Contrary to SunJSSE in JDK-11 and JDK-8, the XML Signature engine does not provide a way to use a single security provider for cryptographic primitives. As a result, the security providers preference order will be used. In our FIPS configuration, we have the SUN and SunEC security providers for different reasons -the former for X.509 support and the latter because it's a helper of SunPKCS11 for ECC-. Both SUN and SunEC implement other algorithms that should not be used. If the algorithm is not available in SunPKCS11 -first one in our preference order-, a non-FIPS compliant implementation may get inadvertently used. To stay on the safe side we did not enable the XML Signature provider when developing the FIPS feature.

What we can do as part of this enhancement is to explicitly block non-X.509 algorithms in the SUN provider and any direct use of SunEC when in FIPS mode, so the XML Signature provider can be safely enabled.

The keystore type is a separated issue. We discussed this before and developed an experimental feature to use other keystore types -in particular, file-based keystores- along with an NSS Software Token configured in FIPS mode. It's unclear to me whether this is FIPS compliant or not, because there is some non-FIPS-compliant crypto processing when protecting file-based keystores in OpenJDK. On the other hand, we can consider these file-based keystores as non-protected and apply OS file permissions as if the keys were in plain. We should resume the discussion with the crypto-team.

Is there any additional information needed? 
This bug is stopping us from using a product on RHEL 8 with FIPS enabled

(In reply to Martin Balao from comment #1)
 
> What we can do as part of this enhancement is to explicitly block non-X.509
> algorithms in the SUN provider and any direct use of SunEC when in FIPS
> mode, so the XML Signature provider can be safely enabled.

If I understand correctly, this blocking of unsafe algorithms is already done for the SUN provider in OpenJDK 17? Does it mean that XML Signature provider can be safely enabled or are there more verifications needed?

(In reply to mposolda from comment #10)
> If I understand correctly, this blocking of unsafe algorithms is already
> done for the SUN provider in OpenJDK 17? Does it mean that XML Signature
> provider can be safely enabled or are there more verifications needed?

Hi Marek,

You are right, the lock down of unsafe algorithms from SUN providers was later done for OpenJDK 17, since SunJSSE (used for TLS) dropped its "fips mode", removing the ability to configure a single security provider for all its cryptographic operations. This was developed and iterated in bugs 1995150, 2094027, 2052070, 2092507, 2134669.

However, we still need to statically analyze the XMLDSig provider code (and dependencies) to see if non-FIPS-compliant crypto operations are performed. Also, once XMLDSig is enabled, we need to check if SunPKCS11 and NSS provide the required algorithms for it to properly work under FIPS mode.

Thanks for the update Francisco.

In order to enable the XMLDSig security provider, we should add the following line to java.security:
______________________________________________________________________

fips.provider.7=XMLDSig
______________________________________________________________________

I have been reviewing org.jcp.xml.dsig.internal.dom.XMLDSigRI [1], the implementation of the XMLDSig provider, and it seems to use JCA generic APIs, allowing us to provide all the cryptographic operations through SunPKCS11 (the only provider allowed for such operations when in FIPS-mode, for compliance reasons).

The following DOMSignContext / DOMValidateContext properties accept a Provider instance to use cryptographic operations from it:
 • org.jcp.xml.dsig.internal.dom.MacProvider [2]
 • org.jcp.xml.dsig.internal.dom.SignatureProvider [3]

Although these properties seem to be unknown / undocumented, there is a usage sample in Apache Santuario tests, in src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java:194-229 [4].

However, we don't need to remove these properties, since a user that tries to pass them while in FIPS-mode, is in one of the following scenarios:
 • They pass a SunPKCS11 Provider instance (this is fine)
 • They pass a SunJCE Provider instance (SunJCE has the lock-down in place, so any cryptographic operation is removed, and the user will face an error at some point)
 • They add another custom provider to the FIPS configuration in java.security, and pass an instance of that Provider (this is unsupported, and we can't assert their configuration is FIPS compliant, regardless of the DOMSignContext / DOMValidateContext properties usage)

After editing java.security to enable the XMLDSig provider, I executed the XMLDSigWithSecMgr test [5] in a RHEL VM configured in FIPS-mode. Then I confirmed through debugging that SunPKCS11 is being used for digest, sign and verify operations.

Finally, I also checked for direct instantiation of provider classes, such as that which caused bug 2092507, in sun.security.pkcs11.P11Util.getSunJceProvider() [6]. I was unable to spot any direct usage of SunJCE, which would cause errors due to removed algorithms in FIPS.


[1] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/XMLDSigRI.java#L49
[2] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java#L54
[3] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java#L53
[4] https://github.com/apache/santuario-java/blob/xmlsec-2.1.5/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java#L194-L229
[5] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/test/jdk/javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java#L26-L28
[6] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java#L71-L116

(In reply to Francisco Ferrari Bihurriet from comment #13)
> In order to enable the XMLDSig security provider, we should add the
> following line to java.security:
> ______________________________________________________________________
> 
> fips.provider.7=XMLDSig
> ______________________________________________________________________
> 

I've did some testing in my environment and I confirm that when I add "fips.provider.7=XMLDSig" to java.security, things are OK in my environment (SAML works as expected inside Keycloak/RHSSO). My java version is 'openjdk version "17.0.5" 2022-10-18 LTS' on RHEL 8.6.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.