aws-samples / aws-cloudhsm-jce-examples

Sample applications demonstrating how to use the CloudHSM JCE
MIT No Attribution

Login Methods Other Than 'explicit' Not Working #26

Closed dpond closed 1 year ago

dpond commented 5 years ago

Hi Ryan,

Avni asked me to file this issue. We're (Adobe) trying to build/test the samples against our HSM instance, and I'm only able to get things working using the 'explicit' method. If I attempt to use 'system-properties' or 'environment', then all of the samples fail with "Exception in thread "main" java.security.NoSuchProviderException: JCE cannot authenticate the provider Cavium". Also, I've set up an 'HsmCredentials.properties' file, and it doesn't seem to get used/found either.

What this means is that doing the 'mvn verify' step listed in the README always fails even if I have the HSM_USER, HSM_PASSWORD, and HSM_PARTITION environment vars set (or if I have the HsmCredentials.properties file specified in my $CLASSPATH with those entities set). I can get login-runner.jar to work if I set all of the 'explicit' params. I can't get any of the other samples to work because only LoginRunner seems to use the LoginManager. All of the other samples seem to rely on the implicit mechanisms.

rday commented 5 years ago

Do you have the following information about your test environment handy: OS used, client version, and Java version?

Is the key management utility working correctly (login, create a key)?

Thanks!

dpond commented 5 years ago

$ more /etc/centos-release
CentOS release 6.9 (Final)
$ ll /opt/cloudhsm/java/
total 2284
-rw-r--r--. 1 root root  161001 May 13 13:36 cloudhsm-2.0.3.jar
-rw-r--r--. 1 root root    5084 May 13 13:36 cloudhsm-test-2.0.3.jar
-rw-r--r--. 1 root root  306578 May 13 13:36 hamcrest-all-1.3.jar
-rw-r--r--. 1 root root  245039 May 13 13:36 junit.jar
-rw-r--r--. 1 root root  226170 May 13 13:36 log4j-api-2.8.jar
-rw-r--r--. 1 root root 1381528 May 13 13:36 log4j-core-2.8.jar
$ java -version
java version "1.8.0_162"
Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)

key_mgmt_util is working:

Command: loginHSM -u CU -s **** -p ****

Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Command: loginStatus

CU has logged-in

rday commented 5 years ago

This is confirmed on CentOS 6.9. CentOS 6.10 is passing tests. CentOS 6.10 could be a mitigation in the short term. Investigation in progress.

rday commented 5 years ago

After further investigation we are able to use JCE login on CentOS 6.9 and RHEL 6.9. The previous failure we saw was due to a failed login count on the HSM. Once we reset the password, we were able to log in.

Could you provide the full stack trace that you see when using system-properties and environment?

dpond commented 5 years ago

Full output from the 'mvn verify' (after 'mvn clean package' completes successfully):

$ mvn verify
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building aws-cloudhsm-jce-examples 1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-install-plugin:2.5.1:install-file (install-log4j-core) @ aws-cloudhsm-jce-examples ---
[INFO] Installing /opt/cloudhsm/java/log4j-core-2.8.jar to /home/dpond/.m2/repository/org/apache/logging/log4j-core/log4j-core/2.8/log4j-core-2.8.jar
[INFO] Installing /tmp/mvninstall7632894654224936200.pom to /home/dpond/.m2/repository/org/apache/logging/log4j-core/log4j-core/2.8/log4j-core-2.8.pom
[INFO]
[INFO] --- maven-install-plugin:2.5.1:install-file (install-log4j-api) @ aws-cloudhsm-jce-examples ---
[INFO] Installing /opt/cloudhsm/java/log4j-api-2.8.jar to /home/dpond/.m2/repository/org/apache/logging/log4j-api/log4j-api/2.8/log4j-api-2.8.jar
[INFO] Installing /tmp/mvninstall8651693991347708277.pom to /home/dpond/.m2/repository/org/apache/logging/log4j-api/log4j-api/2.8/log4j-api-2.8.pom
[INFO]
[INFO] --- maven-install-plugin:2.5.1:install-file (install-cloudhsm-jce) @ aws-cloudhsm-jce-examples ---
[INFO] pom.xml not found in cloudhsm-2.0.3.jar
[INFO] Installing /opt/cloudhsm/java/cloudhsm-2.0.3.jar to /home/dpond/.m2/repository/com/cavium/cloudhsm/2.0.3/cloudhsm-2.0.3.jar
[INFO] Installing /tmp/mvninstall910651047845588565.pom to /home/dpond/.m2/repository/com/cavium/cloudhsm/2.0.3/cloudhsm-2.0.3.pom
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ aws-cloudhsm-jce-examples ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /home/dpond/aws-cloudhsm-jce-examples/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ aws-cloudhsm-jce-examples ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ aws-cloudhsm-jce-examples ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /home/dpond/aws-cloudhsm-jce-examples/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ aws-cloudhsm-jce-examples ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ aws-cloudhsm-jce-examples ---
[INFO] No tests to run.
[INFO]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ aws-cloudhsm-jce-examples ---
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-login) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-client-failure) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-cbc-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-ecb-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-aesgcm-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-wrapping-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-signature) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-keystore) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-rsawrap-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-rsaops-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-ecops-runner) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-key-utility) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- maven-shade-plugin:2.4.1:shade (build-rsaimport-utility) @ aws-cloudhsm-jce-examples ---
[INFO] Including org.apache.logging.log4j-core:log4j-core:jar:2.8 in the shaded jar.
[INFO] Including org.apache.logging.log4j-api:log4j-api:jar:2.8 in the shaded jar.
[INFO] Including com.cavium:cloudhsm:jar:2.0.3 in the shaded jar.
[INFO]
[INFO] --- exec-maven-plugin:1.6.0:exec (verify-login) @ aws-cloudhsm-jce-examples ---
ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
Exception in thread "main" java.security.NoSuchProviderException: JCE cannot authenticate the provider Cavium
	at javax.crypto.JceSecurity.getInstance(JceSecurity.java:105)
	at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:265)
	at com.amazonaws.cloudhsm.examples.SymmetricKeys.generateAESKey(SymmetricKeys.java:46)
	at com.amazonaws.cloudhsm.examples.LoginRunner.loginWithEnvVariables(LoginRunner.java:171)
	at com.amazonaws.cloudhsm.examples.LoginRunner.main(LoginRunner.java:95)
Caused by: java.util.jar.JarException: file:/home/dpond/aws-cloudhsm-jce-examples/target/assembly/login-runner.jar has unsigned entries - com/amazonaws/cloudhsm/examples/SymmetricKeys.class
	at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:502)
	at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:363)
	at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
	at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
	at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
	at javax.crypto.JceSecurity.getInstance(JceSecurity.java:102)
	... 4 more
[ERROR] Command execution failed.
org.apache.commons.exec.ExecuteException: Process exited with an error: 1 (Exit value: 1)
    at org.apache.commons.exec.DefaultExecutor.executeInternal (DefaultExecutor.java:404)
    at org.apache.commons.exec.DefaultExecutor.execute (DefaultExecutor.java:166)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:804)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:751)
    at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.507 s
[INFO] Finished at: 2019-08-06T19:55:58-07:00
[INFO] Final Memory: 18M/617M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.6.0:exec (verify-login) on project aws-cloudhsm-jce-examples: Command execution failed.: Process exited with an error: 1 (Exit value: 1) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

rday commented 5 years ago

I see the problem in the stack trace:

Caused by: java.util.jar.JarException: file:/home/dpond/aws-cloudhsm-jce-examples/target/assembly/login-runner.jar has unsigned entries - com/amazonaws/cloudhsm/examples/SymmetricKeys.class

com/amazonaws/cloudhsm/examples/SymmetricKeys.class is unsigned. Our sample code is only supported, and tested, with OpenJDK.

Could you run the following command using Oracle java:

java -Djava.library.path=/opt/cloudhsm/lib -classpath "/opt/cloudhsm/java/*" \
     org.junit.runner.JUnitCore TestBasicFunctionality

This will verify the CloudHSM jar is loading correctly.

Are you able to try running the samples using OpenJDK?
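A name-level check for the failure rday points at, added here as an example and not code from the samples or the CloudHSM provider: it lists the entries of a shaded jar that no META-INF/*.SF signature file covers, which is what Oracle JDK's JCE JarVerifier reports as "unsigned entries". The sample jar, its dummy digests and the class name com/cavium/provider/CaviumProvider.class are constructed for the example.

```python
"""List entries of a (shaded) jar that no JAR signature file vouches for.

Oracle JDK's JCE refuses a provider jar that contains classes not listed
in a META-INF/*.SF file; that is the "has unsigned entries -
com/amazonaws/cloudhsm/examples/SymmetricKeys.class" error in this thread.
"""
import io
import zipfile


def _sf_names(sf_text):
    """Return the entry names listed in a JAR signature (.SF) file.

    Manifest-style lines are folded at 72 bytes; a continuation line
    starts with a single space, so join those back before scanning.
    """
    unfolded = sf_text.replace("\r\n", "\n").replace("\n ", "")
    return {
        line[len("Name: "):]
        for line in unfolded.split("\n")
        if line.startswith("Name: ")
    }


def unsigned_entries(jar_bytes):
    """Return the jar entries that appear in no .SF file (sorted).

    Directories and files under META-INF/ are exempt, as in the JDK's
    JarVerifier. This is a name-level check only: it does not verify
    the digests or the signature block, which the JDK also checks.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        signed = set()
        for name in jar.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                signed |= _sf_names(jar.read(name).decode("utf-8"))
        return sorted(
            name for name in jar.namelist()
            if not name.endswith("/")
            and not name.startswith("META-INF/")
            and name not in signed
        )


def build_sample_jar():
    """Constructed sample: a signed vendor class shaded together with an
    unsigned application class, mimicking login-runner.jar in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        # The signature file names only the vendor's class (dummy digest).
        jar.writestr("META-INF/CAVIUM.SF",
                     "Signature-Version: 1.0\r\n\r\n"
                     "Name: com/cavium/provider/CaviumProvider.class\r\n"
                     "SHA-256-Digest: AAAA\r\n\r\n")
        jar.writestr("META-INF/CAVIUM.RSA", b"\x30\x00")  # placeholder block
        jar.writestr("com/cavium/provider/CaviumProvider.class", b"\xca\xfe")
        jar.writestr("com/amazonaws/cloudhsm/examples/SymmetricKeys.class", b"\xca\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsigned_entries(build_sample_jar()):
        print("unsigned entry:", entry)
```

The JDK's own check is jarsigner -verify -verbose on the jar; rday's command above avoids the problem by keeping the provider jar on the classpath instead of inside the shaded application jar.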

RommyDuarte commented 1 year ago

Hi. My case is the opposite. I am using the JCE 5.8.0 version and I am not allowed to use the explicit login method.

loginWithExplicitCredentials com.amazonaws.cloudhsm.jce.jni.exception.FailedLoginException: Incorrect credentials are passed for this operation: Incorrect authentication credentials.

when I pass the credentials by variables.

System.setProperty("HSM_USER", user);
System.setProperty("HSM_PASSWORD", pass);

Explict login unavailable using system credentials.: java.lang.IllegalStateException
java.lang.IllegalStateException: Explict login unavailable using system credentials.
	at com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider.login(CloudHsmProvider.java:673)
	at com.soyyo.lambda.CipherTransitLambda.loginWithPinOnGivenProvider(CipherTransitLambda.java:72)
	at com.soyyo.lambda.CipherTransitLambda.loginWithExplicitCredentials(CipherTransitLambda.java:65)
	at com.soyyo.lambda.CipherTransitLambda.handleRequest(CipherTransitLambda.java:35)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)

It fails in this code.

public static void loginWithExplicitCredentials(String user, String pass) {
    AuthProvider provider;
    // The credentials are also placed in system properties here, which is
    // what the "Explicit login unavailable using system credentials" error
    // above refers to.
    System.setProperty("HSM_USER", user);
    System.setProperty("HSM_PASSWORD", pass);
    try {
        provider = (AuthProvider) Security.getProvider(CloudHsmProvider.PROVIDER_NAME);
        if (provider == null) {
            provider = new CloudHsmProvider();
        }
        Security.addProvider(provider);
    } catch (IOException | ProviderInitializationException | LoginException ex) {
        logger.info(
                "CipherTransitLambda.handleRequest() | loginWithExplicitCredentials "
                        + ex + " \n");
        return;
    }
    // loginWithPinOnGivenProvider and logout are the poster's own helpers (not shown).
    loginWithPinOnGivenProvider(user, pass, CloudHsmProvider.PROVIDER_NAME);
    logout(provider);
}

rday commented 1 year ago

@RommyDuarte it looks like you are using system properties to set the user/password. However, you are trying to use the explicit login method. Please try to use one or the other. If there is still a problem please open a new Issue.

RommyDuarte commented 1 year ago

Thanks.

raman1212 commented 9 months ago

I am having the same issue that Rommy is getting. I am passing the creds correctly to the method but still it is failing. I am getting a null provider from this statement - provider = (AuthProvider) Security.getProvider(CloudHsmProvider.PROVIDER_NAME); - and then it's trying to do an implicit login using the below block, which checks for a null provider.

Pls let me know if there is another thread opened for the same issue or tell me here if I am missing anything in the process.

com.amazonaws.cloudhsm.jce.jni.exception.FailedLoginException: Incorrect credentials are passed for this operation: Incorrect authentication credentials.
	at com.amazonaws.cloudhsm.jce.jni.Session.do_login(Native Method)
	at com.amazonaws.cloudhsm.jce.jni.Session.login(Session.java:22)
	at com.amazonaws.cloudhsm.jce.provider.LoginManager.login(LoginManager.java:88)
	at com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider.login(CloudHsmProvider.java:666)
	at com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider.attemptImplicitLogin(CloudHsmProvider.java:621)
	at com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider.<init>(CloudHsmProvider.java:165)
	at one.card.rest.cloud.aws.services.LoginRunner.loginWithExplicitCredentials(LoginRunner.java:98)

RommyDuarte commented 9 months ago

My problem was because I was using KMS to encrypt the environment variables of my lambda and in that process with CloudHsm it failed to decode. What I did was use secrets and with this I already had the user and pass data correctly.