DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

Closed
psvo opened this issue Mar 16, 2023 · 2 comments
Labels: in: crypto (An issue in spring-security-crypto), type: bug (A general bug)
Milestone: 5.8.3
Comments

@psvo (Contributor) commented Mar 16, 2023

Describe the bug

Creating instance of DaoAuthenticationProvider fails due to "PBKDF2WithHmacSHA256 SecretKeyFactory not available" when running on RHEL 8.7 with enforced FIPS mode.

The problem is that the DaoAuthenticationProvider creates a default delegating password encoder and one of the delegates fails to instantiate due to limited JCE provider availability when FIPS is enforced.

There's no workaround, because the DaoAuthenticationProvider has only the default constructor which fails due to unconditionally calling org.springframework.security.crypto.factory.PasswordEncoderFactories#createDelegatingPasswordEncoder.

The error is:

org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.dao.DaoAuthenticationProvider]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Invalid algorithm 'PBKDF2WithHmacSHA256'.
	... more
Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
	at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122) ~[?:?]
	at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168) ~[?:?]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.java:226) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.<init>(Pbkdf2PasswordEncoder.java:179) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8(Pbkdf2PasswordEncoder.java:207) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(PasswordEncoderFactories.java:81) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.<init>(DaoAuthenticationProvider.java:64) ~[spring-security-core-5.8.2.jar:5.8.2]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	... more

This is a regression in 5.8.2. It worked for us in Spring Security 5.7.4, because we were overwriting the default password encoder before it tried to retrieve the algorithm.

The issue was most probably introduced by PR #11904 (c50441b) as a fix for issue #10489.

To Reproduce

  1. Write an application using DaoAuthenticationProvider from Spring Security 5.8.2.
  2. Run the application on RHEL 8.7 with enforced FIPS mode for JDK 11.

Expected behavior

Be able to use DaoAuthenticationProvider on RHEL 8.7 with enforced FIPS mode for JDK 11.

Allow providing a custom PasswordEncoder when instantiating DaoAuthenticationProvider to bypass the instantiation of the default delegating password encoder (PasswordEncoderFactories#createDelegatingPasswordEncoder).

@psvo psvo added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 16, 2023
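As an added example (not code from this issue or from the Spring Security project): a delegating password encoder that probes the installed JCE providers before registering the PBKDF2 delegate, then wires that encoder into DaoAuthenticationProvider so that PasswordEncoderFactories#createDelegatingPasswordEncoder is never the only path to a usable provider. The class name FipsSafePasswordEncoders and its methods are the example's own. It assumes Spring Security 5.8.3 or later, where the default constructor no longer throws under a restricted provider set (the fix this issue was closed with), or, via the commented line, the single-argument PasswordEncoder constructor added to 6.0.x; the sample password is constructed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.crypto.SecretKeyFactory;

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;

/**
 * Added example, not code from the Spring Security project or from this issue.
 * Builds a DelegatingPasswordEncoder that registers the PBKDF2 delegate only when
 * the JCE provider set actually offers PBKDF2WithHmacSHA256, then hands that
 * encoder to DaoAuthenticationProvider so the default delegating encoder is not
 * the component the application depends on.
 * Assumption: Spring Security 5.8.3+ (default constructor guarded) or 6.0.3+
 * (PasswordEncoder constructor). Class and method names are the example's own.
 */
public final class FipsSafePasswordEncoders {

    private static final String PBKDF2_SHA256 = "PBKDF2WithHmacSHA256";

    private FipsSafePasswordEncoders() {
    }

    /** True when some installed provider can supply the given SecretKeyFactory algorithm. */
    public static boolean isSecretKeyFactoryAvailable(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        }
        catch (NoSuchAlgorithmException ex) {
            // This is exactly the exception the stack trace in the issue reports
            // when FIPS mode is enforced; here it is a probe result, not a failure.
            return false;
        }
    }

    /**
     * Same id layout as PasswordEncoderFactories in 5.8 (bcrypt is the id used for
     * newly encoded hashes), but each JCE-backed delegate is probed before it is
     * constructed. Stored hashes whose id has no delegate on this JVM will fail to
     * match, which is the correct outcome under a restricted provider set.
     */
    public static PasswordEncoder createFipsTolerantEncoder() {
        Map<String, PasswordEncoder> encoders = new LinkedHashMap<>();
        // bcrypt in spring-security-crypto is a pure-Java implementation and needs
        // no SecretKeyFactory, so it is safe to register and to use for new hashes.
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        if (isSecretKeyFactoryAvailable(PBKDF2_SHA256)) {
            // Only reached when the provider offers PBKDF2WithHmacSHA256; this is the
            // constructor that throws under enforced FIPS in the issue's trace.
            encoders.put("pbkdf2@SpringSecurity_v5_8",
                    Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        }
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    /** Wires the provider with the probed encoder instead of the factory default. */
    public static DaoAuthenticationProvider authenticationProvider(UserDetailsService userDetailsService) {
        // Spring Security 6.0.3+: new DaoAuthenticationProvider(createFipsTolerantEncoder())
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setPasswordEncoder(createFipsTolerantEncoder());
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }

    /** Startup diagnostic: which SecretKeyFactory algorithms the JCE providers expose. */
    public static void main(String[] args) {
        Set<String> algorithms = Security.getAlgorithms("SecretKeyFactory");
        System.out.println("SecretKeyFactory algorithms: " + algorithms);
        System.out.println(PBKDF2_SHA256 + " available: " + isSecretKeyFactoryAvailable(PBKDF2_SHA256));

        PasswordEncoder encoder = createFipsTolerantEncoder();
        String sample = "correct horse battery staple"; // constructed sample password
        String hash = encoder.encode(sample);
        System.out.println("encoded with id prefix: " + hash.substring(0, hash.indexOf('}') + 1));
        System.out.println("matches: " + encoder.matches(sample, hash));
    }
}
```

Run the main method on the FIPS-enforced host before wiring the provider: the printed algorithm set tells you which delegates can exist on that JVM, and the probe keeps the encoder map honest about it rather than discovering the gap through a BeanInstantiationException at startup.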
psvo added a commit to psvo/spring-security that referenced this issue Mar 16, 2023
Add a new constructor to the DaoAuthenticationProvider, which allows
providing a custom PasswordEncoder to prevent instantiation of the
default delegating PasswordEncoder in the default constructor.

This provides a way to instantiate the DaoAuthenticationProvider on JDKs
where the default delegating PasswordEncoder cannot be instantiated due
to limited JCE providers for compliance reasons (e.g., FIPS).

Closes gh-12873
@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 31, 2023
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Apr 3, 2023
@marcusdacoregio marcusdacoregio added this to the 5.8.3 milestone Apr 4, 2023
@marcusdacoregio marcusdacoregio added in: crypto An issue in spring-security-crypto and removed in: core An issue in spring-security-core labels Apr 4, 2023
@marcusdacoregio (Contributor)
Thanks, @psvo, this is now fixed in 5.8.x via d5603a9. That commit adds a guard around the new algorithm added and prevents an application from breaking.

If you can test the SNAPSHOT, it would be great to have feedback on whether it is working fine before the GA.

The new constructor was added to 6.0.x via #12874

@psvo (Contributor, Author) commented Apr 12, 2023

> If you can test the SNAPSHOT, it would be great to have feedback on whether it is working fine before the GA.

@marcusdacoregio, I can confirm the fix merged to 5.8.3-SNAPSHOT works for me. Thank you!
