Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use PKCS5Padding instead of ISO10126Padding for secrets encryption (#…
…14193) * Use PKCS5 instead of ISO10126 padding for secrets encryption If Graylog is run in an FIPS environment there is no crypto provider available that supports "AES/CBC/ISO10126Padding". This is likely because this padding standard was withdrawn from ISO in 2007. It is considered bad practice to leave a subliminal channel in the padding. We tried to workaround this by explicitly using BouncyCastle for the encryption/decryption. This however creates problems with Oracle Java, because we strip the signature off the bouncy castle jar while repackaging it into our Uber-Jar. In contrast to OpenJDK, Oracle Java does not allow the use of unsigned Security Providers. Solution: Change our secret encryption to using PKCS5Padding instead. There is a FIPS compatible provider "SunPKCS11-NSS-FIPS" available which supports "AES/CBC/PKCS5Padding". For backwards compatibility, we decrypt the ISO10126Padded keys without stripping the padding, and do that manually. Fixes #14153 Refs #13525 * use explicit type to simplify backport * Also try legacy decoding when catching a ProviderException This seems to happen with FIPS enabled OpenJDK 17 * Try decrypting legacy keys on any Exception * improve wording on comments * improve changelog
- Loading branch information
Showing
3 changed files
with
67 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
type = "fixed" | ||
message = "Improve JVM security provider compatibility by switching to a widely supported cipher transformation" | ||
|
||
issues = ["14153"] | ||
pulls = ["14193"] | ||
|
||
contributors = [""] | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters