Workaround OpenJDK17 & RHEL & BCFIPS provider issue in FIPS

quarkusio · May 15, 2024 · da0a2cd · da0a2cd
1 parent ee1d4ee
commit da0a2cd
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/.../security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java b/.../security/runtime/src/main/java/io/quarkus/security/runtime/SecurityProviderRecorder.java
@@ -6,16 +6,27 @@
 import static io.quarkus.security.runtime.SecurityProviderUtils.loadProvider;
 import static io.quarkus.security.runtime.SecurityProviderUtils.loadProviderWithParams;
 
+import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+
+import org.jboss.logging.Logger;
 
 import io.quarkus.runtime.annotations.Recorder;
 
 @Recorder
 public class SecurityProviderRecorder {
+
+    private static final Logger LOG = Logger.getLogger(SecurityProviderRecorder.class);
+
     public void addBouncyCastleProvider(boolean inFipsMode) {
         final String providerName = inFipsMode ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
                 : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME;
         addProvider(loadProvider(providerName));
+        if (inFipsMode) {
+            setSecureRandomStrongAlgorithmIfNecessary();
+        }
     }
 
     public void addBouncyCastleJsseProvider() {
@@ -33,5 +44,23 @@ public void addBouncyCastleFipsJsseProvider() {
         Provider bcJsse = loadProviderWithParams(SecurityProviderUtils.BOUNCYCASTLE_JSSE_PROVIDER_CLASS_NAME,
                 new Class[] { boolean.class, Provider.class }, new Object[] { true, bc });
         insertProvider(bcJsse, sunIndex + 1);
+        setSecureRandomStrongAlgorithmIfNecessary();
+    }
+
+    private void setSecureRandomStrongAlgorithmIfNecessary() {
+        try {
+            // workaround for the issue on OpenJDK 17 & RHEL8 & FIPS
+            // see https://github.com/bcgit/bc-java/issues/1285#issuecomment-2068958587
+            // we can remove this when OpenJDK 17 support is dropped or if it starts working on newer versions of RHEL8+
+            SecureRandom.getInstanceStrong();
+        } catch (NoSuchAlgorithmException e) {
+            SecureRandom secRandom = new SecureRandom();
+            String origStrongAlgorithms = Security.getProperty("securerandom.strongAlgorithms");
+            String usedAlgorithm = secRandom.getAlgorithm() + ":" + secRandom.getProvider().getName();
+            String strongAlgorithms = origStrongAlgorithms == null ? usedAlgorithm : usedAlgorithm + "," + origStrongAlgorithms;
+            LOG.debugf("Strong SecureRandom algorithm '%s' is not available. "
+                    + "Using fallback algorithm '%s'.", origStrongAlgorithms, usedAlgorithm);
+            Security.setProperty("securerandom.strongAlgorithms", strongAlgorithms);
+        }
     }
 }