hierynomus / smbj

Server Message Block (SMB2, SMB3) implementation in Java

BCSecurityProvider doesn't work with BC FIPS #665

Closed pboyd04 closed 3 years ago

pboyd04 commented 3 years ago

When using the BC FIPS library the BCSecurityProvider throws an exception related to the fact that BCFIPS doesn't have org.bouncycastle.crypto.Digest. The BCSecurityProvider also doesn't seem to have the code to work around FIPS lacking MD4 functionality.

```
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/crypto/Digest
        at com.hierynomus.security.bc.BCMessageDigest.<clinit>(BCMessageDigest.java:32)
        at com.hierynomus.security.bc.BCSecurityProvider.getDigest(BCSecurityProvider.java:33)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.calculatePreauthHashValue(SMBProtocolNegotiator.java:174)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.handlePreAuthNegotiateContext(SMBProtocolNegotiator.java:163)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.initializeNegotiationContext(SMBProtocolNegotiator.java:104)
        at com.hierynomus.smbj.connection.SMBProtocolNegotiator.negotiateDialect(SMBProtocolNegotiator.java:82)
        at com.hierynomus.smbj.connection.Connection.connect(Connection.java:137)
        at com.hierynomus.smbj.SMBClient.getEstablishedOrConnect(SMBClient.java:108)
        at com.hierynomus.smbj.SMBClient.connect(SMBClient.java:79)
        at com.pboyd.App.main(App.java:50)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.crypto.Digest
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
```

pboyd04 commented 3 years ago

Resolving this then results in an exception about CipherParameters which BCFIPS also doesn't have....

```
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/crypto/CipherParameters
        at com.hierynomus.security.bc.BCSecurityProvider.getMac(BCSecurityProvider.java:45)
        at com.hierynomus.ntlm.functions.NtlmFunctions.hmac_md5(NtlmFunctions.java:121)
        at com.hierynomus.ntlm.functions.NtlmFunctions.NTOWFv2(NtlmFunctions.java:65)
        at com.hierynomus.smbj.auth.NtlmAuthenticator.authenticate(NtlmAuthenticator.java:96)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.processAuthenticationToken(SMBSessionBuilder.java:178)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.setupSession(SMBSessionBuilder.java:141)
        at com.hierynomus.smbj.connection.SMBSessionBuilder.establish(SMBSessionBuilder.java:109)
        at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:202)
        at com.pboyd.App.main(App.java:52)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.crypto.CipherParameters
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
```

rokkakasu commented 3 years ago

Hi @pboyd04 ,

If you are using SMBJ 0.11.1 and JDK 11 and getting this exception, then try adding the dependency below.

```xml
    <dependency>
        <groupId>com.hierynomus</groupId>
        <artifactId>smbj</artifactId>
        <version>0.11.1</version>
    </dependency>
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.65</version>
    </dependency>
```

Thanks, R Ramarajan.

rokkakasu commented 3 years ago

```xml
    <dependency>
        <groupId>com.hierynomus</groupId>
        <artifactId>smbj</artifactId>
        <version>${version.smbj}</version>
        <exclusions>
            <!-- Already provided by camel-core -->
            <exclusion>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-api</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.bouncycastle</groupId>
                <artifactId>bcprov-jdk15on</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.65</version>
    </dependency>
```

pboyd04 commented 3 years ago

@vrr6, that undoes bouncy castle running in FIPS mode. FIPS is needed for any application purchased or used by the US federal government and BC does provide a FIPS module, but it doesn't have some of the same behavior as the standard BC module (because certain algorithms aren't allowed in this mode and such).

SheldonWang3000 commented 1 month ago

Hello @pboyd04,

I'm also trying to connect to a FIPS-compliant SMB share here. I tried to import bc-fips and saw the same exception you did. I see there is a PR you created about JceSecurityProvider. I tried it and it helped to get rid of the exception above, but it still does not allow me to connect to the SMB share. Here is my sample code:

```java
import java.io.IOException;
import java.security.Security;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

import com.hierynomus.mssmb2.SMB2Dialect;
import com.hierynomus.security.jce.JceSecurityProvider;
import com.hierynomus.smbj.SMBClient;
import com.hierynomus.smbj.SmbConfig;
import com.hierynomus.smbj.auth.AuthenticationContext;
import com.hierynomus.smbj.connection.Connection;
import com.hierynomus.smbj.session.Session;
import com.hierynomus.smbj.share.DiskShare;

// Register the BC FIPS provider and restrict the JCE policy
Security.addProvider(new BouncyCastleFipsProvider());
System.setProperty("crypto.policy", "limited");

// Use the JCE-backed provider (from the PR) instead of BCSecurityProvider
SmbConfig.Builder smbConfig = SmbConfig.builder()
    .withDialects(SMB2Dialect.SMB_3_1_1)
    .withSecurityProvider(new JceSecurityProvider())
    .withEncryptData(true)
    .withSigningRequired(true);

SMBClient client = new SMBClient(smbConfig.build());

try (Connection connection = client.connect("<smb address>")) {

  String username = "<ad user>";
  String password = "<password>";
  AuthenticationContext authContext = new AuthenticationContext(username, password.toCharArray(), "<ad domain>");

  // Create session
  Session session = connection.authenticate(authContext);

  DiskShare share = (DiskShare) session.connectShare("smbshare1");

  // Now you can interact with the share
  System.out.println("Connected to share successfully!");

} catch (IOException e) {
  e.printStackTrace();
}
```

And it always gets STATUS_LOGON_FAILURE even though the smbclient command works with the same address/user/password. Could you or anyone else here give me any advice about this issue?

Appreciate it!

Sheldon
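The whole thread comes down to which algorithms the registered JCA providers actually supply once BC FIPS is in play. The following diagnostic is an added example, not smbj code and not either poster's code: it probes the JVM for the primitives the stack traces above exercise (MD4 and HMAC-MD5 on the NTLM path, SHA-512 for the SMB 3.1.1 pre-auth hash) plus the usual SMB3 signing and encryption suites, and reports which provider answers for each. The step-to-algorithm mapping, the JCA names and the class name `SmbAlgorithmCheck` are my assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;

/** Added diagnostic (not smbj code): which JCA algorithms on the SMB/NTLM path
 *  discussed above does the current provider set actually supply? */
public final class SmbAlgorithmCheck {
    /** "JCA type:standard name", keyed by the smbj step assumed to need it. */
    static final Map<String, String> REQUIRED = new LinkedHashMap<>();
    static {
        REQUIRED.put("NTLM NTOWFv1 password hash", "MessageDigest:MD4");
        REQUIRED.put("NTLMv2 NTOWFv2 / response (hmac_md5)", "Mac:HmacMD5");
        REQUIRED.put("SMB 3.1.1 pre-auth integrity hash", "MessageDigest:SHA-512");
        REQUIRED.put("SMB2 signing", "Mac:HmacSHA256");
        REQUIRED.put("SMB3 signing (AES-CMAC)", "Mac:AESCMAC");
        REQUIRED.put("SMB3 encryption (AES-GCM)", "Cipher:AES/GCM/NoPadding");
        REQUIRED.put("SMB3 encryption (AES-CCM)", "Cipher:AES/CCM/NoPadding");
    }

    /** Name of the provider that supplies {@code spec}, or null if no registered provider does. */
    static String providerFor(String spec) {
        String[] p = spec.split(":", 2);
        try {
            switch (p[0]) {
                case "MessageDigest": return MessageDigest.getInstance(p[1]).getProvider().getName();
                case "Mac":           return Mac.getInstance(p[1]).getProvider().getName();
                case "Cipher":        return Cipher.getInstance(p[1]).getProvider().getName();
                default:              throw new IllegalArgumentException("unknown JCA type: " + spec);
            }
        } catch (GeneralSecurityException e) { // NoSuchAlgorithm / NoSuchPadding
            return null;
        }
    }

    public static void main(String[] args) {
        // To check the FIPS setup from the sample above, register the provider first, e.g.
        // Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
        for (Provider p : Security.getProviders()) System.out.println("registered provider: " + p.getName());
        for (Map.Entry<String, String> e : REQUIRED.entrySet()) {
            String via = providerFor(e.getValue());
            System.out.printf("%-38s %-26s %s%n", e.getKey(), e.getValue(), via == null ? "MISSING" : "via " + via);
        }
    }
}
```

Run it once with the stock JDK providers and once after registering BC FIPS; a row that flips to MISSING (or is answered by a different provider than expected) points at the step where the SMB handshake or NTLM authentication will fail.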