Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.5.5
-
None
-
None
Description
The change fixes the following KSM issue on RHEL systems with FIPS enabled:
Exception in thread "main" java.security.ProviderException: Could not derive key at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:145) at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:586) at com.keepersecurity.secretsManager.core.CryptoUtils.getEciesSymmetricKey(CryptoUtils.kt:149) at com.keepersecurity.secretsManager.core.CryptoUtils.publicEncrypt(CryptoUtils.kt:160) at com.keepersecurity.secretsManager.core.SecretsManager.generateTransmissionKey(SecretsManager.kt:1105) at com.keepersecurity.secretsManager.core.SecretsManager.fetchAndDecryptSecrets(SecretsManager.kt:1517) at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt:395) at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets$default(SecretsManager.kt:393) at com.keepersecurity.secretsManager.core.SecretsManager.getSecrets(SecretsManager.kt) at com.keepersecurity.secretsManager.fipsTest.Main.main(Main.java:17) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method) at sun.security.pkcs11.P11ECDHKeyAgreement.engineGenerateSecret(P11ECDHKeyAgreement.java:140) ... 9 more
KSM expects us to use a correct security provider for proper functioning of Java/Kotlin SDK
Keeper will use the default cryptographic module of the Java runtime unless a specific provider is added. In the examples here in this documentation, we are using the BouncyCastle FIPS provider.
The Security.addProvider method checks internally for duplication so it is safe to add the same provider multiple times.
-1 if the provider was not added because it is already installed.
The provider is added to the end of the provider list so I believe it is safe to add the BouncyCastle FIPS provider by default. In this case, when some code requests a cryptographic method/protocol, the BouncyCastle FIPS provider will be used either in case of an exact match or as a fallback option.