Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MySQL client does not use providers by default available in FIPS-enabled environment #1436

Open
michalvavrik opened this issue May 2, 2024 · 6 comments
Open

MySQL client does not use providers by default available in FIPS-enabled environment #1436

michalvavrik opened this issue May 2, 2024 · 6 comments
Assignees
@tsegismont
Labels
bug
Milestone
4.5.11

Comments

@michalvavrik
Copy link

michalvavrik commented May 2, 2024
edited
Loading

Questions

I am having trouble to use MySQL client in FIPS-enabled environment as RSA/ECB/OAEPWithSHA-1AndMGF1Padding set in the https://github.com/eclipse-vertx/vertx-sql-client/blob/master/vertx-mysql-client/src/main/java/io/vertx/mysqlclient/impl/util/RsaPublicKeyEncryptor.java#L59 is in OpenJDK provided by SunJCE provider in non-FIPS mode. But the provier is not present by default in FIPS-enabled env.

11:31:40,980 INFO  [app] 11:31:39,754 HTTP Request to /q/webauthn/register failed, error id: fca3b38c-d42c-4b73-8248-28a5070e0afc-1: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPWithSHA-1AndMGF1Padding
11:31:40,980 INFO  [app] 	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:571)
11:31:40,980 INFO  [app] 	at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:59)
11:31:40,980 INFO  [app] 	at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:34)
11:31:40,980 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.sendEncryptedPasswordWithServerRsaPublicKey(AuthenticationCommandBaseCodec.java:87)
11:31:40,980 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.handleAuthMoreData(AuthenticationCommandBaseCodec.java:46)
11:31:40,981 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.handleAuthentication(InitialHandshakeCommandCodec.java:179)
11:31:40,981 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.decodePayload(InitialHandshakeCommandCodec.java:63)
11:31:40,981 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.MySQLDecoder.decodePackets(MySQLDecoder.java:69)
11:31:40,981 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.MySQLDecoder.channelRead(MySQLDecoder.java:45)
11:31:40,981 INFO  [app] 	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
11:31:40,981 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
11:31:40,981 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,981 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,981 INFO  [app] 	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
11:31:40,982 INFO  [app] 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
11:31:40,982 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
11:31:40,982 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,982 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,982 INFO  [app] 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
11:31:40,982 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
11:31:40,982 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,982 INFO  [app] 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
11:31:40,982 INFO  [app] 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
11:31:40,983 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
11:31:40,983 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
11:31:40,983 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
11:31:40,983 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
11:31:40,983 INFO  [app] 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
11:31:40,983 INFO  [app] 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
11:31:40,983 INFO  [app] 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
11:31:40,983 INFO  [app] 	at java.base/java.lang.Thread.run(Thread.java:840)
11:31:40,984 INFO  [app] Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPWithSHA-1AndMGF1Padding
11:31:40,984 INFO  [app] 	at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:137)
11:31:40,984 INFO  [app] 	at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
11:31:40,984 INFO  [app] 	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:564)
11:31:40,984 INFO  [app] 	... 30 more
11:31:40,984 INFO  [app] 11:31:39,917 HTTP Request to /q/webauthn/register failed, error id: fca3b38c-d42c-4b73-8248-28a5070e0afc-2: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPWithSHA-1AndMGF1Padding
11:31:40,984 INFO  [app] 	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:571)
11:31:40,984 INFO  [app] 	at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:59)
11:31:40,984 INFO  [app] 	at io.vertx.mysqlclient.impl.util.RsaPublicKeyEncryptor.encrypt(RsaPublicKeyEncryptor.java:34)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.sendEncryptedPasswordWithServerRsaPublicKey(AuthenticationCommandBaseCodec.java:87)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.AuthenticationCommandBaseCodec.handleAuthMoreData(AuthenticationCommandBaseCodec.java:46)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.handleAuthentication(InitialHandshakeCommandCodec.java:179)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.InitialHandshakeCommandCodec.decodePayload(InitialHandshakeCommandCodec.java:63)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.MySQLDecoder.decodePackets(MySQLDecoder.java:69)
11:31:40,985 INFO  [app] 	at io.vertx.mysqlclient.impl.codec.MySQLDecoder.channelRead(MySQLDecoder.java:45)
11:31:40,985 INFO  [app] 	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
11:31:40,985 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
11:31:40,985 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,986 INFO  [app] 	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
11:31:40,986 INFO  [app] 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
11:31:40,986 INFO  [app] 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
11:31:40,986 INFO  [app] 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
11:31:40,986 INFO  [app] 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
11:31:40,987 INFO  [app] 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
11:31:40,987 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
11:31:40,987 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
11:31:40,987 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
11:31:40,987 INFO  [app] 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
11:31:40,987 INFO  [app] 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
11:31:40,987 INFO  [app] 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
11:31:40,987 INFO  [app] 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
11:31:40,988 INFO  [app] 	at java.base/java.lang.Thread.run(Thread.java:840)
11:31:40,988 INFO  [app] Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPWithSHA-1AndMGF1Padding
11:31:40,988 INFO  [app] 	at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:137)
11:31:40,988 INFO  [app] 	at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
11:31:40,988 INFO  [app] 	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:564)
11:31:40,988 INFO  [app] 	... 30 more

