quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Documentation should BouncyCastle FIPS doesn't work in native only in FIPS-enabled environment with Mandrel 23.1 #43935

Open michalvavrik opened 2 hours ago

michalvavrik commented 2 hours ago

Describe the bug

(this is more of a suggestion for docs improvement, but I am opening it as a bug in case I misunderstood the situation)

I am using BouncyCastle FIPS in native mode. It "works" when FIPS is not enabled, but when I run my application with registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1 inside a FIPS-enabled environment, both Security.getProvider("BCFIPS") and Security.getProviders() fail with UnsupportedFeatureError. They do not fail with RH OpenJDK 21 when FIPS is enabled. I asked @jerboaa and IIUC this is expected behavior. However, I am opening this ticket because https://quarkus.io/guides/security-customization#bouncy-castle-fips says that native is supported, and I think users like me can expect that BCFIPS will work in a FIPS-enabled env.

Expected behavior

I think documentation should mention this fact.

Actual behavior

Exception for Security.getProviders():

12:25:07,778 INFO  [app] Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: BCFIPS.
12:25:07,778 INFO  [app]    at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
12:25:07,779 INFO  [app]    at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.reinitialize(SecuritySubstitutions.java:712)
12:25:07,779 INFO  [app]    at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.getProvider(SecuritySubstitutions.java:665)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:165)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderList.getIndex(ProviderList.java:301)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:285)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.ProviderList.getProvider(ProviderList.java:291)
12:25:07,779 INFO  [app]    at java.base@21.0.4/sun.security.jca.GetInstance.getService(GetInstance.java:81)
12:25:07,780 INFO  [app]    at java.base@21.0.4/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
12:25:07,780 INFO  [app]    at java.base@21.0.4/java.security.Signature.getInstance(Signature.java:403)
12:25:07,780 INFO  [app]    at io.quarkus.ts.security.bouncycastle.fips.BouncyCastleFipsEndpoint.checkSHA256withRSAandMGF1(BouncyCastleFipsEndpoint.java:24)

How to Reproduce?

Steps to reproduce the behavior in a FIPS-enabled environment:

git clone https://github.com/quarkus-qe/quarkus-test-suite
cd quarkus-test-suite/security/bouncycastle-fips/bcfips
mvn clean verify -Dit.test=BouncyCastleFipsIT -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.native-image-xmx=5g -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1 -Dquarkus-plugin.version=3.15.1.redhat-00002 -Dquarkus.platform.version=3.15.1.redhat-00002 -Dquarkus.platform.artifact-id=quarkus-bom -Dquarkus.platform.group-id=com.redhat.quarkus.platform

(I'll probably disable it in native in FIPS so maybe uncomment that disable annotation when I add it).

Output of uname -a or ver

RHEL 8.9

Output of java -version

OpenJDK Runtime Environment (Red_Hat-21.0.4.0.7-1) (build 21.0.4+7-LTS)

Mandrel or GraalVM version (if different from Java)

registry.access.redhat.com/quarkus/mandrel-for-jdk-21-rhel8:23.1

Quarkus version or git rev

3.15.1

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)

Additional information

No response
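
A startup probe for the failure reported above, as an added example that is not part of the original issue or of the Quarkus code base. It records whether the process is a native executable, whether the kernel reports FIPS mode, and whether BCFIPS can actually serve a signature, so the condition is caught at boot instead of on the first request. The class name `BcFipsProbe` is hypothetical, and the algorithm name `SHA256withRSAandMGF1` is an assumption taken from the method name in the stack trace.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/** Added example: report whether the BCFIPS provider is usable in this runtime. */
public class BcFipsProbe {

    /** True when the Linux kernel reports FIPS mode; false if the file is absent or unreadable. */
    static boolean kernelFipsEnabled() {
        try {
            return "1".equals(Files.readString(Path.of("/proc/sys/crypto/fips_enabled")).trim());
        } catch (Exception e) {
            return false;
        }
    }

    /** GraalVM and Mandrel set this system property inside a native executable. */
    static boolean inNativeImage() {
        return System.getProperty("org.graalvm.nativeimage.imagecode") != null;
    }

    /** Returns null on success, otherwise a description of the failure. */
    static String probe(String providerName, String algorithm) {
        try {
            Provider p = Security.getProvider(providerName);
            if (p == null) {
                return providerName + " is not registered";
            }
            // Pass the provider explicitly so no other provider can silently serve the algorithm.
            Signature s = Signature.getInstance(algorithm, p);
            String actual = s.getProvider().getName();
            return actual.equals(providerName) ? null : "served by " + actual;
        } catch (Throwable t) {
            // Throwable rather than Exception, so an Error raised by the runtime is reported too.
            return t.getClass().getName() + ": " + t.getMessage();
        }
    }

    public static void main(String[] args) {
        // Algorithm name assumed from the method name in the stack trace on this page.
        String failure = probe("BCFIPS", "SHA256withRSAandMGF1");
        System.out.printf("native=%b kernelFips=%b provider=BCFIPS status=%s%n",
                inNativeImage(), kernelFipsEnabled(), failure == null ? "OK" : failure);
        if (failure != null) System.exit(1);
    }
}
```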

quarkus-bot[bot] commented 2 hours ago

/cc @Karm (mandrel,securepipeline), @galderz (mandrel), @jerboaa (securepipeline), @zakkak (mandrel,native-image)