Open KostasTsiounis opened 3 months ago
Hi @KostasTsiounis,
We have updated our JVM argument with `jdk.nativeDigest=false` and we are still getting the `MD5 not supported` error.
I ran into the same issue with a Semeru 17.0.12.0 docker image (on top of UBI 9). openssl failed (or rejected) to provide an implementation for MD5 in a FIPS enabled OCP cluster. Adding `-Djdk.nativeDigest=false` to my Java invocation helped.
We have many images that add their Java app on top of a common base image layer that brings the latest Semeru version to app development teams.
Is there any way to force the JVM option on the base image, e.g. by adding it to java.security or a comparable file? Or maybe env variables?
You could try `export JAVA_TOOL_OPTIONS='-Djdk.nativeDigest=false'` or `export JAVA_OPTS='-Djdk.nativeDigest=false'`, which appends those options whenever you run Java. Keep in mind though that this will affect all of your Java processes.
@KostasTsiounis @kgibm @JamesKingdon
As we already discussed in the Slack thread, we have been blocked from upgrading our product's OL/Semeru version to the latest for the last 2 releases. Just wanted to check with you on when we can expect this "MD5 in FIPS mode" issue to be resolved. I could see the latest OpenLiberty version got released yesterday. Will this JVM argument `jdk.nativeDigest=false` be a feature for the coming releases? Will you be able to provide an update on your resolution plan?
The `jdk.nativeDigest=false` JVM option is available now. MD5 cannot be allowed through OpenSSL FIPS, but we are working on a two-fold fix. For one, we will add another JVM option, namely `jdk.nativeMD5=false`, that will allow you to disable native support for MD5 alone without compromising performance of other digests like SHA-256. Then on top of that, we'll implement some logic to avoid using OpenSSL for some algorithms when it is detected to be in FIPS mode, and effectively just use the Java implementation.
Unfortunately, this fix will probably not be in for the release that's coming up in the next few weeks, but rather the one after that, which means sometime in January.
To help resolve this issue, a few changes have been implemented.
First of all, more granular JVM options have been added for the different digests. More specifically, there is a `jdk.nativeMD5=false` JVM option that is now available, allowing you to disable just MD5 instead of all digests.
Moreover, additional functionality was added to check if the underlying OpenSSL is in FIPS mode. In that case, the Java implementation is used for MD5 instead of the native one.
Those changes should be available in the upcoming Semeru release.
I think this issue can be closed after those changes. @jasonkatonica What do you think?
Pls link the list of changes, I don't see them mentioned in this issue. The changes in jdk(next) are fine.
Sure. Here are the PRs for those changes:
- Granular digest flags instead of just the one:
- Check if OpenSSL is in FIPS mode:
The `UUID.nameUUIDFromBytes()` method requires the use of MD5. But MD5 is not FIPS-compliant. So, if the `RestrictedSecurity` profile used doesn't include MD5, or if `RestrictedSecurity` isn't used but the underlying OpenSSL is in FIPS mode, an error occurs and the method cannot be used.
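To check whether a given image is affected, and whether `-Djdk.nativeDigest=false` (or the finer-grained `jdk.nativeMD5=false`, once it ships) actually took effect, a small probe along these lines can be run inside the container, once with and once without the option. This is an added example, not code from this issue or from the Semeru project; the class and method names `Md5FipsProbe`, `md5Provider` and `nameUuidOrNull` are chosen here, and the `InternalError("MD5 not supported")` it catches is what OpenJDK's `UUID.nameUUIDFromBytes` throws when `MessageDigest.getInstance("MD5")` fails.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.ProviderException;
import java.util.UUID;

/**
 * Probe whether MD5, and therefore UUID.nameUUIDFromBytes(), works on this JVM.
 * Added example, not part of the issue thread or the Semeru code base.
 * Usage:  java Md5FipsProbe            (default settings)
 *         java -Djdk.nativeDigest=false Md5FipsProbe
 */
public class Md5FipsProbe {

    /** Returns the provider name that supplied a working MD5, or null if it is unavailable. */
    static String md5Provider() {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            // Actually run a digest: a FIPS-restricted backend may only fail at this point.
            md.update("probe".getBytes(StandardCharsets.UTF_8));
            md.digest();
            return md.getProvider().getName();
        } catch (GeneralSecurityException | ProviderException e) {
            return null;
        }
    }

    /** Returns the name-based UUID, or null when the JDK reports "MD5 not supported". */
    static UUID nameUuidOrNull(byte[] name) {
        try {
            return UUID.nameUUIDFromBytes(name);
        } catch (InternalError e) {
            // UUID.nameUUIDFromBytes wraps NoSuchAlgorithmException in InternalError("MD5 not supported")
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor          = " + System.getProperty("java.vendor"));
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));
        System.out.println("jdk.nativeDigest     = " + System.getProperty("jdk.nativeDigest", "(unset)"));
        System.out.println("jdk.nativeMD5        = " + System.getProperty("jdk.nativeMD5", "(unset)"));

        String provider = md5Provider();
        System.out.println("MD5 available        = " + (provider != null)
                + (provider != null ? " (provider " + provider + ")" : ""));

        UUID uuid = nameUuidOrNull("example".getBytes(StandardCharsets.UTF_8));
        System.out.println("nameUUIDFromBytes    = "
                + (uuid != null ? uuid : "FAILED: MD5 not supported"));
    }
}
```

Running the probe in the base image (for example via `JAVA_TOOL_OPTIONS`) gives a quick pass/fail signal that the option is inherited by downstream images, without having to wait for an application to hit `UUID.nameUUIDFromBytes()` at runtime.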