Use PKCS5Padding instead of ISO10126Padding for secrets encryption #14193
Conversation
If Graylog is run in a FIPS environment there is no crypto provider available that supports "AES/CBC/ISO10126Padding". This is likely because this padding standard was withdrawn from ISO in 2007. It is considered bad practice to leave a subliminal channel in the padding.

We tried to work around this by explicitly using BouncyCastle for the encryption/decryption. This however creates problems with Oracle Java, because we strip the signature off the BouncyCastle jar while repackaging it into our Uber-Jar. In contrast to OpenJDK, Oracle Java does not allow the use of unsigned Security Providers.

Solution: Change our secret encryption to use PKCS5Padding instead. There is a FIPS-compatible provider "SunPKCS11-NSS-FIPS" available which supports "AES/CBC/PKCS5Padding". For backwards compatibility, we decrypt the ISO10126-padded keys without stripping the padding, and do that manually.

Fixes #14153
Refs #13525
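The migration the description outlines, shown as an added example that is not Graylog's own code: new values are written and read with "AES/CBC/PKCS5Padding", while values written by the old code with "AES/CBC/ISO10126Padding" are decrypted through "AES/CBC/NoPadding" and the ISO 10126 padding is stripped by hand. The raw 16-byte key, the random IV prepended to the ciphertext, and the `encryptLegacyForDemo` helper that fabricates an old-style value are assumptions made for the demo, not Graylog's actual storage format; the provider lookup uses the JDK default, whereas a FIPS deployment would resolve the transformation from "SunPKCS11-NSS-FIPS".

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SecretPaddingMigration {
    private static final int BLOCK = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // New path: PKCS5Padding is offered by FIPS providers, ISO10126Padding is not.
    static byte[] encrypt(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext)); // assumption: IV || ciphertext layout
    }

    static byte[] decrypt(byte[] key, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv(ivAndCt)));
        return c.doFinal(body(ivAndCt)); // provider validates and strips PKCS#5 padding
    }

    // Legacy path: the stored value was padded with ISO 10126 (random bytes, then a
    // length byte). Decrypt with NoPadding so no padding-aware provider is needed.
    static byte[] decryptLegacy(byte[] key, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv(ivAndCt)));
        return stripIso10126(c.doFinal(body(ivAndCt)));
    }

    // ISO 10126: only the final byte carries information (the pad length, 1..16);
    // the bytes before it are random, so there is nothing else to check.
    static byte[] stripIso10126(byte[] padded) {
        if (padded.length == 0 || padded.length % BLOCK != 0) {
            throw new IllegalArgumentException("ciphertext is not a whole number of blocks");
        }
        int padLen = padded[padded.length - 1] & 0xff;
        if (padLen < 1 || padLen > BLOCK) {
            throw new IllegalArgumentException("invalid ISO 10126 pad length: " + padLen);
        }
        return Arrays.copyOf(padded, padded.length - padLen);
    }

    // Constructed for the demo only: reproduces what "AES/CBC/ISO10126Padding"
    // would have written, so the legacy path can be exercised without that provider.
    static byte[] encryptLegacyForDemo(byte[] key, byte[] plaintext) throws Exception {
        int padLen = BLOCK - (plaintext.length % BLOCK); // always at least one byte
        byte[] padded = Arrays.copyOf(plaintext, plaintext.length + padLen);
        byte[] random = new byte[padLen - 1];
        RNG.nextBytes(random);
        System.arraycopy(random, 0, padded, plaintext.length, random.length);
        padded[padded.length - 1] = (byte) padLen;
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return concat(iv, c.doFinal(padded));
    }

    private static byte[] iv(byte[] ivAndCt) { return Arrays.copyOfRange(ivAndCt, 0, BLOCK); }
    private static byte[] body(byte[] ivAndCt) { return Arrays.copyOfRange(ivAndCt, BLOCK, ivAndCt.length); }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed demo key
        byte[] secret = "ldap-bind-password".getBytes(StandardCharsets.UTF_8);

        // Value written by the new code round-trips through the provider's PKCS#5 handling.
        byte[] fresh = encrypt(key, secret);
        System.out.println("new:    " + new String(decrypt(key, fresh), StandardCharsets.UTF_8));

        // Value written by the old code is readable via NoPadding plus manual stripping.
        byte[] legacy = encryptLegacyForDemo(key, secret);
        System.out.println("legacy: " + new String(decryptLegacy(key, legacy), StandardCharsets.UTF_8));
    }
}
```

Reading a legacy value through the PKCS5Padding transformation would fail (the random ISO 10126 filler bytes do not match PKCS#5), which is why the old values need the separate NoPadding path; a caller that knows which format a stored value has (for example from a version marker alongside it) can pick the matching method directly.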
Great work, thank you! 🙏
I tested this with a 4.3 setup and LDAP. Without this change, I created the LDAP settings (and thus an encrypted value). Then I updated to a 4.3 that has this change applied. Everything worked.
I also tested on a FIPS-enabled RedHat.

This seems to happen with FIPS-enabled OpenJDK 17
Looks good. Pending the one comment from @bernd, I think this is good to go.
Tested with RHEL 9 with FIPS mode disabled and also enabled. I was able to reproduce the issue with Oracle JDK 17 and Graylog version 5.0 and could observe the error being fixed when using the snapshot build for this PR. Reading encrypted values which have been written with Graylog version 5.0 worked flawlessly after the fix was applied.