Eugen Hartmann created GUACAMOLE-2004:
-----------------------------------------

             Summary: Fix KSM integration for RHEL systems with FIPS mode enabled
                 Key: GUACAMOLE-2004
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2004
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-client
    Affects Versions: 1.5.5
            Reporter: Eugen Hartmann


The change fixes the following KSM issue on RHEL systems with FIPS enabled:
{code:java}
Exception in thread "main" java.security.ProviderException: Could not derive key
    at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:145)
    at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:586)
    at com.keepersecurity.secretsManager.core.CryptoUtils.getEciesSymmetricKey(CryptoUtils.kt:149)
    at com.keepersecurity.secretsManager.core.CryptoUtils.publicEncrypt(CryptoUtils.kt:160)
    at com.keepersecurity.secretsManager.core.SecretsManager.generateTransmissionKey(SecretsManager.kt:1105)
    at com.keepersecurity.secretsManager.core.SecretsManager.fetchAndDecryptSecrets(SecretsManager.kt:1517)
    at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt:395)
    at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets$default(SecretsManager.kt:393)
    at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt)
    at com.keepersecurity.secretsManager.fipsTest.Main.main(Main.java:17)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
    at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
    at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:140)
    ... 9 more
{code}
 

KSM expects us to use a correct security provider for proper functioning of the [Java/Kotlin SDK|https://docs.keeper.io/en/secrets-manager/secrets-manager/developer-sdk-library/java-sdk]:
{code:java}
Keeper will use the default cryptographic module of the Java runtime unless a 
specific provider is added. In the examples here in this documentation, we are 
using the BouncyCastle FIPS provider. {code}
The Security.addProvider method checks internally for duplication, so it is safe to add the same provider multiple times:
{code:java}
-1 if the provider was not added because it is already installed. {code}
The provider is added to the end of the provider list so I believe it is safe 
to add the BouncyCastle FIPS provider by default. In this case, when some code 
requests a cryptographic method/protocol, the BouncyCastle FIPS provider will 
be used either in case of an exact match or as a fallback option.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
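As an added example (not code from this issue, from Guacamole, or from the Keeper SDK), the registration the issue proposes, with the behaviour a practitioner would want to check: Security.addProvider appends BCFIPS to the end of the list and returns -1 on a repeated call, and an ECDH key agreement requested from BCFIPS by name succeeds where the trace above shows SunPKCS11 failing while reading the derived key out of the token (C_GetAttributeValue, CKR_ATTRIBUTE_SENSITIVE). The class name, the curve name and the main method are this example's own choices; it assumes the bc-fips jar (org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) is on the classpath.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Added example, not Guacamole or Keeper SDK code: register the BouncyCastle FIPS
 * provider idempotently at the end of the JCA provider list and run an ECDH key
 * agreement pinned to it.
 */
public class BcFipsProviderSetup {

    /** Provider name the bc-fips jar registers under. */
    static final String BCFIPS = "BCFIPS";

    /**
     * Security.addProvider appends to the END of the provider list and returns -1
     * when a provider with the same name is already installed, so calling this from
     * several places (the web application, an extension, a library) is harmless.
     * Returns the 1-based position of the provider, or -1 if it was already there.
     */
    static int registerBcFips() {
        int position = Security.addProvider(new BouncyCastleFipsProvider());
        Provider[] providers = Security.getProviders();
        if (position == -1) {
            System.out.println("BCFIPS was already installed; provider list unchanged");
        } else {
            System.out.println("BCFIPS appended at position " + position + " of " + providers.length);
        }
        return position;
    }

    /**
     * Which provider JCA selects for an unqualified "ECDH" request: the first provider
     * in the list that supports it. Because BCFIPS sits at the end, on a FIPS-mode RHEL
     * host this is normally still SunPKCS11, which is why the SDK has to ask for BCFIPS by name.
     */
    static String defaultEcdhProvider() throws Exception {
        return KeyAgreement.getInstance("ECDH").getProvider().getName();
    }

    /** EC key pair generated on BCFIPS (software key, not a PKCS#11 handle). Curve name is an example choice. */
    static KeyPair generateP256KeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", BCFIPS);
        kpg.initialize(new ECGenParameterSpec("P-256"));
        return kpg.generateKeyPair();
    }

    /** ECDH shared-secret derivation explicitly requested from BCFIPS. */
    static byte[] ecdhSharedSecret(KeyPair mine, KeyPair theirs) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH", BCFIPS);
        ka.init(mine.getPrivate());
        ka.doPhase(theirs.getPublic(), true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        registerBcFips();
        // Second call returns -1: the duplicate check the issue relies on.
        int second = registerBcFips();
        if (second != -1) {
            throw new IllegalStateException("expected -1 on duplicate addProvider, got " + second);
        }

        System.out.println("Unqualified ECDH resolves to: " + defaultEcdhProvider());

        KeyPair alice = generateP256KeyPair();
        KeyPair bob = generateP256KeyPair();
        byte[] fromAlice = ecdhSharedSecret(alice, bob);
        byte[] fromBob = ecdhSharedSecret(bob, alice);
        // Both sides must derive the same secret; for P-256 it is 32 bytes.
        if (!Arrays.equals(fromAlice, fromBob) || fromAlice.length != 32) {
            throw new IllegalStateException("ECDH on BCFIPS did not agree");
        }
        System.out.println("ECDH on BCFIPS agreed on a " + fromAlice.length + "-byte secret");
    }
}
```

The caveat worth keeping in mind when reading the "fallback" argument in the issue: appending BCFIPS changes nothing for callers that request an algorithm without naming a provider, since JCA walks the list in order and SunPKCS11 (in FIPS mode) still comes first; the fix helps precisely because the Keeper SDK asks for its cryptography from BCFIPS by name, and appending rather than inserting at position 1 means no other provider's precedence is disturbed.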