Open RaghuramEttaboina opened 1 month ago
dghgit
commented
1 month ago You could try -Djava.security.debug=provider and see what it tells you. My guess is it will tell you the securerandom.strongAlgorithms isn't pointing at anything that exists. With the Redhat VM, from memory I think they do do something a bit weird with the SecureRandom settings in FIPS mode, I'd check to see what the valid hardware RNG is for the VM as well.
ramtech123
commented
2 weeks ago I have the similar issue with FIPS enabled AlmaLinux 9.2 VM as well as VMware Photon 4.0 VM, running on VMware ESXi hypervisor.
In both cases, my main thread is stuck waiting for secure random and the application is hung. Below is excerpt from thread dump capture in AlmaLinux for your reference.
"main" #1 prio=5 os_prio=0 cpu=568612.59ms elapsed=577.14s tid=0x00007fe6c0028910 nid=0xe6e runnable [0x00007fe6c7317000]
java.lang.Thread.State: RUNNABLE
at java.util.regex.Pattern$GroupTail.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$CharPropertyGreedy.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$GroupHead.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$BmpCharProperty.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$GroupHead.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$Branch.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$GroupTail.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$CharPropertyGreedy.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$GroupHead.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Pattern$BmpCharPropertyGreedy.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Matcher.match(java.base@17.0.11.0.1/Unknown Source)
at java.util.regex.Matcher.matches(java.base@17.0.11.0.1/Unknown Source)
at java.security.SecureRandom.getInstanceStrong(java.base@17.0.11.0.1/Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1.invoke(java.base@17.0.11.0.1/Unknown Source)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(java.base@17.0.11.0.1/Unknown Source)
at java.lang.reflect.Method.invoke(java.base@17.0.11.0.1/Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at java.security.AccessController.executePrivileged(java.base@17.0.11.0.1/Unknown Source)
at java.security.AccessController.doPrivileged(java.base@17.0.11.0.1/Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$900(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at java.security.AccessController.executePrivileged(java.base@17.0.11.0.1/Unknown Source)
at java.security.AccessController.doPrivileged(java.base@17.0.11.0.1/Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source)
- locked <0x0000000740aad558> (a [Ljava.util.concurrent.atomic.AtomicReference;)
at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:28)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
at sun.security.jca.GetInstance.getInstance(java.base@17.0.11.0.1/Unknown Source)
at sun.security.jca.GetInstance.getInstance(java.base@17.0.11.0.1/Unknown Source)
at java.security.SecureRandom.getInstance(java.base@17.0.11.0.1/Unknown Source)
at java.security.SecureRandom.getInstanceStrong(java.base@17.0.11.0.1/Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1.invoke(java.base@17.0.11.0.1/Unknown Source)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(java.base@17.0.11.0.1/Unknown Source)
at java.lang.reflect.Method.invoke(java.base@17.0.11.0.1/Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at java.security.AccessController.executePrivileged(java.base@17.0.11.0.1/Unknown Source)
at java.security.AccessController.doPrivileged(java.base@17.0.11.0.1/Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source)
.......
.......
<same stack repeats>I looked for the RNGs and the entropy available in the VMs.
Below are the results for AlmaLinux 9.2 VM
> cat /sys/devices/virtual/misc/hw_random/rng_current
none
> cat /sys/devices/virtual/misc/hw_random/rng_available
<empty result>
> lsmod | grep rng
ansi_cprng 16384 0
> cat /proc/sys/kernel/random/entropy_avail
256I thought the issue was due to missing hardware RNG in the above AlmaLinux VM, causing lack of entropy. But, below are the results for Photon 4.0 VM and I still have the same issue with BCFIPS 2.x application.
> cat /sys/devices/virtual/misc/hw_random/rng_current
rdrand_rng
> cat /sys/devices/virtual/misc/hw_random/rng_available
rdrand_rng
> lsmod | grep rng
rdrand_rng 16384 0
rng_core 20480 1 rdrand_rng
> cat /proc/sys/kernel/random/entropy_avail
256I initialize the FIPS providers as below.
Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
// After facing issue with BCFIPS 2.x, also tried with HYBRID constructor parameter as below, without success.
// Security.insertProviderAt(new BouncyCastleFipsProvider("C:HYBRID;ENABLE{ALL};"), 1);
Security.insertProviderAt(new BouncyCastleJsseProvider("fips:BCFIPS"), 2);With BCFIPS 1.x, application is launching fine in both the VMs.
Any recommendations to overcome this issue? Thanks
ramtech123
commented
1 week ago Update:
I was able to get it working a few days ago. In my case, I had a custom java.security file, it was missing securerandom.strongAlgorithms configuration. Setting it to SUN provider's NativePRNG variant had finally resolved the issue.
We recently upgraded our bc-fips jar from 1.0.2.5 to 2.0.0 after that we are facing below issue on starting of tomcat server or when I ran command "java -cp bc-fips-2.0.0.jar org.bouncycastle.util.DumpInfo" : Exception in thread "main" java.lang.StackOverflowError at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$900(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source) at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source) at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:28) at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source) at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:296) at java.base/java.security.SecureRandom.(SecureRandom.java:225)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$900(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source)
at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:28)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:296)
at java.base/java.security.SecureRandom.(SecureRandom.java:225)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
We are trying this in a Redhat VM and below is the FIPS provider order : fips.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS fips.provider.3=sun.security.provider.SUN
fips.provider.4=XMLDSig
I tried solutions provided in https://github.com/bcgit/bc-java/issues/1800 but didn't help.
Any quick support will be appreciated.