MySQL client does not use providers by default available in FIPS-enabled environment

[michalvavrik]

Questions

I am having trouble to use MySQL client in FIPS-enabled environment as RSA/ECB/OAEPWithSHA-1AndMGF1Padding set in the https://github.com/eclipse-vertx/vertx-sql-client/blob/master/vertx-mysql-client/src/main/java/io/vertx/mysqlclient/impl/util/RsaPublicKeyEncryptor.java#L59 is in OpenJDK provided by SunJCE provider in non-FIPS mode. But the provier is not present by default in FIPS-enabled env.

11:31:40,980 INFO  [app] 11:31:39,754 HTTP Request to /q/webauthn/register failed, error id: fca3b38c-d42c-4b73-8248-28a5070e0afc-1: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPWithSHA-1AndMGF1Padding
11:31:40,980 INFO  [app]    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:571)
11:31:40,980 INFO  [app]    at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:59)
11:31:40,980 INFO  [app]    at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:34)
11:31:40,980 INFO  [app]    at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.sendEncryptedPasswordWithServerRsaPublicKey(AuthenticationCommandBaseCodec.java:87)
11:31:40,980 INFO  [app]    at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.handleAuthMoreData(AuthenticationCommandBaseCodec.java:46)
11:31:40,981 INFO  [app]    at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.handleAuthentication(InitialHandshakeCommandCodec.java:179)
11:31:40,981 INFO  [app]    at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.decodePayload(InitialHandshakeCommandCodec.java:63)
11:31:40,981 INFO  [app]    at io.vertx.mysqlclient.impl.codec.MySQLDecoder.decodePackets(MySQLDecoder.java:69)
11:31:40,981 INFO  [app]    at io.vertx.mysqlclient.impl.codec.MySQLDecoder.channelRead(MySQLDecoder.java:45)
11:31:40,981 INFO  [app]    at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
11:31:40,981 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
11:31:40,981 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,981 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,981 INFO  [app]    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
11:31:40,982 INFO  [app]    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
11:31:40,982 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
11:31:40,982 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,982 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,982 INFO  [app]    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
11:31:40,982 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
11:31:40,982 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,982 INFO  [app]    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
11:31:40,982 INFO  [app]    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
11:31:40,983 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
11:31:40,983 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
11:31:40,983 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
11:31:40,983 INFO  [app]    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
11:31:40,983 INFO  [app]    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
11:31:40,983 INFO  [app]    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
11:31:40,983 INFO  [app]    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
11:31:40,983 INFO  [app]    at java.base/java.lang.Thread.run(Thread.java:840)
11:31:40,984 INFO  [app] Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPWithSHA-1AndMGF1Padding
11:31:40,984 INFO  [app]    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:137)
11:31:40,984 INFO  [app]    at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
11:31:40,984 INFO  [app]    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:564)
11:31:40,984 INFO  [app]    ... 30 more
11:31:40,984 INFO  [app] 11:31:39,917 HTTP Request to /q/webauthn/register failed, error id: fca3b38c-d42c-4b73-8248-28a5070e0afc-2: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPWithSHA-1AndMGF1Padding
11:31:40,984 INFO  [app]    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:571)
11:31:40,984 INFO  [app]    at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:59)
11:31:40,984 INFO  [app]    at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:34)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.sendEncryptedPasswordWithServerRsaPublicKey(AuthenticationCommandBaseCodec.java:87)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.handleAuthMoreData(AuthenticationCommandBaseCodec.java:46)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.handleAuthentication(InitialHandshakeCommandCodec.java:179)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.decodePayload(InitialHandshakeCommandCodec.java:63)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.MySQLDecoder.decodePackets(MySQLDecoder.java:69)
11:31:40,985 INFO  [app]    at io.vertx.mysqlclient.impl.codec.MySQLDecoder.channelRead(MySQLDecoder.java:45)
11:31:40,985 INFO  [app]    at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
11:31:40,985 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
11:31:40,985 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,986 INFO  [app]    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
11:31:40,986 INFO  [app]    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,986 INFO  [app]    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
11:31:40,986 INFO  [app]    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app]    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
11:31:40,987 INFO  [app]    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
11:31:40,987 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
11:31:40,987 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
11:31:40,987 INFO  [app]    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
11:31:40,987 INFO  [app]    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
11:31:40,987 INFO  [app]    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
11:31:40,987 INFO  [app]    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
11:31:40,987 INFO  [app]    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
11:31:40,988 INFO  [app]    at java.base/java.lang.Thread.run(Thread.java:840)
11:31:40,988 INFO  [app] Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPWithSHA-1AndMGF1Padding
11:31:40,988 INFO  [app]    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:137)
11:31:40,988 INFO  [app]    at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
11:31:40,988 INFO  [app]    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:564)
11:31:40,988 INFO  [app]    ... 30 more

Version

Vert.X 4.5.7.

Context

I'd expect that if the cipher has to be hardcoded, the default cipher is such that I can actually use in FIPS-enabled environment. with the RH OpenJDK without doing any extra work and have it working. For example RSA/ECB/PKCS1Padding could be used.

Do you have a reproducer?

Yes. Run it in FIPS-enabled environment.

Steps to reproduce

1. git clone git@github.com:michalvavrik/quarkus-test-suite.git
2. cd quarkus-test-suite/security/webauthn
3. git checkout feature/fix-webauth-fips
4. mvn clean verify -Dreruns=0 (if you don't have Quarkus 999-SNAPSHOT I guess you can also use -Dquarkus.platform.version=3.9.4 or some other version)

Extra

• RHEL 8.8, Red Hat OpenJDK 17 & 21, Quarkus extension, registry.access.redhat.com/rhscl/mysql-80-rhel7

[tsegismont]

Thanks for reporting this @michalvavrik , I'll take a look asap

[tsegismont]

@michalvavrik I've checked what the MySQL Connector for Java does for caching sha-2 authentication and it seems to use the same cipher.

Have you bean able to create a working setup with Quarkus + MySQL JDBC driver with fips mode enabled? In this case, can you help me do the same or get access to such an environment? I'd like to debug what the driver does in this case. Thanks

[michalvavrik]

@michalvavrik I've checked what the MySQL Connector for Java does for caching sha-2 authentication and it seems to use the same cipher.

Have you bean able to create a working setup with Quarkus + MySQL JDBC driver with fips mode enabled? In this case, can you help me do the same or get access to such an environment? I'd like to debug what the driver does in this case. Thanks

MySQL JDBC driver is now working in FIPS-enabled environment with the https://github.com/mysql/mysql-connector-j/blob/release/8.x/src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/CachingSha2PasswordPlugin.java#L156 RSA/ECB/PKCS1Padding, I can certainly give you temp access to such an environment. I'll send you DM.

[tsegismont]

@michalvavrik any news about this?

[michalvavrik]

@michalvavrik any news about this?

Yeah, right? I am terribly sorry to forgetting about you. ATM I have urgent work stuff, but I'll find time by the end of this week and prepare you env. I'll send you email before the end of the week.

[tsegismont]

No worries, this is not high priority from a community standpoint, so it can wait until next week. In fact, I won't be able to work on this immediately. Just wanted to give you heads-up so that we both plan some time.