java - Spring Boot application intended to be FIPS-compliant by using bouncycastle fails to start without SUN security provider
I'm trying to make my Spring Boot microservices FIPS 10-3 compliant, which led me to Bouncy Castle as the security provider.
I have a basic Spring Boot application created with Spring Initializr, which I run to test the java.security configuration.
I'm running the application in a container which has a JRE on board and the Bouncy Castle jars:
bc-fips-2.1.0.jar
bcpkix-fips-2.1.8.jar
bctls-fips-2.1.20.jar
bcutil-fips-2.1.4.jar
and I point the application to these jars via the module path:
ENTRYPOINT ["java", "--module-path", "/usr/share/java/bouncycastle-modules", "-jar", "application.jar"]
The following configuration works fine:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
However, if I remove the SUN provider, the application fails to start with a StackOverflowError:
INFO: Found string system property [javax.net.ssl.trustStoreType]: FIPS
Exception in thread "main" java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:118)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40)
Caused by: java.lang.StackOverflowError
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4453)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4969)
at java.base/java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:4134)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4969)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4914)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:5000)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4470)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4969)
at java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4509)
at java.base/java.util.regex.Matcher.match(Matcher.java:1794)
at java.base/java.util.regex.Matcher.matches(Matcher.java:754)
at java.base/java.security.SecureRandom.getInstanceStrong(SecureRandom.java:959)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$300(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.run(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getEntropySourceProvider(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySourceProvider(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$500(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$PooledSecureRandomProvider.get(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.ProvRandom$PooledSecureRandomProvider.get(ProvRandom.java:84)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.ProvRandom$MySecureRandomSpi.<init>(ProvRandom.java:178)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:32)
at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:298)
at java.base/java.security.SecureRandom.<init>(SecureRandom.java:225)
It looks like the error is related to SecureRandom; however, I was not able to find a Bouncy Castle provider that would satisfy this dependency. Is there a Bouncy Castle alternative for the SUN provider, and does the presence of the SUN provider alongside the Bouncy Castle providers make the application non-FIPS-compliant?
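The trace above ends in SecureRandom.getInstanceStrong(), which resolves the java.security property securerandom.strongAlgorithms (a comma-separated list of algorithm:provider entries) against the installed providers. The following diagnostic, added here and not part of the question or of Bouncy Castle, lists the providers in effect and reports which entries of that property can still be resolved; it only checks for the service, without instantiating it, so it cannot itself trigger the recursion shown in the trace. The class name StrongRandomCheck is an assumption.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic (not from the question or from Bouncy Castle): checks whether
// the entries in securerandom.strongAlgorithms resolve with the providers
// configured in java.security, which is what getInstanceStrong() needs.
public class StrongRandomCheck {

    // Mirrors the property format parsed by getInstanceStrong():
    // "alg1:prov1,alg2:prov2,..." where the ":provider" part is optional.
    // Returns how many entries name a SecureRandom service that actually exists.
    static int resolvableEntries(String strongAlgorithms) {
        int ok = 0;
        for (String entry : strongAlgorithms.split(",")) {
            String[] parts = entry.trim().split(":", 2);
            String alg = parts[0].trim();
            String prov = parts.length > 1 ? parts[1].trim() : null;
            boolean found = false;
            if (prov != null) {
                Provider p = Security.getProvider(prov);           // null when e.g. SUN was removed
                found = p != null && p.getService("SecureRandom", alg) != null;
            } else {
                for (Provider p : Security.getProviders()) {       // no provider given: first match wins
                    if (p.getService("SecureRandom", alg) != null) { found = true; break; }
                }
            }
            System.out.printf("  %-4s %s%n", found ? "OK" : "FAIL", entry.trim());
            if (found) ok++;
        }
        return ok;
    }

    public static void main(String[] args) {
        System.out.println("Installed providers (java.security order):");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-8s %s%n", p.getName(), p.getInfo());
        }
        String strong = Security.getProperty("securerandom.strongAlgorithms");
        System.out.println("securerandom.strongAlgorithms = " + strong);
        if (strong == null || strong.trim().isEmpty()) {
            System.out.println("No strong algorithms configured: getInstanceStrong() cannot succeed.");
            return;
        }
        int ok = resolvableEntries(strong);
        System.out.println(ok == 0
            ? "No entry resolvable: a provider that seeds itself via getInstanceStrong() cannot bootstrap."
            : ok + " entry/entries resolvable.");
    }
}
```

Run it with the same --module-path and java.security file as the container so the provider list matches what the application sees; a FAIL on every entry with SUN removed points at the property, not at Bouncy Castle itself.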