BCFIPS Approved Mode default value clarification


BCFIPS Approved Mode default value clarification

Ioannis Kakavas
Hi folks,

Reading through [1] and [2], I get the impression that when a JVM is running with Security Manager enabled and no permission has been explicitly set for unapprovedModeEnabled, all threads should start with approved only mode.

More specifically [1] mentions:

"If the underlying JVM is running with a Java Security Manager installed the module will
be running in approved mode with secret and private key export disabled."

and [2] mentions:

"CryptoServicesRegistrar calculates the default mode of operation based on the granting of permission org.bouncycastle.crypto.CryptoServicesPermission “unapprovedModeEnabled”;
If this permission is granted by the security manager, then the JVM will start threads in a default of unapproved mode. If this permission is not granted by the security manager, then the JVM will start threads in the approved mode only."

My test setup is openjdk-8 with only
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

enabled, and a vanilla java.policy file (which doesn't contain any grants for org.bouncycastle.crypto.CryptoServicesPermission “unapprovedModeEnabled”;).


Running the following with security manager enabled

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import java.security.Provider;
import java.security.Security;

public class Main {

    public static void main(String[] args) {
        if (null != System.getSecurityManager()){
            System.out.println("Running with security manager");
        }
        Provider[] providers = Security.getProviders();
        for (Provider p: providers){
            System.out.println("Enabled Security Provider: "+p.getName());
        }
        System.out.println("Is in approved only mode: "+CryptoServicesRegistrar.isInApprovedOnlyMode());
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("Is in approved only mode: "+CryptoServicesRegistrar.isInApprovedOnlyMode());
    }
}


I get

Running with security manager
Enabled Security Provider: BCFIPS
Is in approved only mode: false
Is in approved only mode: true


This seems to indicate that the JVM starts with unapproved mode allowed, and I need to explicitly set it to approved only mode with CryptoServicesRegistrar.setApprovedOnlyMode(true);

Is there an issue with the test setup or with my understanding of the default value of approved only mode?


Best Regards
Ioannis


[1] https://bouncycastle.org/fips/BCSecurityPolicy.pdf - Section 1.2
[2] https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.0.pdf Appendix B 2.1




Re: BCFIPS Approved Mode default value clarification

David Hook-3

I think there might be a problem with what is in the policy file.

Regards,

David

On 11/06/18 22:52, Ioannis Kakavas wrote:




Re: BCFIPS Approved Mode default value clarification

Ioannis Kakavas
Thanks for the answer and the pointer, David; you were absolutely right.

A leftover (pretty permissive) grant

grant codeBase "file:/path/to/my/ext/*" {
    permission java.security.AllPermission;
};

was the culprit. Sorry for the noise.

//Ioannis

------- Original Message -------

On June 14, 2018 3:02 PM, David Hook <[hidden email]> wrote:

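The thread's first post asks how to tell whether a JVM is really starting BCFIPS in approved-only mode, and the last post shows that a leftover AllPermission grant (which implies every CryptoServicesPermission, including “unapprovedModeEnabled”) was silently answering that question. The following diagnostic is an added example written for this page; it is not code from the posts above or from Bouncy Castle. It assumes the BC-FJA jar is on the classpath, that the JVM is launched with -Djava.security.manager and a -Djava.security.policy file, that org.bouncycastle.crypto.CryptoServicesPermission has a public single-String constructor (as the user guide's policy examples use), and that, as the user guide describes, the approved-only setting is per thread. It checks the policy directly with AccessController.checkPermission, compares the result with what CryptoServicesRegistrar reports, and flags the AllPermission case explicitly.

```java
// Added diagnostic for the thread above; not code from the original posts or from
// Bouncy Castle. Assumes: bc-fips on the classpath, a SecurityManager installed via
// -Djava.security.manager, CryptoServicesPermission(String) as a public constructor,
// and (per the BC-FJA user guide) a per-thread approved-only setting.
import org.bouncycastle.crypto.CryptoServicesPermission;
import org.bouncycastle.crypto.CryptoServicesRegistrar;

import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;

public class ApprovedModeCheck {

    /** True if every protection domain on the current call stack holds p. */
    static boolean isGranted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /** Reads the registrar's approved-only flag from a freshly started thread. */
    static boolean approvedOnlyInNewThread() throws InterruptedException {
        final boolean[] result = new boolean[1];
        Thread t = new Thread(() -> result[0] = CryptoServicesRegistrar.isInApprovedOnlyMode());
        t.start();
        t.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        if (System.getSecurityManager() == null) {
            System.out.println("No security manager installed; start the JVM with -Djava.security.manager");
            return;
        }

        // Permission name taken from the user guide passage quoted in the thread.
        boolean unapprovedGranted = isGranted(new CryptoServicesPermission("unapprovedModeEnabled"));
        // AllPermission implies every other permission, including the one above; this is
        // how the leftover grant in the last post enabled unapproved mode without naming it.
        boolean allGranted = isGranted(new AllPermission());
        boolean approvedOnlyHere = CryptoServicesRegistrar.isInApprovedOnlyMode();

        System.out.println("AllPermission granted to this code : " + allGranted);
        System.out.println("unapprovedModeEnabled granted      : " + unapprovedGranted);
        System.out.println("isInApprovedOnlyMode() (main)      : " + approvedOnlyHere);

        // Per the quoted user guide text the two flags should be opposites: permission
        // granted -> threads default to unapproved mode; not granted -> approved only.
        if (unapprovedGranted == approvedOnlyHere) {
            System.out.println("Policy and registrar disagree; look for a stale policy file or a broad grant.");
        } else if (allGranted) {
            System.out.println("Unapproved mode is allowed only via AllPermission; narrow the grant to enforce approved-only mode.");
        } else {
            System.out.println("Policy and registrar agree; the default mode follows the unapprovedModeEnabled grant.");
        }

        // Forcing approved-only mode here is a per-thread change, so a new thread still
        // shows the JVM-wide default that the policy produced.
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("isInApprovedOnlyMode() (main, after set) : " + CryptoServicesRegistrar.isInApprovedOnlyMode());
        System.out.println("isInApprovedOnlyMode() (new thread)      : " + approvedOnlyInNewThread());
    }
}
```

Because AccessController.checkPermission evaluates the protection domains on the calling stack, run this class from the same code base as the application code that uses BCFIPS; a grant keyed to a different codeBase (such as the ext directory in the last post) will not show up otherwise. The useful outcome is the second branch: when unapproved mode is allowed only because AllPermission is present, the fix is the one the thread arrives at, removing that grant rather than calling setApprovedOnlyMode(true) thread by thread.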