When trying to run Quarkus with TLS enabled on a Semeru 17 JVM with FIPS mode enabled, the Quarkus application fails to start with the stacktrace below.
This is because the FIPS mode of Semeru requires that private keys in keystores have a long password (minimum 16 characters long), but the KeyStoreHelper class of Vert.x creates an intermediate in-memory keystore with a null password.
The stacktrace is:
2023-10-12 08:55:36,121 ERROR [io.qua.run.Application] (main) Failed to start application (with profile [prod]): java.lang.RuntimeException: Failed to start quarkus
at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
at io.quarkus.runtime.Application.start(Application.java:101)
at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:111)
at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
at io.quarkus.runtime.Quarkus.run(Quarkus.java:124)
at io.quarkus.runner.GeneratedMain.main(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:61)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:32)
Caused by: java.lang.RuntimeException: Unable to start HTTP server
at io.quarkus.vertx.http.runtime.VertxHttpRecorder.doServerStart(VertxHttpRecorder.java:854)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder.startServer(VertxHttpRecorder.java:342)
at io.quarkus.deployment.steps.VertxHttpProcessor$openSocket189362710.deploy_0(Unknown Source)
at io.quarkus.deployment.steps.VertxHttpProcessor$openSocket189362710.deploy(Unknown Source)
... 13 more
Caused by: java.util.concurrent.ExecutionException: java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Error deriving PBKDF2 keys
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder.doServerStart(VertxHttpRecorder.java:775)
... 16 more
Caused by: java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Error deriving PBKDF2 keys
at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:709)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetEntry(PKCS12KeyStore.java:1442)
at java.base/sun.security.util.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:174)
at java.base/java.security.KeyStore.setEntry(KeyStore.java:1585)
at io.vertx.core.net.impl.KeyStoreHelper.loadKeyCert(KeyStoreHelper.java:296)
at io.vertx.core.net.PemKeyCertOptions.getHelper(PemKeyCertOptions.java:421)
at io.vertx.core.net.PemKeyCertOptions.getKeyManagerFactory(PemKeyCertOptions.java:439)
at io.vertx.core.net.impl.SSLHelper.lambda$build$6(SSLHelper.java:246)
at io.vertx.core.impl.ContextBase.lambda$executeBlocking$1(ContextBase.java:180)
at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
at io.vertx.core.impl.ContextBase.lambda$internalExecuteBlocking$2(ContextBase.java:199)
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76)
at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:857)
Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Error deriving PBKDF2 keys
at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:957)
at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:631)
... 18 more
Caused by: java.lang.RuntimeException: Error deriving PBKDF2 keys
at java.base/com.sun.crypto.provider.PBKDF2KeyImpl.deriveKey(PBKDF2KeyImpl.java:219)
at java.base/com.sun.crypto.provider.PBKDF2KeyImpl.<init>(PBKDF2KeyImpl.java:130)
at java.base/com.sun.crypto.provider.PBKDF2Core.engineGenerateSecret(PBKDF2Core.java:70)
at java.base/com.sun.crypto.provider.PBES2Core.engineInit(PBES2Core.java:280)
at java.base/com.sun.crypto.provider.PBES2Core.engineInit(PBES2Core.java:309)
at java.base/javax.crypto.Cipher.implInit(Cipher.java:875)
at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:929)
at java.base/javax.crypto.Cipher.init(Cipher.java:1585)
at java.base/javax.crypto.Cipher.init(Cipher.java:1516)
at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:937)
... 19 more
Caused by: java.security.InvalidKeyException: init() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:214)
at java.base/javax.crypto.Mac.init(Mac.java:432)
at java.base/com.sun.crypto.provider.PBKDF2KeyImpl.deriveKey(PBKDF2KeyImpl.java:191)
... 28 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Mac.initialize(P11Mac.java:183)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:212)
... 30 more
Version
Reproduced on 4.4.4 and 4.4.5
Do you have a reproducer?
Reproduction requires a Semeru 17 JVM running on a Red Hat x86_64 system with FIPS mode enabled. See https://www.ibm.com/support/pages/node/6612693 and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies
Download and install Semeru from https://github.com/ibmruntimes/semeru17-certified-binaries/releases/download/jdk-17.0.8.1%2B1_openj9-0.40.0/ibm-semeru-certified-jdk_x64_linux_17.0.8.1.tar.gz
Then this sample app reproduces the issue: https://github.com/Nicolas-Duboc-IBM/vertx-fips-issue-sample
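
A probe for the failure described in this issue, added here as an example (it is not code from the issue, Vert.x or Quarkus): it loads a PEM key and certificate and tries to store the key in an in-memory PKCS12 keystore, first with an empty password and then with a random 32-character one. The class name, the command-line arguments and the use of an empty password to stand in for the null one are assumptions.

```java
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
// Added diagnostic (hypothetical class name); not Vert.x or Quarkus code.
public class KeystorePasswordProbe {
    // Parse an unencrypted PKCS#8 PEM file ("BEGIN PRIVATE KEY").
    static PrivateKey readKey(Path pem, String alg) throws Exception {
        String b64 = Files.readString(pem).replaceAll("-----[A-Z ]+-----|\\s", "");
        return KeyFactory.getInstance(alg)
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }
    static Certificate[] readChain(Path pem) throws Exception {
        try (var in = Files.newInputStream(pem)) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new Certificate[0]);
        }
    }
    // Random password of the given length; length 0 yields an empty password.
    static char[] randomPassword(int length) {
        byte[] raw = new byte[length];
        new SecureRandom().nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw).substring(0, length).toCharArray();
    }
    // Store the key in a fresh in-memory PKCS12 keystore; null means accepted, else the root cause.
    static Throwable tryStore(PrivateKey key, Certificate[] chain, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(null, null);
            ks.setEntry("probe", new KeyStore.PrivateKeyEntry(key, chain),
                    new KeyStore.PasswordProtection(password));
            return null;
        } catch (Exception e) {
            Throwable t = e;
            while (t.getCause() != null) t = t.getCause();
            return t;
        }
    }
    public static void main(String[] args) throws Exception {
        PrivateKey key = readKey(Path.of(args[0]), args.length > 2 ? args[2] : "RSA");
        Certificate[] chain = readChain(Path.of(args[1]));
        for (int len : new int[] {0, 32}) {
            Throwable cause = tryStore(key, chain, randomPassword(len));
            System.out.println("password length " + len + ": " + (cause == null ? "accepted" : cause));
        }
    }
}
```

Run it on the affected JVM as `java KeystorePasswordProbe.java key.pem cert.pem [RSA|EC]`, passing the PEM files the server is configured with; the key file must be unencrypted PKCS#8.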