tink-crypto / tink-java-gcpkms

Extension to Tink Java that provides Google Cloud KMS integration
https://developers.google.com/tink
Apache License 2.0

KMS client fail to start under FIPS compliant mode #1

Closed jazzyMix closed 7 months ago

jazzyMix commented 9 months ago

Help us help you

Tell us more about your Tink deployment.

Is your feature request related to a problem?

If so, provide a description of the problem.

Context: I am making our service FIPS compliant. We depend on https://github.com/tink-crypto/tink-java-gcpkms, and when we start our server we fail to start the KMS client due to this error:

java.security.GeneralSecurityException: cannot build GCP KMS client
    at com.google.crypto.tink.integration.gcpkms.GcpKmsClient.withCredentials(GcpKmsClient.java:141)
    at com.google.crypto.tink.integration.gcpkms.GcpKmsClient.withDefaultCredentials(GcpKmsClient.java:155)
Caused by: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
    at java.base/sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:855)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2113)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    at com.google.api.client.util.SecurityUtils.loadKeyStore(SecurityUtils.java:80)
    at com.google.api.client.googleapis.GoogleUtils.getCertificateTrustStore(GoogleUtils.java:86)
    at com.google.api.client.googleapis.javanet.GoogleNetHttpTransport.newTrustedTransport(GoogleNetHttpTransport.java:87)
    at com.google.api.client.googleapis.javanet.GoogleNetHttpTransport.newTrustedTransport(GoogleNetHttpTransport.java:58)
    at com.google.crypto.tink.integration.gcpkms.GcpKmsClient.withCredentials(GcpKmsClient.java:135)
    ... 4 more
Caused by: java.security.NoSuchAlgorithmException: PBE AlgorithmParameters not available
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.base/java.security.Security.getImpl(Security.java:676)
    at java.base/java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:157)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:849)
    ... 12 more

What sort of feature would you like to see?

It seems like com.google.api.client.util.SecurityUtils.loadKeyStore failed; please advise.

Have you considered any alternative solutions?

I have tried to move away from the google.api.client.googleapis dependency but failed.

Would you like to add additional context?

Provide any other context about the feature request.

tholenst commented 8 months ago

Thanks for the report. This is working as intended.

Tink provides FIPS mode to guarantee that only FIPS compliant encryptions happen. If you use a KMS, Tink cannot guarantee anymore that this is true.

Note that the workaround is simply to not use FIPS mode in Tink. Tink can still be FIPS compliant, even if it is not in FIPS mode.

I understand that this can be annoying, and we are working on providing more fine-grained configuration options, but this will take a while to materialize.