named SunPCSC
ProviderConfig: Found SL Provider named SunJGSS
ProviderConfig: Found SL Provider named XMLDSig
ProviderConfig: Found SL Provider named SunEC
ProviderConfig: Found SL Provider named SunPKCS11
ProviderConfig: Found SL Provider named SunSASL
ProviderConfig: Found SL Provider named JdkLDAP
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderConfig: Found SL Provider named BCJSSE
ProviderConfig: Loading legacy provider: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
ProviderList: Disabling ThreadLocal providers
ProviderConfig: Loaded provider BCFIPS
ProviderConfig: Loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
ProviderConfig: Attempt to load org.bouncycastle.jsse.provider.BouncyCastleJsseProvider using SL
ProviderConfig: Found SL Provider named JdkSASL
ProviderConfig: Found SL Provider named SunPCSC
ProviderConfig: Found SL Provider named SunJGSS
ProviderConfig: Found SL Provider named XMLDSig
ProviderConfig: Found SL Provider named SunEC
ProviderConfig: Found SL Provider named SunPKCS11
ProviderConfig: Found SL Provider named SunSASL
ProviderConfig: Found SL Provider named JdkLDAP
ProviderConfig: Found SL Provider named BCJSSE
ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
java.lang.UnsupportedOperationException: configure is not supported
        at java.base/java.security.Provider.configure(Provider.java:294)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
        at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
        at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:315)
        at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
        at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:173)
        at java.base/java.security.Security.getProviders(Security.java:455)
        at TestBCJSSE.main(TestBCJSSE.java:7)
BCFIPS
SUN


which makes sense looking at

https://hg.openjdk.java.net/jdk/jdk11/file/1ddf9a99e4ad/src/java.base/share/classes/java/security/Provider.java#l294


Removing the fips:BCFIPS parameter, allows for BCJSSE to be loaded and usable, but - unfortunately - not in FIPS approved mode.


Hope this helps,
Ioannis

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 22, 2019 1:10 PM, David Hook <[hidden email]> wrote:

>
>
> Hmmm. Actually the stack trace below indicates an error in the
> construction of the default DRBG for the BCFIPS provider. I think
> something else might be going on here.
>
> Regards,
>
> David
>
> On 22/4/19 7:26 pm, Ioannis Kakavas wrote:
>
> > > -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
> > >     To be clear, trying to load BouncyCastleJsseProvider with a parameter is not possible because Provider throws an UnsupportedOperationException and BCJSSE is not loaded at all ( see stack trace below )
> > >     Another option to releasing BCJSSE preconfigured in FIPS mode, would be to override and implement
> > >
> >
> > public Provider configure(String configArg)
> > in BouncyCastleJsseProvider as the default implementation in Provider is what throws the unsupported operation exception after JDK 9
> > 2> ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> > 2> ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
> > 2> java.lang.UnsupportedOperationException: configure is not supported
> > 2> at java.base/java.security.Provider.configure(Provider.java:294)
> > 2> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
> > 2> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
> > 2> at java.base/java.security.AccessController.doPrivileged(Native Method)
> > 2> at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
> > 2> at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
> > 2> at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
> > 2> at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
> > 2> at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
> > 2> at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
> > 2> at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:81)
> > 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> > 2> at java.base/java.security.Security.getImpl(Security.java:701)
> > 2> at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:242)
> > 2> at java.base/sun.security.provider.SecureRandom.init(SecureRandom.java:102)
> > 2> at java.base/sun.security.provider.SecureRandom.<init>(SecureRandom.java:79)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
> > 2> at java.base/java.security.AccessController.doPrivileged(Native Method)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
> > 2> at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
> > 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
> > 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
> > 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
> > 2> at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
> > 2> at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
> > 2> at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
> > 2> at java.base/java.io.File$TempDirectory.<clinit>(File.java:1916)
> > 2> at java.base/java.io.File.createTempFile(File.java:2076)
> > 2> at com.sun.jna.Native.extractFromResourcePath(Native.java:1059)
> > 2> at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:937)
> > 2> at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
> > 2> at com.sun.jna.Native.<clinit>(Native.java:190)
> > 2> at java.base/java.lang.Class.forName0(Native Method)
> > 2> at java.base/java.lang.Class.forName(Class.java:315)
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Tuesday, April 16, 2019 12:28 PM, Ioannis Kakavas [hidden email] wrote:
> >
> > > Hi there folk,
> > > Would you mind sharing your plans if any, regarding the availability of the BouncyCastleFipsProvider for JDK11 ?
> > > I can see in the roadmap [1] that 1.0.2 which is the next release, is tested against JDK11, but I'm wondering if you plan to release the provider in a way that can be installed and used with JDK11 as there doesn't seem to currently be a way.
> > >
> > > -   > JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been one of the common ways to configure the BouncyCastleFipsProvider statically. Would you plan to release the Provider as a module instead? Granted, this can be easily overcome by adding the bc-fips jar in the classpath of the application.
> > >
> > > -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
> > >     Best Regards
> > >     Ioannis
> > >     [1] https://www.bouncycastle.org/fips_java_roadmap.html
> > >     [2] https://bugs.openjdk.java.net/browse/JDK-8217907
> > >     [3] https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.7.pdf
> > >



