BCFIPS 2.0 StackOverflowError when loading com.sun.jna.Native #1800

Closed
vmwzhangv opened this issue Aug 30, 2024 · 5 comments

@vmwzhangv

vmwzhangv commented Aug 30, 2024

We are trying to upgrade from BCFIPS 1.0.2.4 to BCFIPS 2.0.0, and immediately ran into the issue below. Our Java service uses the BouncyCastleFipsProvider to be FIPS compliant. Our java.security file has the following lines.

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
securerandom.source=file:/dev/random

This happens if the securerandom.strongAlgorithms is missing or set to DEFAULT:BCFIPS.
securerandom.strongAlgorithms=DEFAULT:BCFIPS

Setting it to NativePRNGBlocking:SUN will make the issue disappear, but we heard the algorithm is NOT FIPS compliant.

We are not seeing the issue with the previous version, only with the new 2.0.0 version. If anything changed, we expect there is a recommended java.security configuration to make BCFIPS 2.0 just work out of the box. However, we cannot find any documentation on how to make the configuration work.

PS: Writing a customized initialization, by bootstrapping from a default JVM SecureRandom to a FipsSecureRandom, can get rid of the issue, but we are not sure that workaround is FIPS-compliant.

Everyone is expecting that BCFIPS 2.0 can just work out of the box without writing a customized initializer.

Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.StackOverflowError [in thread "main"]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
...
at java.base/java.security.SecureRandom.getDefaultPRNG(Unknown Source) ~[?:?]
at java.base/java.security.SecureRandom.(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$900(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$HybridSecureRandom.(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:28) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.SecureRandom.getDefaultPRNG(Unknown Source) ~[?:?]
at java.base/java.security.SecureRandom.(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$3.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getCoreSecureRandom(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.access$900(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$HybridSecureRandom.(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultEntropySource(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$1.get(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.crypto.CryptoServicesRegistrar.getSecureRandomIfSet(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(ProvRandom.java:28) ~[bc-fips-2.0.0.jar:2.0.0]
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
at java.base/java.security.SecureRandom.getDefaultPRNG(Unknown Source) ~[?:?]
at java.base/java.security.SecureRandom.(Unknown Source) ~[?:?]
at java.base/java.io.File$TempDirectory.(Unknown Source) ~[?:?]
at java.base/java.io.File.createTempFile(Unknown Source) ~[?:?]
at com.sun.jna.Native.extractFromResourcePath(Native.java:1170) ~[jna-5.14.0.jar:5.14.0 (b0)]
at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:1032) ~[jna-5.14.0.jar:5.14.0 (b0)]
at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:1011) ~[jna-5.14.0.jar:5.14.0 (b0)]
at com.sun.jna.Native.(Native.java:221) ~[jna-5.14.0.jar:5.14.0 (b0)]
at com.sun.jna.ptr.PointerByReference.(PointerByReference.java:40) ~[jna-5.14.0.jar:5.14.0 (b0)]

@dghgit
Contributor

dghgit commented Aug 31, 2024

securerandom.strongAlgorithms should be set to NativePRNGBlocking:SUN, or a QRNG if you've got one - the field is used for retrieving the JVM's seed generator as an entropy source. BCFIPS is a software provider, it cannot generate its own entropy.

dghgit closed this as completed Aug 31, 2024

@vmwzhangv
Author

@dghgit Thanks for your response, David! Can you also confirm that using "securerandom.StrongAlgorithms = NativePRNGBlocking:SUN" is FIPS compliant?
I have also seen someone use "securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN", with DRBG:SUN as the second in the list. Is setting DRBG:SUN as the second in the list overkill or a recommendation?

@mgrundie-r7

It would be good to get clarification on this. Reading online would suggest that using the SUN provider is not FIPS compliant. To be certain of FIPS compliance we would like to un-register non-FIPS providers from the JCA, but removing the SUN provider breaks BouncyCastle.

@dghgit
Contributor

dghgit commented Nov 15, 2024

There are some things in the SUN provider which are not FIPS compliant, although as it happens it's safe to use the CertPath API and usually safe to use NativePRNGBlocking:SUN. You can remove the SUN provider providing you provide an alternative entropy source at:

securerandom.StrongAlgorithms

note: the BCFIPS provider is a software provider, putting DEFAULT:BCFIPS there will not work (it usually results in a stack overflow). We're currently experimenting with a single entropy provider based on JENT (as an example).

One further note: as SP 800-90B becomes more established, use of NativePRNGBlocking:SUN can potentially move into non-compliance if /dev/random in the underlying OS is not SP 800-90B compliant. As far as I am aware it is not a big issue right now, but it's coming.
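
A startup preflight for the misconfiguration discussed in this thread, as an added example that is not part of the thread and not Bouncy Castle code: it reads securerandom.strongAlgorithms and fails fast when the value is missing or names BCFIPS as its own entropy source. The class name StrongAlgorithmsPreflight is hypothetical, and treating a missing value as an error is an assumption based on the original report.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class; run it before any code that creates a SecureRandom.
public class StrongAlgorithmsPreflight {
    // Provider name as it appears on this page in DEFAULT:BCFIPS.
    static final String BCFIPS = "BCFIPS";

    /** Returns the problems found in a securerandom.strongAlgorithms value; empty means OK. */
    static List<String> check(String value) {
        List<String> problems = new ArrayList<>();
        if (value == null || value.trim().isEmpty()) {
            // Assumption from the report: a missing value behaves like DEFAULT:BCFIPS.
            problems.add("securerandom.strongAlgorithms is not set");
            return problems;
        }
        // The property is a comma-separated list of algorithm:provider entries.
        for (String entry : value.split(",")) {
            String[] parts = entry.trim().split(":", 2);
            String provider = parts.length == 2 ? parts[1].trim() : "";
            if (provider.equals(BCFIPS)) {
                problems.add("entry '" + entry.trim()
                        + "' points BCFIPS at itself for entropy");
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed samples: the three values quoted in the thread.
        String[] samples = {
            "DEFAULT:BCFIPS",
            "NativePRNGBlocking:SUN",
            "NativePRNGBlocking:SUN,DRBG:SUN"
        };
        for (String sample : samples) {
            System.out.println(sample + " -> " + check(sample));
        }
        // Security.getProperty only reads the setting; it does not create a SecureRandom.
        String live = Security.getProperty("securerandom.strongAlgorithms");
        List<String> problems = check(live);
        System.out.println("live value " + live + " -> " + problems);
        if (!problems.isEmpty()) {
            System.exit(1);
        }
    }
}
```

The check says nothing about whether the configured source is FIPS or SP 800-90B compliant; it only catches the self-referencing value that the thread ties to the stack overflow.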

@mgrundie-r7

Thanks for the response @dghgit
