  1. JBoss Enterprise Application Platform
  2. JBEAP-8857

Elytron, unable to use FIPS BC for https

Details

    • Bug
    • Resolution: Cannot Reproduce
    • Major

    Description

      • configured java to use BouncyCastleFipsProvider
        java.security
        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
        security.provider.2=sun.security.provider.Sun
        security.provider.3=sun.security.rsa.SunRsaSign
        security.provider.4=sun.security.ec.SunEC
        security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS
        security.provider.6=com.sun.crypto.provider.SunJCE
        security.provider.7=sun.security.jgss.SunProvider
        security.provider.8=com.sun.security.sasl.Provider
        security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
        security.provider.10=sun.security.smartcardio.SunPCSC
        
      • Generate BCFKS keystore
        keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v
        
      • Configure Undertow to use BCFKS keystore
        /subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})
        /subsystem=elytron/key-managers=bcfks_keymanager:add(key-store=bcfks_keystore,credential-reference={clear-text=password}, algorithm=SunX509)
        /subsystem=elytron/server-ssl-context=bcfks_ssl_context:add(key-managers=bcfks_keymanager, protocols=[TLSv1.1], cipher-suite-filter="TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA")
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=bcfks_ssl_context)
        
      • Access https://localhost:8443. Exception occurs: No default SecureRandom specified and one requested - use CryptoServicesRegistrar.setSecureRandom().
      14:18:48,958 INFO  [stdout] (default I/O-6) Using SSLEngineImpl.
      14:18:48,960 INFO  [stdout] (default I/O-6) Allow unsafe renegotiation: false
      14:18:48,960 INFO  [stdout] (default I/O-6) Allow legacy hello messages: true
      14:18:48,960 INFO  [stdout] (default I/O-6) Is initial handshake: true
      14:18:48,960 INFO  [stdout] (default I/O-6) Is secure renegotiation: false
      14:18:48,961 INFO  [stdout] (default I/O-6) [Raw read]: length = 5
      14:18:48,961 INFO  [stdout] (default I/O-6) 0000: 16 03 01 00 BA                                     .....
      14:18:48,961 INFO  [stdout] (default I/O-6) [Raw read]: length = 186
      14:18:48,965 INFO  [stdout] (default I/O-6) default I/O-6, READ: TLSv1 Handshake, length = 186
      14:18:48,966 INFO  [stdout] (default task-15) *** ClientHello, TLSv1.2
      14:18:48,966 INFO  [stdout] (default task-15) RandomCookie:  GMT: -1513162802 bytes = { 136, 191, 24, 71, 190, 211, 76, 188, 45, 209, 214, 202, 30, 59, 81, 75, 159, 135, 198, 29, 115, 167, 48, 132, 216, 233, 159, 186 }
      14:18:48,966 INFO  [stdout] (default task-15) Session ID:  {}
      14:18:48,966 INFO  [stdout] (default task-15) Cipher Suites: [Unknown 0xaa:0xaa, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
      14:18:48,966 INFO  [stdout] (default task-15) Compression Methods:  { 0 }
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_64250, data: 
      14:18:48,966 INFO  [stdout] (default task-15) Extension renegotiation_info, renegotiated_connection: <empty>
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_23, data: 
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_35, data: 
      14:18:48,966 INFO  [stdout] (default task-15) Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension status_request, data: 01:00:00:00:00
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_18, data: 
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_30032, data: 
      14:18:48,966 INFO  [stdout] (default task-15) Extension ec_point_formats, formats: [uncompressed]
      14:18:48,966 INFO  [stdout] (default task-15) Extension elliptic_curves, curve names: {unknown curve 51914, unknown curve 29, 1.2.840.10045.3.1.7, 1.3.132.0.34}
      14:18:48,966 INFO  [stdout] (default task-15) Unsupported extension type_51914, data: 00
      14:18:48,966 INFO  [stdout] (default task-15) ***
      14:18:48,966 INFO  [stdout] (default task-15) [read] MD5 and SHA1 hashes:  len = 186
      14:18:48,970 INFO  [stdout] (default task-15) %% Initialized:  [Session-15, SSL_NULL_WITH_NULL_NULL]
      14:18:48,972 INFO  [stdout] (default task-15) %% Negotiating:  [Session-15, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
      14:18:48,973 INFO  [stdout] (default task-15) *** ServerHello, TLSv1.1
      14:18:48,973 INFO  [stdout] (default task-15) RandomCookie:  GMT: 1470387512 bytes = { 42, 79, 213, 13, 18, 161, 229, 191, 19, 153, 138, 114, 203, 93, 154, 48, 119, 19, 189, 58, 29, 42, 237, 144, 184, 153, 200, 182 }
      14:18:48,973 INFO  [stdout] (default task-15) Session ID:  {88, 164, 85, 56, 192, 148, 151, 99, 221, 146, 121, 218, 245, 83, 77, 12, 117, 196, 45, 85, 215, 120, 108, 129, 249, 63, 100, 101, 127, 192, 131, 160}
      14:18:48,973 INFO  [stdout] (default task-15) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      14:18:48,973 INFO  [stdout] (default task-15) Compression Method: 0
      14:18:48,973 INFO  [stdout] (default task-15) Extension renegotiation_info, renegotiated_connection: <empty>
      14:18:48,973 INFO  [stdout] (default task-15) ***
      14:18:48,973 INFO  [stdout] (default task-15) Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      14:18:48,973 INFO  [stdout] (default task-15) *** Certificate chain
      14:18:48,974 INFO  [stdout] (default task-15) chain [0] =   [0]         Version: 3
      14:18:48,974 INFO  [stdout] (default task-15)          SerialNumber: 1338569861
      14:18:48,974 INFO  [stdout] (default task-15)              IssuerDN: CN=appserver, OU=Sales, O=Systems Inc, L=Raleigh, ST=NC, C=US
      14:18:48,974 INFO  [stdout] (default task-15)            Start Date: Wed Feb 15 13:56:29 CET 2017
      14:18:48,974 INFO  [stdout] (default task-15)            Final Date: Fri Feb 15 13:56:29 CET 2019
      14:18:48,974 INFO  [stdout] (default task-15)             SubjectDN: CN=appserver, OU=Sales, O=Systems Inc, L=Raleigh, ST=NC, C=US
      14:18:48,974 INFO  [stdout] (default task-15)            Public Key: RSA Public Key
      14:18:48,974 INFO  [stdout] (default task-15)     public exponent: 10001
      14:18:48,974 INFO  [stdout] (default task-15) 
      14:18:48,974 INFO  [stdout] (default task-15)   Signature Algorithm: SHA256WITHRSA
      14:18:48,975 INFO  [stdout] (default task-15)        Extensions: 
      14:18:48,975 INFO  [stdout] (default task-15)                        critical(false) 2.5.29.14 value = DER Octet String[20] 
      14:18:48,975 INFO  [stdout] (default task-15) 
      14:18:48,975 INFO  [stdout] (default task-15) 
      14:18:48,975 INFO  [stdout] (default task-15) ***
      14:18:48,979 INFO  [stdout] (default I/O-6) default I/O-6, fatal error: 80: problem unwrapping net record
      14:18:48,979 INFO  [stdout] (default I/O-6) java.lang.RuntimeException: No default SecureRandom specified and one requested - use CryptoServicesRegistrar.setSecureRandom().
      14:18:48,979 INFO  [stdout] (default I/O-6) %% Invalidated:  [Session-15, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
      14:18:48,979 INFO  [stdout] (default I/O-6) default I/O-6, SEND TLSv1.1 ALERT:  fatal, description = internal_error
      14:18:48,979 INFO  [stdout] (default I/O-6) default I/O-6, WRITE: TLSv1.1 Alert, length = 2
      14:18:48,979 INFO  [stdout] (default I/O-6) default I/O-6, called closeInbound()
      14:18:48,979 INFO  [stdout] (default I/O-6) default I/O-6, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      14:18:48,980 INFO  [stdout] (default I/O-6) default I/O-6, called closeOutbound()
      14:18:48,980 INFO  [stdout] (default I/O-6) default I/O-6, closeOutboundInternal()
      14:18:48,980 ERROR [org.xnio.nio] (default I/O-6) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@14614c43 failed with an exception: java.lang.RuntimeException: No default SecureRandom specified and one requested - use CryptoServicesRegistrar.setSecureRandom().
      	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
      	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      	at org.wildfly.security.ssl.AbstractDelegatingSSLEngine.unwrap(AbstractDelegatingSSLEngine.java:56)
      	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
      	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
      	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
      	at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
      Caused by: java.lang.IllegalStateException: No default SecureRandom specified and one requested - use CryptoServicesRegistrar.setSecureRandom().
      	at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandom(Unknown Source)
      	at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory$RSASigner.getSigningStream(Unknown Source)
      	at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
      	at java.security.Signature$Delegate.engineInitSign(Signature.java:1183)
      	at java.security.Signature.initSign(Signature.java:550)
      	at sun.security.ssl.RSASignature.engineInitSign(RSASignature.java:126)
      	at sun.security.ssl.RSASignature.engineInitSign(RSASignature.java:118)
      	at java.security.Signature$Delegate.engineInitSign(Signature.java:1174)
      	at java.security.Signature.initSign(Signature.java:527)
      	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1030)
      	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:899)
      	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
      	at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
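
A stand-alone probe for the call in the "Caused by" frames above (Signature.initSign reaching CryptoServicesRegistrar.getSecureRandom()), run outside Elytron and Undertow. It is an added example, not code from the issue or from JBoss EAP: the class name, nonce and generated key are constructed, bc-fips-1.0.0.jar is assumed to be on the classpath, and whether the first call fails depends on the JVM and provider setup.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.EntropySourceProvider;
import org.bouncycastle.crypto.fips.FipsDRBG;
import org.bouncycastle.crypto.util.BasicEntropySourceProvider;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Hypothetical probe class; not part of JBoss EAP, Elytron or Bouncy Castle. */
public class BcFipsInitSignProbe {

    /** Returns null when initSign succeeds, otherwise the exception type and message. */
    static String tryInitSign(PrivateKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA", "BCFIPS");
        try {
            sig.initSign(key); // no SecureRandom supplied by the caller
            return null;
        } catch (RuntimeException e) { // the trace shows IllegalStateException here
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Appended last, so new SecureRandom() below is still served by the JDK provider.
        Security.addProvider(new BouncyCastleFipsProvider());

        // DRBG seeded from the JDK's SecureRandom; the nonce is a constructed sample value.
        EntropySourceProvider entropy = new BasicEntropySourceProvider(new SecureRandom(), true);
        SecureRandom drbg = FipsDRBG.SHA512_HMAC.fromEntropySource(entropy)
                .setSecurityStrength(256)
                .setEntropyBitsRequired(256)
                .build("constructed probe nonce".getBytes(StandardCharsets.UTF_8), true);

        // The key generator gets the DRBG explicitly, so it needs no registered default.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BCFIPS");
        kpg.initialize(2048, drbg);
        PrivateKey key = kpg.generateKeyPair().getPrivate();

        String before = tryInitSign(key);
        System.out.println("before setSecureRandom: " + (before == null ? "ok" : before));

        // The remedy named in the exception message.
        CryptoServicesRegistrar.setSecureRandom(drbg);

        String after = tryInitSign(key);
        System.out.println("after setSecureRandom:  " + (after == null ? "ok" : after));
    }
}
```

Run it with the same JVM and java.security file as the server to compare the two results against the handshake failure in the log.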
      

          People

            Unassigned Unassigned
            mchoma@redhat.com Martin Choma