2052070 – Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode [rhel-8, openjdk-17]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2052070 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode [rhel-8, openjdk-17]

Summary: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS m...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	java-17-openjdk
Sub Component:
Version:	8.6
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Balao
QA Contact:	OpenJDK QA
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2034698 (view as bug list)
Depends On:
Blocks:	1994661 2055396 2128104 2156945
TreeView+	depends on / blocked

Reported:	2022-02-08 16:10 UTC by Martin Balao
Modified:	2022-12-29 20:46 UTC (History)
CC List:	5 users (show)
Fixed In Version:	java-17-openjdk-17.0.2.0.8-15.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2055396 2128104 (view as bug list)
Environment:
Last Closed:	2022-05-10 13:32:42 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	rh-openjdk/jdk/commit/6e74f283739af0d867df01d20f82865f559a45ea	None	None	None	2022-10-14 16:40:56 UTC
Red Hat Issue Tracker	RHELPLAN-111511	None	None	None	2022-02-08 18:50:21 UTC
Red Hat Product Errata	RHEA-2022:1768	None	None	None	2022-05-10 13:32:50 UTC

Description Martin Balao 2022-02-08 16:10:57 UTC

As noticed while developing the FIPS Key Importer enhancement for java-17-openjdk, some AlgorithmParameters services are required in FIPS mode. As indicated by their name, these services are used to hold data later used as input for crypto services. It is worth noticing that none of them implement the actual crypto primitives, so enabling them should not affect FIPS compliance in any sense. An analogous case can be described for AlgorithmParameterGenerator services.

In the context of fixing this bug, we should consider the following approaches:

1) Enabling all AlgorithmParameters and AlgorithmParameterGenerator services under the rationale that they do not affect FIPS compliance, that they might be required in the future or even now by yet-to-be-uncovered bugs;

2) Enabling only those known to be required at this time and update the list in farther iterations if needed;

3) Perform a thorough static analysis to determine exactly what is required now and enable the rest only if needed in the future; and,

4) Something in-between #1, #2 and #3.

As demonstrated in a first analysis of this issue, the approach #3 has more complexity than what it looks like.

--
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1994661#c6

Comment 2 Martin Balao 2022-02-08 19:59:58 UTC

AlgorithmParameterGenerator analysis
================================================

 * Implementors
  * DH
   * SunJCE.java
    * DHParameterGenerator.java
  * DSA
   * SunEntries.java
    * DSAParameterGenerator.java

 * Clients (users)
  * DH
   * ParameterCache.java
  * DSA
   * ParameterCache.java
   * DHParameterGenerator.java

Conclusions
-----------------------------------------------

AlgorithmParameterGenerator for DSA should be supported. P11KeyPairGenerator::generateKeyPair can potentially invoke ParameterCache::getDSAParameterSpec, ParameterCache::getNewDSAParameterSpec and AlgorithmParameterGenerator.getInstance("DSA"). Notice that DSAParameterGenerator::engineGenerateParameters (instance returned in the previous call) can potentially invoke AlgorithmParameters.getInstance("DSA", "SUN"). Thus, AlgorithmParameters DSA must be enabled in SUN (this is a 2nd reason in addition to [1]).

AlgorithmParameterGenerator for DH should be supported. P11KeyPairGenerator::generateKeyPair can potentially invoke ParameterCache::getDHParameterSpec and AlgorithmParameterGenerator.getInstance("DH").

--
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1994661#c6

Comment 3 Martin Balao 2022-02-08 20:11:19 UTC

AlgorithmParameters - the DSAParameters case

In java-17-openjdk, after RH1995150 [1], we took the approach of disabling all non-FIPS crypto services from security providers enabled in FIPS mode. In example, the SUN security provider is enabled in FIPS mode but its Signature services do not provide FIPS-compliant crypto and are, thus, disabled. This approach can help applications to avoid inadvertently using non-FIPS crypto while in FIPS mode.

While running the FIPS Key Importer test [2] under this configuration, we realized that the AlgorithmParameters service for the DSA algorithm is required. This service is provided by the SUN security provider and do not pose a FIPS-compliance conflict, so it can and should be enabled. Determining which other AlgorithmParameters services must be enabled in FIPS mode based on static analysis is not simple a simple task, though.

To tackle this problem, I analyzed why DSA AlgorithmParameters is needed in the first place. This could hint a pattern to look-for.

In the DSA AlgorithmParameters scneario, we need to build a P11 DSA public key from a spec (i.e.: from an encoded byte array read from a X509 certificate). A sun.security.provider.DSAPublicKey key instance will be constructed [3] and the translation to P11 will take place afterwards [4]. The point of building an intermediate DSAPublicKey object is parsing the key data from the encoded byte array form, and get values by calling well defined APIs. DSAPublicKey keys have parameters of type sun.security.provider.DSAParameters. These parameters contain information such as the prime (p), sub-prime (q) and base (g). When a DSA public key is parsed, the method X509Key::decode is called [5]. Note: X509Key is the superclass of DSAPublicKey. Parameters are parsed by AlgorithmId::decodeParams [6]. AlgorithmId::decodeParams makes use of 'AlgorithmParameters.getInstance(algidName)' to get a DSAParameters instance which will finally parse the values [7]. Once DSAPublicKey::getParams is called, the information comes from what was previously parsed [8]. As a result, a failure in 'AlgorithmParameters.getInstance(algidName)' will lead to null DSAParameters parameters and the P11 public key cannot be constructed.

--
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1995150
[2] - https://bugzilla.redhat.com/show_bug.cgi?id=1994661#c4
[3] - https://github.com/openjdk/jdk17u/blob/jdk-17+35/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11DSAKeyFactory.java#L108
[4] - https://github.com/openjdk/jdk17u/blob/jdk-17+35/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11DSAKeyFactory.java#L52
[5] - https://github.com/openjdk/jdk17u/blob/jdk-17%2B35/src/java.base/share/classes/sun/security/x509/X509Key.java#L389
[6] - https://github.com/openjdk/jdk17u/blob/jdk-17+35/src/java.base/share/classes/sun/security/x509/AlgorithmId.java#L133
[7] - https://github.com/openjdk/jdk17u/blob/jdk-17%2B35/src/java.base/share/classes/sun/security/provider/DSAParameters.java#L72
[8] - https://github.com/openjdk/jdk17u/blob/jdk-17%2B35/src/java.base/share/classes/sun/security/provider/DSAPublicKey.java#L120

Comment 4 Martin Balao 2022-02-08 20:16:35 UTC

*** Bug 2034698 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2022-05-10 13:32:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-17-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1768

Note You need to log in before you can comment on or make changes to this bug.