JDK8 SunJSSE with BCFIPS - TLS v1.3 handshake failure due to unavailable signature scheme.

JDK8 SunJSSE with BCFIPS - TLS v1.3 handshake failure due to unavailable signature scheme.

Ioannis Kakavas
Since TLSv1.3 was backported in JDK8 in the latest update (u272), we started seeing TLS1.3 handshake failures in our tests on JDK 8 with SunJSSE in FIPS mode using BCFIPS. The server side is failing the handshake with a `No available authentication scheme` error, as it doesn't support any of the algorithms the client sends in its `signature_algorithms` extension.

The reason seems to be that:

1. TLSv1.3 dictates the use of RSASSA-PSS ( https://tools.ietf.org/html/rfc8446#section-4.4.3 )

    > In addition, the signature algorithm MUST be compatible with the key
    > in the sender's end-entity certificate.  RSA signatures MUST use an
    > RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5
    > algorithms appear in "signature_algorithms".  The SHA-1 algorithm
    > MUST NOT be used in any signatures of CertificateVerify messages.

2. The way that `SignatureScheme` attempts to load the Signature algorithm implementation from the security provider doesn't work with BCFIPS.

   In short, `SignatureScheme` calls `JsseJce.getSignature("RSASSA-PSS");`, which ends up calling `getService(String type, String algorithm)` in `BouncyCastleFipsProvider` with type `Signature` and algorithm `RSASSA-PSS`.
   The serviceMap in BCFIPS contains RSASSA-PSS services [1], but the naming used is different and thus they cannot be picked up; getService() returns null, which causes a `java.security.NoSuchAlgorithmException: no such algorithm: RSASSA-PSS for provider BCFIPS`.


In previous JDK8 versions with TLSv1.2, this is not an issue because RSASSA-PSS is not mandated and RSA_PKCS1_SHAX is used which can be loaded from BCFIPS.

I can share a minimal reproduction if it helps but this should be trivially reproducible with adoptopenjdk8u272

Any thoughts on whether this is an issue with the BouncyCastleFipsProvider or the JDK code?


Best Regards
Ioannis





Additional Information:

- JSSE Warning that RSASSA-PSS ( same for SHA384 and SHA512 ) is not supported by the security provider, that is logged both in the client and the server:

```
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.755 EET|Logger.java:765|RSASSA-PSS signature with SHA-256 is not supported by the underlying providers (
"throwable" : {
  java.security.NoSuchAlgorithmException: no such algorithm: RSASSA-PSS for provider BCFIPS
  at sun.security.jca.GetInstance.getService(GetInstance.java:101)
  at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
  at java.security.Signature.getInstance(Signature.java:435)
  at sun.security.ssl.JsseJce.getSignature(JsseJce.java:249)
  at sun.security.ssl.SignatureScheme$SigAlgParamSpec.<init>(SignatureScheme.java:200)
  at sun.security.ssl.SignatureScheme$SigAlgParamSpec.<clinit>(SignatureScheme.java:185)
  at sun.security.ssl.SignatureScheme.<clinit>(SignatureScheme.java:79)
  at sun.security.ssl.SignatureAlgorithmsExtension$SignatureSchemesSpec.toString(SignatureAlgorithmsExtension.java:133)
  at sun.security.ssl.SignatureAlgorithmsExtension$SignatureSchemesStringizer.toString(SignatureAlgorithmsExtension.java:150)
  at sun.security.ssl.SSLExtension.toString(SSLExtension.java:618)
  at sun.security.ssl.SSLExtensions.toString(SSLExtensions.java:349)
  at sun.security.ssl.ClientHello$ClientHelloMessage.toString(ClientHello.java:306)
  at sun.security.ssl.SSLLogger$SSLSimpleFormatter.formatObject(SSLLogger.java:591)
  at sun.security.ssl.SSLLogger$SSLSimpleFormatter.formatParameters(SSLLogger.java:425)
  at sun.security.ssl.SSLLogger$SSLSimpleFormatter.access$000(SSLLogger.java:249)
  at sun.security.ssl.SSLLogger.log(SSLLogger.java:189)
  at sun.security.ssl.SSLLogger.fine(SSLLogger.java:171)
  at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:689)
  at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
  at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
  at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
  at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
  at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
  at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
  at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
  at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:708)
  at sun.security.ssl.SSLSocketImpl.access$100(SSLSocketImpl.java:72)
  at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:961)
  at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
  at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
  at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
  at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
  at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
  at java.io.BufferedWriter.flush(BufferedWriter.java:254)
  at java.io.PrintWriter.flush(PrintWriter.java:320)
  at MyServer.run(MyServer.java:40)
  at java.lang.Thread.run(Thread.java:748)}

```


- TLS handshake up to the point of failure from the perspective of the server:

```
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.761 EET|Logger.java:765|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "02 4F 20 11 41 B2 E7 8B 44 B8 C8 E4 09 F6 59 D7 E1 F3 80 B1 F9 46 A7 96 8C 37 01 29 A1 A8 E5 DC",
  "session id"          : "73 E2 6F 7C B6 E8 F9 02 8B A2 92 42 A6 07 0C 9C 4E F7 FF 67 6A 40 A7 11 49 7F C8 A4 68 EE 0D E0",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ed25519, ed448, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ed25519, ed448, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 C0 11 77 46 61 80 69   8D A9 36 93 A2 4D BD F7  ...wFa.i..6..M..
            0010: 3B 5F A3 20 7E F1 C7 22   16 84 E9 A7 4C 47 53 48  ;_. ..."....LGSH
            0020: 28 ED D0 D3 6B D4 55 9C   B7 47 3A 28 32 A5 C6 EF  (...k.U..G:(2...
            0030: EB B6 45 07 AB B5 57 DA   AA C9 34 9F AA 3A F6 2D  ..E...W...4..:.-
            0040: 22
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.761 EET|Logger.java:765|Consumed extension: supported_versions
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.761 EET|Logger.java:765|Negotiated protocol version: TLSv1.3
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.762 EET|Logger.java:765|Consumed extension: psk_key_exchange_modes
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.762 EET|Logger.java:765|Handling pre_shared_key absence.
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.762 EET|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.762 EET|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.762 EET|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Consumed extension: supported_groups
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Ignore unsupported extension: ec_point_formats
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Consumed extension: signature_algorithms
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Consumed extension: signature_algorithms_cert
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Ignore unsupported extension: status_request_v2
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Ignore unsupported extension: extended_master_secret
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.763 EET|Logger.java:765|Ignore unavailable extension: cookie
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.765 EET|Logger.java:765|Consumed extension: key_share
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.765 EET|Logger.java:765|Ignore unsupported extension: renegotiation_info
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.765 EET|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Unsupported signature scheme: dsa_sha256
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Unsupported signature scheme: ecdsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Unsupported signature scheme: rsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Unsupported signature scheme: dsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Unsupported signature scheme: dsa_sha1
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.766 EET|Logger.java:765|Populated with extension: signature_algorithms
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Unsupported signature scheme: dsa_sha256
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Unsupported signature scheme: ecdsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Unsupported signature scheme: rsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Unsupported signature scheme: dsa_sha224
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Unsupported signature scheme: dsa_sha1
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Populated with extension: signature_algorithms_cert
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.767 EET|Logger.java:765|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|Ignore impact of unsupported extension: key_share
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|Ignore unavailable extension: pre_shared_key
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.768 EET|Logger.java:765|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.784 EET|Logger.java:765|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.785 EET|Logger.java:765|Produced ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "E8 22 21 A6 BC 91 FE DF C7 6F 8B 16 89 F9 D2 EB 16 59 90 BD 66 17 84 64 9A F9 BA 46 E0 A9 71 EB",
  "session id"          : "73 E2 6F 7C B6 E8 F9 02 8B A2 92 42 A6 07 0C 9C 4E F7 FF 67 6A 40 A7 11 49 7F C8 A4 68 EE 0D E0",
  "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": secp256r1
        "key_exchange": {
          0000: 04 9E 90 49 1C 9B 96 87   CF 1F 9D AA A5 49 BB 61  ...I.........I.a
          0010: A6 A8 48 5A DC A2 47 F6   33 EF D4 19 8E 47 CF 6A  ..HZ..G.3....G.j
          0020: 5F 64 F7 46 21 12 99 20   48 9C CC C9 FF 77 06 DE  _d.F!.. H....w..
          0030: D2 77 3F 03 C1 5B C1 F4   62 EB 31 94 D3 17 16 5A  .w?..[..b.1....Z
          0040: F2
        }
      },
    }
  ]
}
)
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.797 EET|Logger.java:765|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 0
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.798 EET|Logger.java:765|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 0
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.799 EET|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.799 EET|Logger.java:765|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.800 EET|Logger.java:765|Ignore unavailable max_fragment_length extension
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.800 EET|Logger.java:765|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.801 EET|Logger.java:765|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.801 EET|Logger.java:765|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.801 EET|Logger.java:765|Produced EncryptedExtensions message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.804 EET|Logger.java:765|Unsupported authentication scheme: ed25519
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.804 EET|Logger.java:765|Unsupported authentication scheme: ed448
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.804 EET|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.805 EET|Logger.java:765|Unable to produce CertificateVerify for signature scheme: rsa_pkcs1_sha256
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|Unsupported authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|Unsupported authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|Unsupported authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|WARNING|14|Thread-2|2020-11-02 12:59:30.807 EET|Logger.java:765|No available authentication scheme
javax.net.ssl|SEVERE|14|Thread-2|2020-11-02 12:59:30.808 EET|Logger.java:765|Fatal (HANDSHAKE_FAILURE): No available authentication scheme (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No available authentication scheme
  at sun.security.ssl.Alert.createSSLException(Alert.java:131)
  at sun.security.ssl.Alert.createSSLException(Alert.java:117)
  at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
  at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
  at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
  at sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:972)
  at sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:961)
  at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
  at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1152)
  at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1088)
  at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:725)
  at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
  at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
  at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
  at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
  at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
  at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
  at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
  at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
  at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:708)
  at sun.security.ssl.SSLSocketImpl.access$100(SSLSocketImpl.java:72)
  at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:961)
  at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
  at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
  at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
  at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
  at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
  at java.io.BufferedWriter.flush(BufferedWriter.java:254)
  at java.io.PrintWriter.flush(PrintWriter.java:320)
  at MyServer.run(MyServer.java:40)
  at java.lang.Thread.run(Thread.java:748)}

)
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.808 EET|Logger.java:765|close the underlying socket
javax.net.ssl|FINE|14|Thread-2|2020-11-02 12:59:30.808 EET|Logger.java:765|close the SSL connection (initiative)
java.net.SocketException: Connection or outbound has closed
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:967)
        at java.io.OutputStream.write(OutputStream.java:75)
        at MyServer.run(MyServer.java:41)
        at java.lang.Thread.run(Thread.java:748)
```





[1] The list seems to be [Signature.SHA1WITHRSA/ISO9796-2PSS, Signature.RIPEMD128WITHRSA/ISO9796-2PSS, Signature.SHA3-256WITHRSA/PSS, Signature.SHA3-384WITHRSA/PSS, Signature.SHA224WITHRSA/PSS, Signature.SHA512(256)WITHRSA/ISO9796-2PSS, Signature.SHA512(224)WITHRSA/ISO9796-2PSS, Signature.SHA512(256)WITHRSA/PSS, Signature.SHA512WITHRSA/PSS, Signature.SHA512(224)WITHRSA/PSS, Signature.SHA384WITHRSA/ISO9796-2PSS, Signature.SHA384WITHRSA/PSS, Signature.SHA3-512WITHRSA/PSS, Signature.SHA256WITHRSA/PSS, Signature.SHA1WITHRSA/PSS, Signature.SHA256WITHRSA/ISO9796-2PSS, Signature.SHA3-224WITHRSA/PSS, Signature.RIPEMD160WITHRSA/ISO9796-2PSS, Signature.PSS, Signature.SHA512WITHRSA/ISO9796-2PSS, Signature.SHA224WITHRSA/ISO9796-2PSS]
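The name-resolution failure described above can be checked directly, without a TLS handshake. The following Java program is an added example (not code from this thread or from Bouncy Castle): it walks every installed provider, lists the `Signature` services whose name mentions PSS, and then asks each such provider for the exact name SunJSSE's `SignatureScheme` uses (`RSASSA-PSS`) and for the id-RSASSA-PSS OID (`1.2.840.113549.1.1.10`, the standard PKCS#1 OID) with and without the `OID.` prefix. A provider that lists PSS services but fails the `RSASSA-PSS` lookup is exactly the alias gap the post describes. The class name `PssProbe` is an arbitrary choice; the program assumes BCFIPS is already registered in `java.security`, as in the FIPS-mode setup the post refers to.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Diagnostic for JCA algorithm-name resolution of RSASSA-PSS (added example, not from the thread). */
public class PssProbe {

    // The name SunJSSE asks for (see the NoSuchAlgorithmException in the post) and the
    // id-RSASSA-PSS OID (PKCS#1) that a provider may register as an alias instead.
    static final String[] CANDIDATES = {
        "RSASSA-PSS",
        "1.2.840.113549.1.1.10",
        "OID.1.2.840.113549.1.1.10"
    };

    /** Signature service names of a provider whose algorithm name contains "PSS". */
    static List<String> pssServiceNames(Provider p) {
        List<String> names = new ArrayList<>();
        for (Provider.Service s : p.getServices()) {
            if ("Signature".equals(s.getType())
                    && s.getAlgorithm().toUpperCase(Locale.ROOT).contains("PSS")) {
                names.add(s.getAlgorithm());
            }
        }
        return names;
    }

    /** True if Signature.getInstance(algorithm, p) succeeds, i.e. the name or an alias is registered. */
    static boolean resolves(Provider p, String algorithm) {
        try {
            Signature.getInstance(algorithm, p);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            List<String> pss = pssServiceNames(p);
            if (pss.isEmpty()) {
                continue; // provider offers no PSS signatures at all; nothing to check
            }
            System.out.println(p.getName() + " " + p.getVersion());
            System.out.println("  PSS Signature services: " + pss);
            for (String candidate : CANDIDATES) {
                String result = resolves(p, candidate) ? "OK" : "NoSuchAlgorithmException";
                System.out.println("  Signature.getInstance(\"" + candidate + "\") -> " + result);
            }
        }
    }
}
```

Run it with the same JDK and `java.security` configuration as the failing server (`java -cp <bc-fips jar>:. PssProbe`). On a JDK 8u272 where BCFIPS is the only provider, the expected symptom is a non-empty PSS service list (matching footnote [1]) together with `NoSuchAlgorithmException` for `RSASSA-PSS`; a provider that has registered the alias reports `OK` on the first line. The OID rows show whether an OID-based lookup, which Peter Dettman raises as an alternative, would already succeed.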








Re: JDK8 SunJSSE with BCFIPS - TLS v1.3 handshake failure due to unavailable signature scheme.

Peter Dettman-3
Hi Ioannis,

Presumably it's just a matter of us providing the correct algorithm
names (aliases) that the implementation is looking for. e.g. if the
openjdk code was asking using the OID:
PKCSObjectIdentifiers.id_RSASSA_PSS then I think the current fips jar
would have that already. However there may well be other issues to do
with key factories, et al. after this first issue anyway. There's no
substitute for actually running the code and trapping all the errors.

Unfortunately the BCFIPS jar takes a long time to update, so we can't
respond immediately to new developments. I think in this case we are
only a short way off the next version's code freeze, so we probably have
a good opportunity to update these entries.

We already found a few of these for bc-java I think, as we have been
working on TLS 1.3 support in our BCJSSE provider and trying to stay
compatible with the names used by SunJSSE. However it is quite difficult
to exhaustively capture all the needed algorithm names, so any help
compiling lists of such things would go a long way. Otherwise it's a
long time between BCFIPS releases.

Regards,
Pete Dettman


On 2/11/20 6:43 pm, Ioannis Kakavas wrote:
> Since TLSv1.3 was backported in JDK8 in the latest update (u272), we started seeing TLS1.3 handshake failures in our tests on JDK 8 with SunJSSE in FIPS mode using BCFIPS. The server side is failing the handshake with a `No available authentication scheme` error, as it doesn't support any of the algorithms the client sends in its `signature_algorithms` extension.

> 2. The way that `SignatureScheme` attempts to load the Signature algorithm implementation from the security provider doesn't work with BCFIPS.
>
>    In short, `SignatureScheme` calls `JsseJce.getSignature("RSASSA-PSS");`, which ends up calling `getService(String type, String algorithm)` in `BouncyCastleFipsProvider` with type `Signature` and algorithm `RSASSA-PSS`.
>    The serviceMap in BCFIPS contains RSASSA-PSS services [1], but the naming used is different and thus they cannot be picked up; getService() returns null, which causes a `java.security.NoSuchAlgorithmException: no such algorithm: RSASSA-PSS for provider BCFIPS`.

> Any thoughts on whether this is an issue with the BouncyCastleFipsProvider or the JDK code?


Re: JDK8 SunJSSE with BCFIPS - TLS v1.3 handshake failure due to unavailable signature scheme.

Ioannis Kakavas
Hi Pete,

Thanks for the quick reply here.

> I think in this case we are only a short way off the next version's code freeze, so we probably have a good opportunity to update these entries.

I guess we are talking 1.0.3, right?


> However it is quite difficult
> to exhaustively capture all the needed algorithm names, so any help
> compiling lists of such things would go a long way.

Happy to help out if we can. Anything in particular you are interested in/haven't looked at yet?

//Ioannis


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, November 2, 2020 3:22 PM, Peter Dettman <[hidden email]> wrote:

> Hi Ioannis,
>
> Presumably it's just a matter of us providing the correct algorithm
> names (aliases) that the implementation is looking for. e.g. if the
> openjdk code was asking using the OID:
> PKCSObjectIdentifiers.id_RSASSA_PSS then I think the current fips jar
> would have that already. However there may well be other issues to do
> with key factories, et al. after this first issue anyway. There's no
> substitute for actually running the code and trapping all the errors.
>
> Unfortunately the BCFIPS jar takes a long time to update, so we can't
> respond immediately to new developments. I think in this case we are
> only a short way off the next version's code freeze, so we probably have
> a good opportunity to update these entries.
>
> We already found a few of these for bc-java I think, as we have been
> working on TLS 1.3 support in our BCJSSE provider and trying to stay
> compatible with the names used by SunJSSE. However it is quite difficult
> to exhaustively capture all the needed algorithm names, so any help
> compiling lists of such things would go a long way. Otherwise it's a
> long time between BCFIPS releases.
>
> Regards,
> Pete Dettman
>
> On 2/11/20 6:43 pm, Ioannis Kakavas wrote:
>
> > Since TLSv1.3 was backported in JDK8 in the latest update (u272), we started seeing TLS1.3 handshake failures in our tests on JDK 8 with SunJSSE in FIPS mode using BCFIPS. The server side is failing the handshake with a `No available authentication scheme` error, as it doesn't support any of the algorithms the client sends in its `signature_algorithms` extension.
>
> > 2.  The way that `SignatureScheme` attempts to load the Signature algorithm implementation from the security provider doesn't work with BCFIPS.
> >     In short, `SignatureScheme` calls `JsseJce.getSignature("RSASSA-PSS");`, which ends up calling `getService(String type, String algorithm)` in `BouncyCastleFipsProvider` with type `Signature` and algorithm `RSASSA-PSS`.
> >     The serviceMap in BCFIPS contains RSASSA-PSS services [1], but the naming used is different and thus they cannot be picked up; getService() returns null, which causes a `java.security.NoSuchAlgorithmException: no such algorithm: RSASSA-PSS for provider BCFIPS`.
> >
>
> > Any thoughts on whether this is an issue with the BouncyCastleFipsProvider or the JDK code?