Reply | Threaded
Open this post in threaded view
|

Re: Availability and configuration of BCFIPS/BCJSSE Provider for JDK11

David Hook-3

Yes, this is definitely now broken.

As you suggest, I guess the original reflection based code has been
cleaned up as part of the cleanup of code relating to the old FIPS mode
from the Sun JSSE. Although I'm not sure when.

As far as I can tell fixing it just requires the addition of:

    // for Java 11
    public Provider configure(String configArg)
    {
        return new BouncyCastleJsseProvider(configArg);
    }

To the provider class.

I've pushed an update to the core JSSE API which should appear on github
shortly.

Regards,

David
On 22/4/19 9:20 pm, Ioannis Kakavas wrote:

> Thanks for the feedback David,
>
> That might have been a red herring, the following is simpler and easier to reproduce but highlights the same issue:
>
> Using bc-fips-1.0.1 and bctls-fips-1.0.7, simply iterating through the available providers
>
> import java.security.Provider;
> import java.security.Security;
>
> public class TestBCJSSE {
>
>     public static void main(String[] args){
>         Provider[] list = Security.getProviders();
>         for (Provider p : list){
>             System.out.println(p.getName());
>         }
>     }
> }
>
> with the security properties set to
>
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
> security.provider.3=SUN
>
> and a policy of
>
> grant {
>      permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
>      permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
>      permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
>      permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
>      permission java.lang.RuntimePermission "getProtectionDomain";
>      permission java.util.PropertyPermission "java.runtime.name", "read";
>      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
>      permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
>      permission java.lang.RuntimePermission "accessDeclaredMembers";
> };
>
> I can reproducible failures to load BCJSSE with the following output from JCA debug
>
> /usr/lib/jvm/jdk-11-fips/bin/java -Djava.security.manager -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djava.security.debug=JCA -Dfile.encoding=UTF-8 -classpath /path/to/bc-fips-debug-1.0.1.jar:path/to/bctls-fips-1.0.7.jar TestBCJSSE
>
>
> ProviderList: provider configuration: [org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS'), SUN]
> ProviderList: config configuration: null
> ProviderList: Loading all providers
> java.lang.Exception: Debug Info. Call trace:
> at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:311)
> at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
> at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:173)
> at java.base/java.security.Security.getProviders(Security.java:455)
> at TestBCJSSE.main(TestBCJSSE.java:7)
> ProviderConfig: Loading provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> ProviderConfig: Attempt to load org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider using SL
> ProviderConfig: Found SL Provider named JdkSASL
> ProviderConfig: Found SL Provider named SunPCSC
> ProviderConfig: Found SL Provider named SunJGSS
> ProviderConfig: Found SL Provider named XMLDSig
> ProviderConfig: Found SL Provider named SunEC
> ProviderConfig: Found SL Provider named SunPKCS11
> ProviderConfig: Found SL Provider named SunSASL
> ProviderConfig: Found SL Provider named JdkLDAP
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderConfig: Found SL Provider named BCJSSE
> ProviderConfig: Loading legacy provider: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderList: ThreadLocal providers: [SUN, SunRsaSign, SunEC]
> ProviderList: Disabling ThreadLocal providers
> ProviderConfig: Loaded provider BCFIPS
> ProviderConfig: Loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
> ProviderConfig: Attempt to load org.bouncycastle.jsse.provider.BouncyCastleJsseProvider using SL
> ProviderConfig: Found SL Provider named JdkSASL
> ProviderConfig: Found SL Provider named SunPCSC
> ProviderConfig: Found SL Provider named SunJGSS
> ProviderConfig: Found SL Provider named XMLDSig
> ProviderConfig: Found SL Provider named SunEC
> ProviderConfig: Found SL Provider named SunPKCS11
> ProviderConfig: Found SL Provider named SunSASL
> ProviderConfig: Found SL Provider named JdkLDAP
> ProviderConfig: Found SL Provider named BCJSSE
> ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
> java.lang.UnsupportedOperationException: configure is not supported
> at java.base/java.security.Provider.configure(Provider.java:294)
> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
> at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
> at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:315)
> at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
> at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:173)
> at java.base/java.security.Security.getProviders(Security.java:455)
> at TestBCJSSE.main(TestBCJSSE.java:7)
> BCFIPS
> SUN
>
>
> which makes sense looking at
>
