[
https://issues.apache.org/jira/browse/GUACAMOLE-2004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman updated GUACAMOLE-2004:
-------------------------------------
Fix Version/s: 1.6.1
> Fix KSM integration for RHEL systems with FIPS mode enabled
> -----------------------------------------------------------
>
> Key: GUACAMOLE-2004
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2004
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-client
> Affects Versions: 1.5.5
> Reporter: Eugen Hartmann
> Priority: Major
> Fix For: 1.6.1
>
>
> The change fixes the following KSM issue on RHEL systems with FIPS enabled:
> {code:java}
> Exception in thread "main" java.security.ProviderException: Could not derive key
>     at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:145)
>     at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:586)
>     at com.keepersecurity.secretsManager.core.CryptoUtils.getEciesSymmetricKey(CryptoUtils.kt:149)
>     at com.keepersecurity.secretsManager.core.CryptoUtils.publicEncrypt(CryptoUtils.kt:160)
>     at com.keepersecurity.secretsManager.core.SecretsManager.generateTransmissionKey(SecretsManager.kt:1105)
>     at com.keepersecurity.secretsManager.core.SecretsManager.fetchAndDecryptSecrets(SecretsManager.kt:1517)
>     at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt:395)
>     at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets$default(SecretsManager.kt:393)
>     at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt)
>     at com.keepersecurity.secretsManager.fipsTest.Main.main(Main.java:17)
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
>     at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
>     at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:140)
>     ... 9 more
> {code}
>
> KSM expects us to use a correct security provider for proper functioning of the
> [Java/Kotlin SDK|https://docs.keeper.io/en/secrets-manager/secrets-manager/developer-sdk-library/java-sdk]
> {code:java}
> Keeper will use the default cryptographic module of the Java runtime unless a
> specific provider is added. In the examples here in this documentation, we
> are using the BouncyCastle FIPS provider. {code}
> The Security.addProvider method checks internally for duplication so it is
> safe to add the same provider multiple times.
> {code:java}
> -1 if the provider was not added because it is already installed. {code}
> The provider is added to the end of the provider list so I believe it is safe
> to add the BouncyCastle FIPS provider by default. In this case, when some
> code requests a cryptographic method/protocol, the BouncyCastle FIPS provider
> will be used either in case of an exact match or as a fallback option.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
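An added example, not code from the issue or from the Guacamole project, showing the two behaviours the report relies on: Security.addProvider() returning -1 on a duplicate registration, and the appended BouncyCastle FIPS provider being reached only as a fallback in default lookup but always on an exact provider match. It assumes the bc-fips jar is on the classpath; the class name ProviderOrderDemo is hypothetical.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class ProviderOrderDemo {

    /** Appends BCFIPS to the provider list; safe to call repeatedly. */
    static void registerBcFips() {
        int pos = Security.addProvider(new BouncyCastleFipsProvider());
        // addProvider() returns -1 when a provider with the same name is already
        // installed, so a second call is a no-op rather than a duplicate entry.
        System.out.println(pos == -1 ? "BCFIPS already installed"
                                     : "BCFIPS installed at position " + pos);
    }

    /** Derives an ECDH shared secret, optionally pinning the provider by name. */
    static byte[] ecdhSharedSecret(String providerName) throws Exception {
        KeyPairGenerator kpg = providerName == null
                ? KeyPairGenerator.getInstance("EC")
                : KeyPairGenerator.getInstance("EC", providerName);
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair alice = kpg.generateKeyPair();   // constructed test keys, not real secrets
        KeyPair bob = kpg.generateKeyPair();
        KeyAgreement ka = providerName == null
                ? KeyAgreement.getInstance("ECDH")
                : KeyAgreement.getInstance("ECDH", providerName);
        ka.init(alice.getPrivate());
        ka.doPhase(bob.getPublic(), true);
        // This is the step that failed under SunPKCS11 in the stack trace above.
        System.out.println("ECDH served by provider: " + ka.getProvider().getName());
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        registerBcFips();
        registerBcFips(); // second call prints "already installed" (return value -1)

        // Default lookup walks providers in list order; BCFIPS sits last, so it is
        // only used when no earlier provider (e.g. SunPKCS11) offers the algorithm.
        System.out.println("Provider order: " + Arrays.toString(
                Arrays.stream(Security.getProviders()).map(Provider::getName).toArray()));
        ecdhSharedSecret(null);      // first provider offering EC + ECDH wins
        ecdhSharedSecret("BCFIPS");  // exact match: always the BouncyCastle FIPS code
    }
}
```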