RH1940064: Enable XML Signature provider in FIPS mode #24
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Any idea why the actions haven't run? Are they enabled on your fork? |
Author
I don't know what is happening with the PR run, the actions seem to have run in my fork's version of the commit: franferrax/jdk@b68e966 (in run 3802858214). |
gnu-andrew
approved these changes
Feb 13, 2023
gnu-andrew
left a comment
gnu-andrew
left a comment
There was a problem hiding this comment.
Strange. The test results look good so I can't see any issue with this going in.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Search this PR in Red Hat Jira
RH1940064: Enable XML Signature provider in FIPS mode
A pull request for RH2156945: Enable XML Signature provider in FIPS mode [rhel-8, openjdk-17]. This work depends on the lock-down of disallowed algorithms from non-FIPS providers (765baf2, 6e74f28, #1, #5, #16, #19).
In order to enable the XMLDSig security provider, we must add the following line to
java.security:Notes
I have been reviewing
org.jcp.xml.dsig.internal.dom.XMLDSigRI, the implementation of the XMLDSig provider, and it seems to use JCA generic APIs, allowing us to provide all the cryptographic operations through SunPKCS11 (the only provider allowed for such operations when in FIPS-mode, for compliance reasons).The following
DOMSignContext/DOMValidateContextproperties accept aProviderinstance to use cryptographic operations from it:org.jcp.xml.dsig.internal.dom.MacProviderorg.jcp.xml.dsig.internal.dom.SignatureProviderAlthough these properties seem to be unknown / undocumented, there is a usage sample in Apache Santuario tests, in
src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java:194-229.However, we don't need to remove these properties, since a user that tries to pass them while in FIPS-mode, is in one of the following scenarios:
Providerinstance (this is fine)Providerinstance (SunJCE has the lock-down in place, so any cryptographic operation is removed, and the user will face an error at some point)java.security, and pass an instance of thatProvider(this is unsupported, and we can't assert their configuration is FIPS compliant, regardless of theDOMSignContext/DOMValidateContextproperties usage)After editing
java.securityto enable the XMLDSig provider, I executed theXMLDSigWithSecMgrtest in a RHEL VM configured in FIPS-mode. Then I confirmed through debugging that SunPKCS11 is being used for digest, sign and verify operations.Finally, I also checked for direct instantiation of provider classes, such as that which caused #16, in
sun.security.pkcs11.P11Util.getSunJceProvider(). I was unable to spot any direct usage of SunJCE, which would cause errors due to removed algorithms in FIPS.