Version

Vert.X 4.5.7.

Context

I'd expect that if the cipher has to be hardcoded, the default cipher is such that I can actually use in FIPS-enabled environment. with the RH OpenJDK without doing any extra work and have it working. For example RSA/ECB/PKCS1Padding could be used.

Do you have a reproducer?

Yes. Run it in FIPS-enabled environment.

Steps to reproduce

  1. git clone git@github.com:michalvavrik/quarkus-test-suite.git
  2. cd quarkus-test-suite/security/webauthn
  3. git checkout feature/fix-webauth-fips
  4. mvn clean verify -Dreruns=0 (if you don't have Quarkus 999-SNAPSHOT I guess you can also use -Dquarkus.platform.version=3.9.4 or some other version)

Extra

  • RHEL 8.8, Red Hat OpenJDK 17 & 21, Quarkus extension, registry.access.redhat.com/rhscl/mysql-80-rhel7
This was referenced May 2, 2024
Merged
Merged
@tsegismont tsegismont self-assigned this May 17, 2024
@tsegismont tsegismont added this to the 4.5.8 milestone May 17, 2024
@tsegismont
Copy link
Contributor

Thanks for reporting this @michalvavrik , I'll take a look asap

@tsegismont
Copy link
Contributor

@michalvavrik I've checked what the MySQL Connector for Java does for caching sha-2 authentication and it seems to use the same cipher.

Have you bean able to create a working setup with Quarkus + MySQL JDBC driver with fips mode enabled? In this case, can you help me do the same or get access to such an environment? I'd like to debug what the driver does in this case. Thanks

@michalvavrik
Copy link
Author

@michalvavrik I've checked what the MySQL Connector for Java does for caching sha-2 authentication and it seems to use the same cipher.

Have you bean able to create a working setup with Quarkus + MySQL JDBC driver with fips mode enabled? In this case, can you help me do the same or get access to such an environment? I'd like to debug what the driver does in this case. Thanks

MySQL JDBC driver is now working in FIPS-enabled environment with the https://github.com/mysql/mysql-connector-j/blob/release/8.x/src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/CachingSha2PasswordPlugin.java#L156 RSA/ECB/PKCS1Padding, I can certainly give you temp access to such an environment. I'll send you DM.

@vietj vietj modified the milestones: 4.5.8, 4.5.9 May 24, 2024
@vietj vietj modified the milestones: 4.5.9, 4.5.10 Jul 17, 2024
@tsegismont
Copy link
Contributor

@michalvavrik any news about this?

@michalvavrik
Copy link
Author

@michalvavrik any news about this?

Yeah, right? I am terribly sorry to forgetting about you. ATM I have urgent work stuff, but I'll find time by the end of this week and prepare you env. I'll send you email before the end of the week.

@tsegismont
Copy link
Contributor

No worries, this is not high priority from a community standpoint, so it can wait until next week. In fact, I won't be able to work on this immediately. Just wanted to give you heads-up so that we both plan some time.

@vietj vietj modified the milestones: 4.5.10, 4.5.11 Sep 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tsegismont tsegismont

Labels
bug
Projects
None yet
Milestone
4.5.11
Development

No branches or pull requests
3 participants
@vietj @tsegismont @michalvavrik