PostgresSQL JDBC with SSL fails using BouncyCastle FIPS

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

PostgresSQL JDBC with SSL fails using BouncyCastle FIPS

Santiago Alejandro Agüero
Hi,

I have isolated the following small program which is failing with BoncyCastle FIPS but *not* with regular BouncyCastle.


public class PSQLTest {
    public static void main(String[] args) throws SQLException {
        Security.addProvider(new BouncyCastleFipsProvider());
        Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
        Security.addProvider(new Sun());

        String crt = "/home/saguero/tmp/psql-ssl/tie_server.crt";
        String der = "/home/saguero/tmp/psql-ssl/tie_server.der";
        String ca = "/home/saguero/tmp/psql-ssl/tie_server_ca.crt";
        String ssl = "sslmode=verify-full&sslcert=" + crt + "&sslkey=" + der + "&sslrootcert=" + ca;

        String url = "jdbc:postgresql://10.218.68.52/dbname?user=username&" + ssl;

        Connection connection = DriverManager.getConnection(url);
        connection.close();
    }
}


The exception  is "Attempt to sign/verify with RSA modulus already used for encrypt/decrypt."

Stacktrace:

Jan 18, 2018 2:58:24 PM org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
org.bouncycastle.crypto.IllegalKeyException: Attempt to sign/verify with RSA modulus already used for encrypt/decrypt.
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1183)
at java.security.Signature.initSign(Signature.java:550)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.getRawSigner(Unknown Source)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.DefaultTlsCredentialedSigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.TlsUtils.generateCertificateVerify(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:119)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:339)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:133)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:156)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:35)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:47)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:30)
at org.postgresql.Driver.makeConnection(Driver.java:414)
at org.postgresql.Driver.connect(Driver.java:282)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at PSQLTest2.main(PSQLTest2.java:32)

Exception in thread "main" org.postgresql.util.PSQLException: SSL error: internal_error(80)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:126)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:339)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:133)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:156)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:35)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:47)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:30)
at org.postgresql.Driver.makeConnection(Driver.java:414)
at org.postgresql.Driver.connect(Driver.java:282)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at PSQLTest2.main(PSQLTest2.java:32)
Caused by: org.bouncycastle.tls.TlsFatalAlert: internal_error(80)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:119)
... 13 more
Caused by: org.bouncycastle.crypto.IllegalKeyException: Attempt to sign/verify with RSA modulus already used for encrypt/decrypt.
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1183)
at java.security.Signature.initSign(Signature.java:550)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.getRawSigner(Unknown Source)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.DefaultTlsCredentialedSigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.TlsUtils.generateCertificateVerify(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
... 18 more



--
Santiago Alejandro Agüero
[hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: PostgresSQL JDBC with SSL fails using BouncyCastle FIPS

David Hook-3

This is due to RSA key re-use. There is a system property for overriding this behavior, org.bouncycastle.rsa.allow_multi_use documented in the user guide. Ideally you would remove the cause of the reuse though.

Regards,

David
 
On 19/01/18 05:01, Santiago Alejandro Agüero wrote:
Hi,

I have isolated the following small program which is failing with BoncyCastle FIPS but *not* with regular BouncyCastle.


public class PSQLTest {
    public static void main(String[] args) throws SQLException {
        Security.addProvider(new BouncyCastleFipsProvider());
        Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
        Security.addProvider(new Sun());

        String crt = "/home/saguero/tmp/psql-ssl/tie_server.crt";
        String der = "/home/saguero/tmp/psql-ssl/tie_server.der";
        String ca = "/home/saguero/tmp/psql-ssl/tie_server_ca.crt";
        String ssl = "sslmode=verify-full&sslcert=" + crt + "&sslkey=" + der + "&sslrootcert=" + ca;

        String url = "jdbc:postgresql://10.218.68.52/dbname?user=username&" + ssl;

        Connection connection = DriverManager.getConnection(url);
        connection.close();
    }
}


The exception  is "Attempt to sign/verify with RSA modulus already used for encrypt/decrypt."

Stacktrace:

Jan 18, 2018 2:58:24 PM org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
org.bouncycastle.crypto.IllegalKeyException: Attempt to sign/verify with RSA modulus already used for encrypt/decrypt.
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1183)
at java.security.Signature.initSign(Signature.java:550)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.getRawSigner(Unknown Source)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.DefaultTlsCredentialedSigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.TlsUtils.generateCertificateVerify(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:119)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:339)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:133)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:156)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:35)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:47)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:30)
at org.postgresql.Driver.makeConnection(Driver.java:414)
at org.postgresql.Driver.connect(Driver.java:282)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at PSQLTest2.main(PSQLTest2.java:32)

Exception in thread "main" org.postgresql.util.PSQLException: SSL error: internal_error(80)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:126)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:339)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:133)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:156)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:35)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:47)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:30)
at org.postgresql.Driver.makeConnection(Driver.java:414)
at org.postgresql.Driver.connect(Driver.java:282)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at PSQLTest2.main(PSQLTest2.java:32)
Caused by: org.bouncycastle.tls.TlsFatalAlert: internal_error(80)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
at org.postgresql.ssl.jdbc4.AbstractJdbc4MakeSSL.convert(AbstractJdbc4MakeSSL.java:119)
... 13 more
Caused by: org.bouncycastle.crypto.IllegalKeyException: Attempt to sign/verify with RSA modulus already used for encrypt/decrypt.
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1183)
at java.security.Signature.initSign(Signature.java:550)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.getRawSigner(Unknown Source)
at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsRSASigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.DefaultTlsCredentialedSigner.generateRawSignature(Unknown Source)
at org.bouncycastle.tls.TlsUtils.generateCertificateVerify(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
... 18 more



--
Santiago Alejandro Agüero
[hidden email]