Quarkus native build does not work with Bouncy Castle BC-FIPS 1.0.2.4

[jingwang]

Describe the bug

When trying to build native image with BouncyCastle BC-FIPS 1.0.2.4 (https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT)

        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bc-fips</artifactId>
            <version>1.0.2.4</version>
        </dependency>

the build failed with Error: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom com.oracle.svm.core.util.UserError$UserException: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom

Expected behavior

Build should pass with the following config/cmd
pom.xml

......
    <properties>
        <version.cdi>4.0.1</version.cdi>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
        <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
        <quarkus.platform.version>3.0.1.Final</quarkus.platform.version>
        <quarkus-plugin.version>3.0.1.Final</quarkus-plugin.version>
        <compiler-plugin.version>3.11.0</compiler-plugin.version>
        <surefire-plugin.version>3.0.0</surefire-plugin.version>
        <lombok.version>1.18.26</lombok.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <maven.compiler.parameters>true</maven.compiler.parameters>
    </properties>

    <dependencyManagement>
        <dependencies>

            <dependency>
                <groupId>${quarkus.platform.group-id}</groupId>
                <artifactId>${quarkus.platform.artifact-id}</artifactId>
                <version>${quarkus.platform.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>jakarta.enterprise</groupId>
            <artifactId>jakarta.enterprise.cdi-api</artifactId>
            <version>${version.cdi}</version>
        </dependency>
        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-security</artifactId>
        </dependency>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-netty</artifactId>
        </dependency>

        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bc-fips</artifactId>
            <version>1.0.2.4</version>
        </dependency>

    </dependencies>
......

build cmd:

mvn clean package -Dquarkus.container-image.build=true -Dquarkus.native.container-runtime=docker -Pnative

Actual behavior

Build failed with the following error:

Error: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom
com.oracle.svm.core.util.UserError$UserException: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom
	at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.UserError.abort(UserError.java:73)
	at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.UserError.guarantee(UserError.java:97)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.findOriginalField(AnnotationSubstitutionProcessor.java:878)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleFieldInAliasClass(AnnotationSubstitutionProcessor.java:523)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleAliasClass(AnnotationSubstitutionProcessor.java:427)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleClass(AnnotationSubstitutionProcessor.java:394)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.init(AnnotationSubstitutionProcessor.java:350)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.createAnnotationSubstitutionProcessor(NativeImageGenerator.java:966)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.setupNativeImage(NativeImageGenerator.java:868)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.doRun(NativeImageGenerator.java:575)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.run(NativeImageGenerator.java:535)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.buildImage(NativeImageGeneratorRunner.java:403)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.build(NativeImageGeneratorRunner.java:580)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.main(NativeImageGeneratorRunner.java:128)

How to Reproduce?

No response

Output of uname -a or ver

Darwin 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64 x86_64

Output of java -version

openjdk version "17.0.6" 2023-01-17 OpenJDK Runtime Environment GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13) OpenJDK 64-Bit Server VM GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13, mixed mode, sharing)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

3.0.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)

Additional information

BC-FIPS 1.0.2.4 is a patched version of 1.0.2.3 that addresses a CVE targeting java 13+.
Note that BC-FIPS 1.0.2.3 works fine with native build.

[quarkus-bot]

/cc @Karm (securepipeline), @jerboaa (securepipeline)

[sberyozkin]

Current version used in Quarkus is 1.0.2.3 so it is not bug. I also think it may be invalid - since Quarkus does some build time processing for native only if it is sees quarkus.security.security-providers=BCFIPS configuration property.

[sberyozkin]

Will keep the issue open as a reminder that we have to update to 1.0.2.4

[jingwang]

Hi @sberyozkin sorry I forgot to mention that I did have this configured in the properties file:

quarkus.security.security-providers=BCFIPS

The reason we need to use (or prepare to use) 1.0.2.4 is that bc-fips 1.x is only certified with java 8 and 11. We recently upgraded to java 17. While bc-fips 2.0 is still being certified, earlier this year, Bouncy Castle patched a memory corruption bug that corrupted the encryption key and it impacts only Java 13 or higher. As a result, before bc-fips 2.0 is officially certified and available, we are left with the only option with 1.0.2.4.

We have also asked Bouncy Castle - here is the reply:

With Quarkus, it looks like they've made use of reflection, we're completely in the dark on this one, didn't even know they'd done it otherwise we might have been able to take it into account or point out a safer way of doing it. You'll need to speak to them.

The internal structure of the DRBG set up has changed to avoid a synchronization bottleneck that some applications were running into. From a user point of view there isn't any change, Quarkus is not attempting to use the published API, it appears to be trying to use reflection.

[gsmet]

@sberyozkin I will see if I can handle this one.

[jingwang]

Thanks @gsmet
Note that bc-fips 1.0.2.4 is not currently available from the central maven repository. You will need to get the jar from Bouncy Castle's website.

[sberyozkin]

@jingwang Hi, that code replaces some test key generation methods as far as I recall, otherwise it wont work in native mode. So that code will have be tuned to work with 1.0.2.4, but not sure how to handle it without it being in Maven Central...

[sberyozkin]

Hey @gsmet thanks for having a look, we looked at it with Galder as far as I recall

[gsmet]

The fact that it's not available on Maven Central is definitely not ideal. Why is that?

One option would be to have conditional substitutions but we wouldn't be able to test them, which is not very appealing...

[jingwang]

1.0.2.4 is not in maven central because it hasn't been certified. Please see the explanation here: https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT

[jingwang]

Thanks @sberyozkin and @gsmet
According to bouncy castle, 1.0.2.4 "are the closest thing to release candidates for the next update" even though it is not certified yet (hence why it is not in maven central). That's why we are hoping if we could make it work, we should be able to make the next certified version work.
The source jar file can be downloaded from https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT
You mentioned some test key generation methods were replaced - is it possible to point me to a PR or the classes that were affected?
Thanks.

[sberyozkin]

@jingwang Sure, see #16105.

You can find the actual class and method signatures in those substitutions, if you can help to identify the actual method signature change in 1.2.0.4 which causes the above failure then it would be great, hopefully we can indeed do a finer grained conditional substitution

[jingwang]

Thanks @sberyozkin . I will take a look.

[sberyozkin]

Closing as a duplicate of #36735