> https://hg.openjdk.java.net/jdk/jdk11/file/1ddf9a99e4ad/src/java.base/share/classes/java/security/Provider.java#l294
>
>
> Removing the fips:BCFIPS parameter, allows for BCJSSE to be loaded and usable, but - unfortunately - not in FIPS approved mode.
>
>
> Hope this helps,
> Ioannis
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, April 22, 2019 1:10 PM, David Hook <[hidden email]> wrote:
>
>>
>> Hmmm. Actually the stack trace below indicates an error in the
>> construction of the default DRBG for the BCFIPS provider. I think
>> something else might be going on here.
>>
>> Regards,
>>
>> David
>>
>> On 22/4/19 7:26 pm, Ioannis Kakavas wrote:
>>
>>>> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
>>>>     To be clear, trying to load BouncyCastleJsseProvider with a parameter is not possible because Provider throws an UnsupportedOperationException and BCJSSE is not loaded at all ( see stack trace below )
>>>>     Another option to releasing BCJSSE preconfigured in FIPS mode, would be to override and implement
>>>>
>>> public Provider configure(String configArg)
>>> in BouncyCastleJsseProvider as the default implementation in Provider is what throws the unsupported operation exception after JDK 9
>>> 2> ProviderConfig: Loading legacy provider: org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
>>> 2> ProviderConfig: Error loading provider org.bouncycastle.jsse.provider.BouncyCastleJsseProvider('fips:BCFIPS')
>>> 2> java.lang.UnsupportedOperationException: configure is not supported
>>> 2> at java.base/java.security.Provider.configure(Provider.java:294)
>>> 2> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
>>> 2> at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
>>> 2> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> 2> at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
>>> 2> at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
>>> 2> at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
>>> 2> at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
>>> 2> at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
>>> 2> at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
>>> 2> at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:81)
>>> 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>>> 2> at java.base/java.security.Security.getImpl(Security.java:701)
>>> 2> at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:242)
>>> 2> at java.base/sun.security.provider.SecureRandom.init(SecureRandom.java:102)
>>> 2> at java.base/sun.security.provider.SecureRandom.<init>(SecureRandom.java:79)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
>>> 2> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
>>> 2> at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
>>> 2> at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
>>> 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>>> 2> at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>>> 2> at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
>>> 2> at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
>>> 2> at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
>>> 2> at java.base/java.io.File$TempDirectory.<clinit>(File.java:1916)
>>> 2> at java.base/java.io.File.createTempFile(File.java:2076)
>>> 2> at com.sun.jna.Native.extractFromResourcePath(Native.java:1059)
>>> 2> at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:937)
>>> 2> at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
>>> 2> at com.sun.jna.Native.<clinit>(Native.java:190)
>>> 2> at java.base/java.lang.Class.forName0(Native Method)
>>> 2> at java.base/java.lang.Class.forName(Class.java:315)
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Tuesday, April 16, 2019 12:28 PM, Ioannis Kakavas [hidden email] wrote:
>>>
>>>> Hi there folk,
>>>> Would you mind sharing your plans if any, regarding the availability of the BouncyCastleFipsProvider for JDK11 ?
>>>> I can see in the roadmap [1] that 1.0.2 which is the next release, is tested against JDK11, but I'm wondering if you plan to release the provider in a way that can be installed and used with JDK11 as there doesn't seem to currently be a way.
>>>>
>>>> -   > JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been one of the common ways to configure the BouncyCastleFipsProvider statically. Would you plan to release the Provider as a module instead? Granted, this can be easily overcome by adding the bc-fips jar in the classpath of the application.
>>>>
>>>> -   Also, with JDK9 the ability to pass extra parameters to the Security Providers on load time was removed as well. (Related issue that refers to the behavior change: [2]). This, however, is the only available way to configure SunJSSE or BCJSSE to use the BCFIPS provider, and as such put the JSSE provider in FIPS Mode [3]. Would you plan to release a BCJSSE Procider that is pre-configured in FIPS mode?
>>>>     Best Regards
>>>>     Ioannis
>>>>     [1] https://www.bouncycastle.org/fips_java_roadmap.html
>>>>     [2] https://bugs.openjdk.java.net/browse/JDK-8217907
>>>>     [3] https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.7.pdf
>>>>
>
>
>