API incompatible with BouncyCastle in FIPS mode

Open nano2007 opened this issue 4 years ago • 8 comments

**Describe the bug**
API incompatible with BouncyCastle in FIPS mode

**Client Version**
all versions >= 7.0.0

**Kubernetes Version**
1.19.2

**Java Version**
Java 11

**To Reproduce**
Modify the JDK 11 conf/security/java.security file to use the BC FIPS provider as follows:

```properties
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:DEFRND[CTRAES256];ENABLE{ALL};
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=apple.security.AppleProvider
```

pom.xml:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.test.java</groupId>
  <artifactId>java-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>java-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>io.kubernetes</groupId>
        <artifactId>client-java</artifactId>
        <version>7.0.0</version> <!-- version 6.0.1 works fine -->
    </dependency>
  </dependencies>
</project>
```

Java test class:

```java
package com.test.java;

import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1Pod;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.Config;

public class KubeTest {
    public static void main(String[] args) throws Exception {
        // Config.defaultClient() reads the kubeconfig; with client-cert auth this
        // reaches SSLUtils, whose static initializer instantiates BouncyCastleProvider.
        ApiClient client = Config.defaultClient();
        Configuration.setDefaultApiClient(client);

        CoreV1Api api = new CoreV1Api();
        // Parameter count differs between client versions; the trailing null is for the newer signature.
        V1PodList list = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null/*, null*/);
        for (V1Pod item : list.getItems()) {
            System.out.println(item.getMetadata().getName());
        }
    }
}
```

Program Output:

```
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/crypto/CipherParameters
	at java.base/java.lang.ClassLoader.defineClass1(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:800)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:698)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:621)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:579)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at org.bouncycastle.jcajce.provider.asymmetric.DSA$Mappings.configure(Unknown Source)
	at org.bouncycastle.jce.provider.BouncyCastleProvider.loadAlgorithms(Unknown Source)
	at org.bouncycastle.jce.provider.BouncyCastleProvider.setup(Unknown Source)
	at org.bouncycastle.jce.provider.BouncyCastleProvider.access$000(Unknown Source)
	at org.bouncycastle.jce.provider.BouncyCastleProvider$1.run(Unknown Source)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.bouncycastle.jce.provider.BouncyCastleProvider.<init>(Unknown Source)
	at io.kubernetes.client.util.SSLUtils.<clinit>(SSLUtils.java:52)
	at io.kubernetes.client.util.credentials.ClientCertificateAuthentication.provide(ClientCertificateAuthentication.java:37)
	at io.kubernetes.client.util.credentials.KubeconfigAuthentication.provide(KubeconfigAuthentication.java:39)
	at io.kubernetes.client.util.ClientBuilder.build(ClientBuilder.java:307)
	at io.kubernetes.client.util.Config.defaultClient(Config.java:113)
	at com.journaldev.java.KubeTest.main(KubeTest.java:12)
```

**Expected behavior**
The program lists the pods in all namespaces

**KubeConfig**
If applicable, add a KubeConfig file with secrets redacted.

**Server (please complete the following information):**
 - OS: MacOS
 - Environment: Running directly on the host
 - Cloud: None

**Additional context**
The same program, with minor modifications for the Kubernetes imports and the listPodForAllNamespaces call, works as expected when using Kubernetes client version 6.0.1.


nano2007 avatar Jan 12 '22 17:01 nano2007

What version of BouncyCastle are you using? This looks like a problem in BouncyCastle itself; I suspect that the FIPS version is different than the standard one that we use.

brendandburns avatar Jan 13 '22 00:01 brendandburns

> What version of BouncyCastle are you using? This looks like a problem in BouncyCastle itself; I suspect that the FIPS version is different than the standard one that we use.

We have a requirement to use the FIPS version of BouncyCastle. We are currently using bcfips-1.0.2. This is configured in the java.security file as a security provider and causes some dependency issues. It would help to be able to use the FIPS version if configured in the classpath similar to how https://github.com/puppetlabs/jvm-ssl-utils/blob/main/src/java/com/puppetlabs/ssl_utils/SSLUtils.java is doing it. Is this something that can be considered?

nano2007 avatar Jan 24 '22 11:01 nano2007
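One way to implement the runtime provider detection nano2007 points to, as an added example that is not code from kubernetes-client/java or from the puppetlabs project: the class name BcProviderSelector and its methods are assumptions, and the only library facts relied on are that bc-fips registers as "BCFIPS" via org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider and bcprov as "BC" via org.bouncycastle.jce.provider.BouncyCastleProvider. Loading the provider class reflectively is what avoids the NoClassDefFoundError in the stack trace above, which comes from a hard-wired `new BouncyCastleProvider()` in a static initializer.

```java
import java.security.Provider;
import java.security.Security;

/**
 * Added example (hypothetical class, not part of kubernetes-client/java): choose
 * whichever BouncyCastle provider is present instead of hard-wiring bcprov, so the
 * class still loads on a BC FIPS classpath where org.bouncycastle.crypto.* is absent.
 */
public final class BcProviderSelector {

    // The FIPS provider ships in bc-fips, the standard one in bcprov.
    private static final String BC_FIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    private static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    private BcProviderSelector() {}

    /**
     * Returns the name of a usable BouncyCastle provider, registering one only if none
     * is already installed. Preference: a provider configured in java.security (BCFIPS
     * first, since that is the FIPS-approved one), then whichever class is on the classpath.
     */
    public static String selectProvider() throws ClassNotFoundException {
        for (String name : new String[] {"BCFIPS", "BC"}) {
            if (Security.getProvider(name) != null) {
                return name;
            }
        }
        for (String className : new String[] {BC_FIPS_CLASS, BC_CLASS}) {
            Provider p = instantiate(className);
            if (p != null) {
                Security.addProvider(p); // append, so the java.security ordering stays authoritative
                return p.getName();
            }
        }
        throw new ClassNotFoundException("neither bc-fips nor bcprov is on the classpath");
    }

    // Reflective load: a missing jar yields null here rather than a NoClassDefFoundError
    // thrown from a static initializer, which is what makes SSLUtils.<clinit> fail.
    private static Provider instantiate(String className) {
        try {
            Class<?> c = Class.forName(className);
            return (Provider) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Using provider: " + selectProvider());
    }
}
```

With the java.security from the issue, this returns "BCFIPS" without touching bcprov; any PEM or keystore handling downstream still has to use only algorithms the FIPS provider approves.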

My company also requires BouncyCastle FIPS (as do most companies now). Java Client 14.0.0 is incompatible with it. Please upgrade to BouncyCastle FIPS 1.0.2; it's not a major change. It's a drop-in replacement.

SledgeHammer01 avatar Feb 15 '22 17:02 SledgeHammer01

@brendandburns Any update on this issue? The "standard" BouncyCastle (bcprov) is considered insecure and not allowed at most companies. You should be using bc-fips and bcpkix-fips. They are mostly drop-in replacements. A few minor namespace differences and a few classes were renamed to xxxFips, etc.

This issue makes the library unusable in most modern Java apps.

SledgeHammer01 avatar Feb 15 '22 18:02 SledgeHammer01

I also need this update as part of FIPS migration. Can I do it myself? The new version will also fix https://github.com/kubernetes-client/java/issues/2168

benor1470 avatar Mar 22 '22 13:03 benor1470

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jun 20 '22 13:06 k8s-triage-robot

> I also need this update as part of FIPS migration. Can I do it myself? The new version will also fix #2168

yup. go for it.

SledgeHammer01 avatar Jun 20 '22 13:06 SledgeHammer01

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Jul 20 '22 13:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Aug 19 '22 14:08 k8s-triage-robot

@k8s-triage-robot: Closing this issue.

In response to this:

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues and PRs according to the following rules:
>
>   • After 90d of inactivity, lifecycle/stale is applied
>   • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
>   • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
>
> You can:
>
>   • Reopen this issue or PR with /reopen
>   • Mark this issue or PR as fresh with /remove-lifecycle rotten
>   • Offer to help out with Issue Triage
>
> Please send feedback to sig-contributor-experience at kubernetes/community.
>
> /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 19 '22 14:08 k8s-ci-robot

Does anyone know if this was resolved via another ticket, or is the library still not compatible with Bouncy Castle in FIPS mode?

psjamesh avatar May 03 '24 08:05 psjamesh