
java.base/java.util.UUID.nameUUIDFromBytes() requires MD5 which is not available in FIPS mode #20084

Closed
KostasTsiounis opened this issue Aug 29, 2024 · 10 comments

Comments

@KostasTsiounis
Contributor

KostasTsiounis commented Aug 29, 2024

The UUID.nameUUIDFromBytes() method requires the use of MD5. But MD5 is not FIPS-compliant. So, if the RestrictedSecurity profile used doesn't include MD5 or if RestrictedSecurity isn't used, but the underlying OpenSSL is in FIPS mode, an error occurs and the method cannot be used.

@KostasTsiounis changed the title from "java.base/java.util.UUID.nameUUIDFromBytes()requires MD5 which is not available in FIPS mode" to "java.base/java.util.UUID.nameUUIDFromBytes() requires MD5 which is not available in FIPS mode" on Aug 29, 2024
@deepika-pm

Hi @KostasTsiounis,
We have updated our JVM argument with "jdk.nativeDigest=false" and we are still getting the MD5 not supported error.

@jensengelke

I ran into the same issue with a Semeru 17.0.12.0 docker image (on top of UBI 9). openssl failed (or rejected) to provide an implementation for MD5 in a FIPS enabled OCP cluster.
Adding -Djdk.nativeDigest=false to my Java invocation helped.
We have many images that add their Java app on top of a common base image layer that brings the latest Semeru version to app development teams.
Is there any way to force the JVM option on the base image, e.g. by adding it to java.security or a comparable file? Or maybe env variables?

@KostasTsiounis
Contributor Author

> I ran into the same issue with a Semeru 17.0.12.0 docker image (on top of UBI 9). openssl failed (or rejected) to provide an implementation for MD5 in a FIPS enabled OCP cluster. Adding -Djdk.nativeDigest=false to my Java invocation helped. We have many images that add their Java app on top of a common base image layer that brings the latest Semeru version to app development teams. Is there any way to force the JVM option on the base image, e.g. by adding it to java.security or a comparable file? Or maybe env variables?

You could try export JAVA_TOOL_OPTIONS='-Djdk.nativeDigest=false' or export JAVA_OPTS='-Djdk.nativeDigest=false' which appends those options whenever you run Java. Keep in mind though that this will affect all of your java processes.
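
A startup probe for the failure discussed in this thread, added here as an example (not part of any comment and not project code): it calls UUID.nameUUIDFromBytes(), rebuilds the same type-3 UUID directly from an MD5 digest, and reports the failure instead of letting the application hit it later. The class name Md5UuidProbe, the sample input, and the set of exception types caught are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.util.UUID;

// Added example (hypothetical class): probe for the MD5 dependency of UUID.nameUUIDFromBytes().
public class Md5UuidProbe {

    /** Rebuilds the type-3 UUID by hand so the MD5 dependency is explicit. */
    static UUID type3FromDigest(byte[] name) throws NoSuchAlgorithmException {
        byte[] h = MessageDigest.getInstance("MD5").digest(name);
        h[6] = (byte) ((h[6] & 0x0f) | 0x30); // version 3: name-based, MD5
        h[8] = (byte) ((h[8] & 0x3f) | 0x80); // IETF variant bits
        ByteBuffer b = ByteBuffer.wrap(h);
        return new UUID(b.getLong(), b.getLong());
    }

    /** Returns null when the call works, otherwise a one-line description of the failure. */
    static String probe() {
        byte[] name = "probe-name".getBytes(StandardCharsets.UTF_8); // constructed input
        try {
            UUID fromJdk = UUID.nameUUIDFromBytes(name);
            UUID byHand = type3FromDigest(name);
            return fromJdk.equals(byHand) ? null
                    : "MD5 result mismatch: " + fromJdk + " vs " + byHand;
        } catch (NoSuchAlgorithmException | ProviderException | InternalError e) {
            // Assumption: an unavailable MD5 surfaces as one of these types.
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Show which of the settings mentioned in the thread reached this JVM.
        System.out.println("jdk.nativeDigest  = " + System.getProperty("jdk.nativeDigest"));
        System.out.println("JAVA_TOOL_OPTIONS = " + System.getenv("JAVA_TOOL_OPTIONS"));
        String failure = probe();
        if (failure != null) {
            System.err.println("UUID.nameUUIDFromBytes() unusable: " + failure);
            System.exit(1);
        }
        System.out.println("UUID.nameUUIDFromBytes() works");
    }
}
```

Running it in the base image with and without the option set shows whether the setting actually reaches the JVM; the non-zero exit code lets an image build or readiness check fail early.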

@deepika-pm

@KostasTsiounis @kgibm @JamesKingdon
As we already discussed in the Slack thread, we are blocked from upgrading our product's OL/Semeru version to the latest for the last 2 releases. Just wanted to check with you on when we can expect this MD5 in FIPS mode issue to be resolved? I could see the latest OpenLiberty version got released yesterday. Will this JVM argument jdk.nativeDigest=false be a feature for the coming releases... Will you be able to provide an update on your resolution plan?

@KostasTsiounis
Contributor Author

> @KostasTsiounis @kgibm @JamesKingdon As we already discussed in the Slack thread, we are blocked from upgrading our product's OL/Semeru version to the latest for the last 2 releases. Just wanted to check with you on when we can expect this MD5 in FIPS mode issue to be resolved? I could see the latest OpenLiberty version got released yesterday. Will this JVM argument jdk.nativeDigest=false be a feature for the coming releases... Will you be able to provide an update on your resolution plan?

The jdk.nativeDigest=false JVM option is available now. MD5 cannot be allowed through OpenSSL FIPS, but we are working on a two-fold fix. For one, we will add another JVM option, namely jdk.nativeMD5=false that will allow you to disable native support for MD5 alone without compromising performance of other digests like SHA-256. Then on top of that, we'll implement some logic to avoid using OpenSSL for some algorithms when it is detected to be in FIPS mode, and effectively just use the Java implementation.

Unfortunately, this fix will probably not be in for the release that's coming up in the next few weeks, but rather the one after that, which means sometime in January.

@KostasTsiounis
Contributor Author

To help resolve this issue, a few changes have been implemented.

First of all, more granular JVM options have been added for the different digests. More specifically, there is a jdk.nativeMD5=false JVM option that is now available, allowing you to disable just MD5 instead of all digests.

Moreover, additional functionality was added to check if the underlying OpenSSL is in FIPS mode. In that case, the Java implementation is used for MD5, instead of the native one.

Those changes should be available in the upcoming Semeru release.

I think this issue can be closed after those changes. @jasonkatonica What do you think?

@pshipton
Member

pshipton commented Nov 12, 2024

Pls link the list of changes, I don't see them mentioned in this issue.
The changes in jdk(next) are fine.

@KostasTsiounis
Contributor Author

KostasTsiounis commented Nov 12, 2024

Sure. Here are the PRs for those changes:

@jasonkatonica
Contributor

Given the changes outlined by @KostasTsiounis above this issue can be closed. MD5 from the Sun providers should no longer drive into openssl when openssl is in fips mode.


github-actions bot commented Dec 3, 2024

Issue Number: 20084
Status: Closed
Actual Components: userRaised, comp:crypto
Actual Assignees: No one :(
PR Assignees: No one :(
