This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1940064 - Enable XML Signature provider in FIPS mode [rhel-8, openjdk-8]
Summary: Enable XML Signature provider in FIPS mode [rhel-8, openjdk-8]
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Francisco Ferrari Bihurriet
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On: 2029655
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-03-17 14:33 UTC by Mike Millson
Modified: 2024-06-14 00:52 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-12 21:51:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-3413 0 None Migrated None 2023-09-12 21:51:46 UTC

Description Mike Millson 2021-03-17 14:33:26 UTC
When OpenJDK is configured in FIPS mode, the XML Signature provider is currently disabled, and the keystore type must be PKCS11 (/etc/pki/nssdb is used, in read-only mode).

This is not compatible with some 3rd party applications. 

For example, it leads to the following error running Jenkins on RHEL in FIPs mode:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS

Comment 1 Martin Balao 2021-03-29 13:24:51 UTC
Contrary to SunJSSE in JDK-11 and JDK-8, the XML Signature engine does not provide a way to use a single security provider for cryptographic primitives. As a result, the security providers preference order will be used. In our FIPS configuration, we have the SUN and SunEC security providers for different reasons -the former for X.509 support and the latter because it's a helper of SunPKCS11 for ECC-. Both SUN and SunEC implement other algorithms that should not be used. If the algorithm is not available in SunPKCS11 -first one in our preference order-, a non-FIPS compliant implementation may get inadvertently used. To stay on the safe side we did not enable the XML Signature provider when developing the FIPS feature.

What we can do as part of this enhancement is to explicitly block non-X.509 algorithms in the SUN provider and any direct use of SunEC when in FIPS mode, so the XML Signature provider can be safely enabled.

The keystore type is a separated issue. We discussed this before and developed an experimental feature to use other keystore types -in particular, file-based keystores- along with an NSS Software Token configured in FIPS mode. It's unclear to me whether this is FIPS compliant or not, because there is some non-FIPS-compliant crypto processing when protecting file-based keystores in OpenJDK. On the other hand, we can consider these file-based keystores as non-protected and apply OS file permissions as if the keys were in plain. We should resume the discussion with the crypto-team.

Comment 9 Zach Jones 2022-05-23 19:34:32 UTC
Is there any additional information needed? 
This bug is stopping us from using a product on RHEL 8 with FIPS enabled

Comment 10 mposolda 2022-12-08 09:10:32 UTC
(In reply to Martin Balao from comment #1)
 
> What we can do as part of this enhancement is to explicitly block non-X.509
> algorithms in the SUN provider and any direct use of SunEC when in FIPS
> mode, so the XML Signature provider can be safely enabled.

If I understand correctly, this blocking of unsafe algorithms is already done for the SUN provider in OpenJDK 17? Does it mean that XML Signature provider can be safely enabled or are there more verifications needed?

Comment 11 Francisco Ferrari Bihurriet 2022-12-16 00:46:42 UTC
(In reply to mposolda from comment #10)
> If I understand correctly, this blocking of unsafe algorithms is already
> done for the SUN provider in OpenJDK 17? Does it mean that XML Signature
> provider can be safely enabled or are there more verifications needed?

Hi Marek,

You are right, the lock down of unsafe algorithms from SUN providers was later done for OpenJDK 17, since SunJSSE (used for TLS) dropped its "fips mode", removing the ability to configure a single security provider for all its cryptographic operations. This was developed and iterated in bugs 1995150, 2094027, 2052070, 2092507, 2134669.

However, we still need to statically analyze the XMLDSig provider code (and dependencies) to see if non-FIPS-compliant crypto operations are performed. Also, once XMLDSig is enabled, we need to check if SunPKCS11 and NSS provide the required algorithms for it to properly work under FIPS mode.

Comment 12 mposolda 2022-12-19 19:26:28 UTC
Thanks for the update Francisco.

Comment 13 Francisco Ferrari Bihurriet 2022-12-28 02:37:46 UTC
In order to enable the XMLDSig security provider, we should add the following line to java.security:
______________________________________________________________________

fips.provider.7=XMLDSig
______________________________________________________________________

I have been reviewing org.jcp.xml.dsig.internal.dom.XMLDSigRI [1], the implementation of the XMLDSig provider, and it seems to use JCA generic APIs, allowing us to provide all the cryptographic operations through SunPKCS11 (the only provider allowed for such operations when in FIPS-mode, for compliance reasons).

The following DOMSignContext / DOMValidateContext properties accept a Provider instance to use cryptographic operations from it:
 • org.jcp.xml.dsig.internal.dom.MacProvider [2]
 • org.jcp.xml.dsig.internal.dom.SignatureProvider [3]

Although these properties seem to be unknown / undocumented, there is a usage sample in Apache Santuario tests, in src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java:194-229 [4].

However, we don't need to remove these properties, since a user that tries to pass them while in FIPS-mode, is in one of the following scenarios:
 • They pass a SunPKCS11 Provider instance (this is fine)
 • They pass a SunJCE Provider instance (SunJCE has the lock-down in place, so any cryptographic operation is removed, and the user will face an error at some point)
 • They add another custom provider to the FIPS configuration in java.security, and pass an instance of that Provider (this is unsupported, and we can't assert their configuration is FIPS compliant, regardless of the DOMSignContext / DOMValidateContext properties usage)

After editing java.security to enable the XMLDSig provider, I executed the XMLDSigWithSecMgr test [5] in a RHEL VM configured in FIPS-mode. Then I confirmed through debugging that SunPKCS11 is being used for digest, sign and verify operations.

Finally, I also checked for direct instantiation of provider classes, such as that which caused bug 2092507, in sun.security.pkcs11.P11Util.getSunJceProvider() [6]. I was unable to spot any direct usage of SunJCE, which would cause errors due to removed algorithms in FIPS.


[1] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/XMLDSigRI.java#L49
[2] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java#L54
[3] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java#L53
[4] https://github.com/apache/santuario-java/blob/xmlsec-2.1.5/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java#L194-L229
[5] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/test/jdk/javax/xml/crypto/dsig/SecurityManager/XMLDSigWithSecMgr.java#L26-L28
[6] https://github.com/openjdk/jdk17u/blob/jdk-17.0.5-ga/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java#L71-L116

Comment 14 mposolda 2023-01-04 07:28:25 UTC
(In reply to Francisco Ferrari Bihurriet from comment #13)
> In order to enable the XMLDSig security provider, we should add the
> following line to java.security:
> ______________________________________________________________________
> 
> fips.provider.7=XMLDSig
> ______________________________________________________________________
> 

I've did some testing in my environment and I confirm that when I add "fips.provider.7=XMLDSig" to java.security, things are OK in my environment (SAML works as expected inside Keycloak/RHSSO). My java version is 'openjdk version "17.0.5" 2022-10-18 LTS' on RHEL 8.6.

Comment 19 RHEL Program Management 2023-09-12 21:50:25 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 20 RHEL Program Management 2023-09-12 21:51:53 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Comment 21 Red Hat Bugzilla 2024-01-11 04:25:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days


Note You need to log in before you can comment on or make changes to this bug.