-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Constructor of BouncyCastleFipsProvider$CoreSecureRandom does not work on Java 17 #1285
Comments
The code should never be called on Java 17, or Java 11 if securerandom.strongalgorithms is set correctly. If it is called it means there is something wrong with that setting. |
@dghgit Yes, exactly. The
Typically when the |
It's not a fallback, it's for earlier JVMs. SecureRandom.getInstanceStrong() must be available. Please note that, as documented in the Security Policy, the module is not FIPS compliant if used with Java 17. It has never been tested with it. |
Ok, Thanks for pointing it. As I've mentioned, In general, the support for Java 17 can be nice. So leaving to you if you prefer to close this issue or use it to track Java 17 support. Thanks! |
One question, if SecureRandom.getInstanceStrong() isn't available on RHEL 8.6, exactly what is? How do they provide entropy to a JVM? |
@dghgit The However calling of Just for the reference, my RHEL version is 8.6, my java version is:
I am planning to try on latest RHEL 9 and based on that, I will eventually report a bug to RHEL/OpenJDK as it looks like a mis-configuration that |
Okay, so it should be possible to deal with this by setting securerandom.strongAlgorithms to the implementation "new SecureRandom()" is using under the covers from the above it sounds like "PKCS11:SunPKCS11-NSS-FIPS" should do the trick. The security property is just a list of algorithm:provider pairs. I'd agree if they're going to do this they should add it. |
@dghgit Yes, that is exactly what I am doing in my application. It is a workaround, but works fine for me. Thanks! |
For the reference, here is the link to the Bugzilla about |
Hi, I met the same issue now with
Are there any news about the fix? |
I wonder if you guys are having similar problem that we faced when I found this issue. We were initialising BC FIPS in a way that resulted in recursive calls to |
Closing this one as it isn't anything to do with BC and has gone quiet - securerandom.strongAlgorithms needs to point at something that can be used to generate seed material. There's no other way for a 3rd party java provider to get access to a seed generator without going outside of the JVM. |
@JiriOndrusek I think this is what they meant https://github.com/keycloak/keycloak/blob/main/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/FIPS1402Provider.java#L327. Judging by the reactions here ( :-( ) this is a Quarkus issue now so I'll open Quarkus issue and we should do something about it in the Quarkus. I'll try. |
We can make it work using java --add-exports java.base/sun.security.provider=ALL-UNNAMED -jar your-application.jar explicitly and incase of containerized env we can use ENV JAVA_OPTS="--add-exports java.base/sun.security.provider=ALL-UNNAMED" |
It's still better to manage this properly and set securerandom.strongAlgorithms to a RNG algorithm and provider that is seeded with decent entropy. I would not recommend using add-exports, you could end up falling back on the threaded seed generator and have to deal with it's performance issues instead. |
Setup:
java.security
file or programaticallyNOTE: Same code works on OpenJDK 11 (there is just warning about
Illegal reflective access
as specified in this other issue #510 )The text was updated successfully, but these errors were encountered: