FIPS mode in Java 11

Asked by: Md Rehman | Asked: 11/6/2023 | Updated: 11/6/2023 | Views: 43

Q:

Trying to list the bcfips provider, getting:

    java.util.ServiceConfigurationError: java.security.Provider: Provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider could not be instantiated
        at java.base/java.util.ServiceLoader.fail(Unknown Source)
        at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(Unknown Source)
        at java.base/java.util.ServiceLoader$ProviderImpl.get(Unknown Source)
        at java.base/java.util.ServiceLoader$3.next(Unknown Source)
        at java.base/sun.security.jca.ProviderConfig$ProviderLoader.load(Unknown Source)
        at java.base/sun.security.jca.ProviderConfig$3.run(Unknown Source)
        at java.base/sun.security.jca.ProviderConfig$3.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
        at java.base/sun.security.jca.ProviderConfig.getProvider(Unknown Source)
        at java.base/sun.security.jca.ProviderList.loadAll(Unknown Source)
        at java.base/sun.security.jca.ProviderList.removeInvalid(Unknown Source)
        at java.base/sun.security.jca.Providers.getFullProviderList(Unknown Source)
        at java.base/java.security.Security.getProviders(Unknown Source)
        at ListSecurityProviders.main(ListSecurityProviders.java:6)
    Caused by: org.bouncycastle.crypto.fips.FipsOperationError: Module checksum failed: unable to calculate
        at org.bouncycastle.fips.core/org.bouncycastle.crypto.fips.FipsStatus.checksumValidate(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.crypto.CryptoServicesRegistrar.getDefaultMode(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.crypto.CryptoServicesRegistrar.<clinit>(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.ProvSecureHash$MD5.configure(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at org.bouncycastle.fips.core/org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
        ... 14 more
    scl:  getPermissions ProtectionDomain  (jrt:/java.security.jgss <no signer certificates>)
    jdk.internal.loader.ClassLoaders$PlatformClassLoader@7f13d6e
    <no principals>
    java.security.Permissions@51cdd8a (
    ("java.lang.RuntimePermission" "accessSystemModules"))

Followed the steps given in the answer to the same question asked earlier.

Created the JRE using the following command:

    ./jlink --no-header-files --no-man-pages --compress=2 --strip-debug --module-path /root/bcjars/ --add-modules java.se,jdk.unsupported,org.bouncycastle.fips.core --output /tmp/bcjdk/ --ignore-signing-information

The JRE was created with the following warning:

    WARNING: signed modular JAR /root/bcjars/bc-fips-1.0.2.4.jar is currently not supported

After creating the JRE, I can see the module in the output of the --list-modules command.

    xx-xxx-xxxx:/tmp/bcjdk/bin # ./java --list-modules
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    org.bouncycastle.fips.core

The program I ran to list the providers:

    import java.security.Provider;
    import java.security.Security;

    public class ListSecurityProviders {
        public static void main(String[] args) {
            Provider[] providers = Security.getProviders();
            // getProviders() instantiates every provider configured in java.security; a provider
            // whose constructor throws surfaces here as the ServiceConfigurationError in the trace above.

            for (Provider provider : providers) {
                System.out.println("Provider: " + provider.getName());
                // Each Provider.Service is one (type, algorithm) pair the provider registers.
                for (Provider.Service service : provider.getServices()) {
                    System.out.println("  Algorithm: " + service.getAlgorithm());
                }
            }
        }
    }

From the error it looks like it fails because there is no signing information, but jlink cannot create a JRE with the signing information kept.

Tags: java bouncycastle java-11 fips
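The trace in the question is the BC FIPS module refusing to come up because its own integrity check (`FipsStatus.isReady` -> `checksumValidate`) could not run, and `ServiceLoader` wrapping that refusal into the `ServiceConfigurationError` that `Security.getProviders()` throws. The diagnostic below is an added example, not code from the question, from Bouncy Castle or from the JDK. It reports where the provider class was loaded from, runs the module's readiness gate explicitly and catches the `FipsOperationError` instead of letting it escape, unwraps the cause chain of the `ServiceConfigurationError`, and fails closed if the `BCFIPS` provider is not installed, so an application does not silently continue on the remaining non-FIPS providers. It uses `org.bouncycastle.crypto.fips.FipsStatus.isReady()` / `getStatusMessage()` and the `FipsOperationError` class named in the trace; the `jrt:` code-source check is an assumption added here that a module folded into a jlink image no longer has the signed jar available for checksumming, which is consistent with the question's symptoms but not something the page itself states.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.ServiceConfigurationError;

import org.bouncycastle.crypto.fips.FipsOperationError;
import org.bouncycastle.crypto.fips.FipsStatus;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Fail-closed startup check for a BC FIPS deployment (added example, not project code).
 * It answers three questions a plain provider listing cannot:
 *   1. where the provider class was loaded from (a jar on the module path or a jrt: image),
 *   2. whether the module's integrity check and power-up self-tests passed,
 *   3. whether "BCFIPS" is actually installed, or the JVM quietly fell back to other providers.
 */
public class FipsStartupCheck {

    /** Code-source location of the provider class; referencing the class literal does not initialise it. */
    static String providerLocation() {
        CodeSource cs = BouncyCastleFipsProvider.class.getProtectionDomain().getCodeSource();
        URL loc = (cs == null) ? null : cs.getLocation();
        return (loc == null) ? "(unknown)" : loc.toString();
    }

    /** Runs the module's readiness gate and reports the outcome instead of letting the error escape. */
    static String fipsStatus() {
        try {
            // The first call triggers the checksum validation and self-tests seen in the trace;
            // a failure is thrown as FipsOperationError rather than returned.
            boolean ready = FipsStatus.isReady();
            return (ready ? "READY: " : "NOT READY: ") + FipsStatus.getStatusMessage();
        } catch (FipsOperationError e) {
            return "ERROR: " + e.getMessage();
        }
    }

    /** Walks the cause chain for the FIPS error that ServiceLoader wrapped, falling back to the original. */
    static Throwable rootFipsCause(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof FipsOperationError) {
                return c;
            }
        }
        return t;
    }

    public static void main(String[] args) {
        String location = providerLocation();
        System.out.println("BC FIPS provider class loaded from: " + location);
        if (location.startsWith("jrt:")) {
            // Assumption: once jlink has folded the module into the runtime image, the signed jar
            // the module checksums itself against is no longer present on disk.
            System.out.println("  -> module lives inside a jlink image; the original signed jar is not available");
        }

        System.out.println("FIPS module status: " + fipsStatus());

        Provider[] providers;
        try {
            providers = Security.getProviders();
        } catch (ServiceConfigurationError e) {
            // The failure mode from the question: ServiceLoader wraps the constructor failure,
            // and the useful message is on the FipsOperationError underneath.
            System.err.println("Provider enumeration failed: " + rootFipsCause(e));
            System.exit(2);
            return;
        }

        for (Provider p : providers) {
            System.out.println("Provider: " + p.getName() + " " + p.getVersionStr());
        }

        // Fail closed: with the FIPS provider absent, refuse to start rather than run on
        // whatever non-approved providers remain in the list.
        if (Security.getProvider("BCFIPS") == null) {
            System.err.println("BCFIPS provider not installed; refusing to start");
            System.exit(3);
        }
        System.out.println("BCFIPS provider present and ready");
    }
}
```

Run it with the bc-fips jar on the module path of a full JDK first (`java -p /root/bcjars --add-modules org.bouncycastle.fips.core FipsStartupCheck`) to confirm `READY`, then against the jlinked image; the difference between the two `loaded from:` lines and status lines isolates whether the image, not the provider configuration, is what breaks the integrity check.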

Comments

0 votes | Abra | 11/6/2023
Maybe this will help? Signed modular JAR with crypto provider can't be linked into runtime image
0 votes | Community | 11/6/2023
Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking.
0 votes | Md Rehman | 11/7/2023
I got a response from the Bouncy Castle people; this seems to be expected.

A: No answers yet