BouncyCastle BCFIPS provider fails with OpenJDK 17 and RHEL8 in FIPS-enabled environment #40659
Labels:
area/securepipeline (issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar)
area/security
kind/bug (Something isn't working)
Describe the bug
Described in bcgit/bc-java#1285. When the BCFIPS provider is used with OpenJDK 17 on RHEL8, the app fails to start as (citing) securerandom.strongAlgorithms needs to point at something that can be used to generate seed material.
I tested it with OpenJDK Runtime Environment (Red_Hat-21.0.1.0.12-2) and it works; however, it doesn't work with OpenJDK Runtime Environment (Red_Hat-17.0.10.0.7-1.el7openjdkportable).
Expected behavior
Keycloak works around this issue like this:
https://github.com/keycloak/keycloak/blob/main/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/FIPS1402Provider.java#L327
It would be nice if we could do something about it.
Actual behavior
The app fails to start and an exception is thrown.
How to Reproduce?
In a FIPS-enabled environment, run:
git clone https://github.com/quarkus-qe/quarkus-test-suite
cd quarkus-test-suite/security/bouncycastle-fips/bcFipsJsse
mvn clean verify -Dreruns=0
Output of uname -a or ver
Fedora 38
Output of java -version
openjdk version "17.0.7"
Quarkus version or git rev
999-SNAPSHOT, 3.8.4 etc.
Build tool (i.e. output of mvnw --version or gradlew --version)
Apache Maven 3.9.4
Additional information
I'd like to try and look into the workaround as I'm in a hurry.
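securerandom.strongAlgorithms is the security property that SecureRandom.getInstanceStrong() consults. The following is an added example (not code from Quarkus, Keycloak or Bouncy Castle) of a JDK-only check for that failure with a temporary fallback; the class name, method names and the installProvider callback are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

// Added example: all names here are hypothetical, only JDK APIs are used.
public class StrongRandomFallback {
    static final String PROP = "securerandom.strongAlgorithms";

    /** Returns "algorithm:provider" of the strong RNG, or null if no entry in PROP is usable. */
    static String describeStrong() {
        try {
            SecureRandom sr = SecureRandom.getInstanceStrong();
            return sr.getAlgorithm() + ":" + sr.getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Runs installProvider while a usable strong RNG is configured.
     * installProvider is expected to register the provider and trigger any
     * seeding it needs while the patched value is in effect.
     */
    static void withUsableStrongRandom(Runnable installProvider) {
        if (describeStrong() != null) {   // nothing to patch
            installProvider.run();
            return;
        }
        // Fall back to whatever the platform default SecureRandom resolves to.
        // This lowers "strong" to the default RNG, so keep the change scoped.
        SecureRandom dflt = new SecureRandom();
        String fallback = dflt.getAlgorithm() + ":" + dflt.getProvider().getName();
        String original = Security.getProperty(PROP);
        boolean unset = original == null || original.isEmpty();
        Security.setProperty(PROP, unset ? fallback : fallback + "," + original);
        try {
            installProvider.run();
        } finally {
            // setProperty rejects null, so an unset property is restored as empty.
            Security.setProperty(PROP, original == null ? "" : original);
        }
    }

    public static void main(String[] args) {
        System.out.println(PROP + " = " + Security.getProperty(PROP));
        System.out.println("strong RNG before: " + describeStrong());
        withUsableStrongRandom(() ->
            System.out.println("strong RNG during install: " + describeStrong()));
    }
}
```

Running it on both JDKs shows whether the configured strong algorithms resolve on each, and which algorithm and provider the fallback would select.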