
Documentation should state that BouncyCastle FIPS doesn't work in native, though only in a FIPS-enabled environment, with Mandrel 23.1 #43935

Open
@michalvavrik

Description

Describe the bug

(This is more of a suggestion for a docs improvement, but I am opening it as a bug in case I misunderstood the situation.)

I am using BouncyCastle FIPS in native mode. It "works" when FIPS is not enabled, but when I run my application with registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1 inside a FIPS-enabled environment, both Security.getProvider("BCFIPS") and Security.getProviders() fail with UnsupportedFeatureError. They do not fail with RH OpenJDK 21 when FIPS is enabled. I asked @jerboaa and IIUC this is expected behavior. However, I am opening this ticket because https://quarkus.io/guides/security-customization#bouncy-castle-fips says that native is supported, and I think users like me can expect that BCFIPS will work in a FIPS-enabled env.

Expected behavior

I think documentation should mention this fact.

Actual behavior

Exception for Security.getProviders():

12:25:07,778 INFO  [app] Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BCFIPS.
12:25:07,778 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
12:25:07,779 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.reinitialize(SecuritySubstitutions.java:712)
12:25:07,779 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.getProvider(SecuritySubstitutions.java:665)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:165)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderList.getIndex(ProviderList.java:301)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:285)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.ProviderList.getProvider(ProviderList.java:291)
12:25:07,779 INFO  [app] 	at java.base@21.0.4/sun.security.jca.GetInstance.getService(GetInstance.java:81)
12:25:07,780 INFO  [app] 	at java.base@21.0.4/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
12:25:07,780 INFO  [app] 	at java.base@21.0.4/java.security.Signature.getInstance(Signature.java:403)
12:25:07,780 INFO  [app] 	at io.quarkus.ts.security.bouncycastle.fips.BouncyCastleFipsEndpoint.checkSHA256withRSAandMGF1(BouncyCastleFipsEndpoint.java:24)

How to Reproduce?

Steps to reproduce the behavior in a FIPS-enabled environment:

git clone https://github.com/quarkus-qe/quarkus-test-suite
cd quarkus-test-suite/security/bouncycastle-fips/bcfips
mvn clean verify -Dit.test=BouncyCastleFipsIT -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.native-image-xmx=5g -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1 -Dquarkus-plugin.version=3.15.1.redhat-00002 -Dquarkus.platform.version=3.15.1.redhat-00002 -Dquarkus.platform.artifact-id=quarkus-bom -Dquarkus.platform.group-id=com.redhat.quarkus.platform

(I'll probably disable it in native in FIPS, so maybe uncomment that disable annotation when I add it.)

Output of uname -a or ver

RHEL 8.9

Output of java -version

OpenJDK Runtime Environment (Red_Hat-21.0.4.0.7-1) (build 21.0.4+7-LTS)

Mandrel or GraalVM version (if different from Java)

registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1

Quarkus version or git rev

3.15.1

Build tool (i.e. output of mvnw --version or gradlew --version)

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)

Additional information

No response
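A startup probe for the failure described in this report, as an added example (not code from quarkus-test-suite or Quarkus): it looks up the BCFIPS provider, resolves the same SHA256withRSAandMGF1 signature the endpoint in the stack trace uses, and classifies an UnsupportedFeatureError separately so a native deployment fails fast at startup instead of on the first request. The class, method and enum names are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Startup self-test for the failure in the report above (added example, not the
// quarkus-test-suite's code): confirm the BCFIPS provider is usable before the
// first real request, instead of hitting UnsupportedFeatureError inside
// Signature.getInstance at request time.
public final class BcFipsStartupCheck {

    public enum Status { USABLE, NOT_REGISTERED, UNSUPPORTED_IN_NATIVE, BROKEN }

    static final String PROVIDER = "BCFIPS";
    // Algorithm the report's endpoint exercises (checkSHA256withRSAandMGF1).
    static final String ALGORITHM = "SHA256withRSAandMGF1";

    public static Status probe() {
        final Provider provider;
        try {
            // In native mode the lookup itself can trigger provider (re)loading,
            // which is what throws in the reported stack trace.
            provider = Security.getProvider(PROVIDER);
        } catch (Throwable t) {
            return classify(t);
        }
        if (provider == null) {
            return Status.NOT_REGISTERED;
        }
        try {
            // Resolve against this provider explicitly so a different provider's
            // implementation is never silently substituted.
            Signature.getInstance(ALGORITHM, provider);
            return Status.USABLE;
        } catch (Throwable t) {
            return classify(t);
        }
    }

    // Tell the native-image limitation apart from any other failure. Matched by
    // class name so this compiles without the SVM classes on the classpath.
    private static Status classify(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if ("com.oracle.svm.core.jdk.UnsupportedFeatureError".equals(c.getClass().getName())) {
                return Status.UNSUPPORTED_IN_NATIVE;
            }
        }
        return Status.BROKEN;
    }
}
```

Call probe() from a startup hook and refuse to start unless it returns USABLE; logging the other three outcomes distinctly makes a misconfigured FIPS deployment visible in the startup log rather than in a request-time stack trace.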
