Posted to dev@mina.apache.org by "James Nord (Jira)" <ji...@apache.org> on 2021/06/24 11:07:00 UTC

[jira] [Updated] (SSHD-1184) SSHD crashes if it cannot register EdDSA

     [ https://issues.apache.org/jira/browse/SSHD-1184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Nord updated SSHD-1184:
-----------------------------
    Description: 
[SecurityUtils.isEDDSACurveSupported()|https://github.com/apache/mina-sshd/blob/0eb40a4e162dddb0a38bafa12713856ad7ce1ce0/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java] attempts to dynamically register the EdDSA provider.

Whilst this is generally OK, in a FIPS-compliant environment registering Providers may be restricted by a SecurityManager to prevent the registration of non-compliant providers.

If the provider cannot be registered due to a {{SecurityException}}, then the code should just treat this as {{false}}.
{noformat}
java.lang.RuntimeException: Failed to register EdDSA as a JCE provider
        at org.apache.sshd.common.util.security.SecurityUtils.registerSecurityProvider(SecurityUtils.java:458)
        at org.apache.sshd.common.util.security.SecurityUtils.register(SecurityUtils.java:412)
        at org.apache.sshd.common.util.security.SecurityUtils.isEDDSACurveSupported(SecurityUtils.java:529)
        at org.apache.sshd.common.signature.BuiltinSignatures$6.isSupported(BuiltinSignatures.java:103)
        at org.apache.sshd.common.NamedFactory.lambda$setUpBuiltinFactories$1(NamedFactory.java:63)
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
        at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
        at org.apache.sshd.common.NamedFactory.setUpBuiltinFactories(NamedFactory.java:64)
        at org.apache.sshd.common.BaseBuilder.setUpDefaultSignatures(BaseBuilder.java:339)
        at org.apache.sshd.common.BaseBuilder.fillWithDefaultValues(BaseBuilder.java:159)
        at org.apache.sshd.server.ServerBuilder.fillWithDefaultValues(ServerBuilder.java:102)
        at org.apache.sshd.server.ServerBuilder.fillWithDefaultValues(ServerBuilder.java:53)
        at org.apache.sshd.common.BaseBuilder.build(BaseBuilder.java:265)
        at org.apache.sshd.server.ServerBuilder.build(ServerBuilder.java:137)
        at org.apache.sshd.server.ServerBuilder.build(ServerBuilder.java:53)
        at org.apache.sshd.common.BaseBuilder.build(BaseBuilder.java:288)
        at org.apache.sshd.server.SshServer.setUpDefaultServer(SshServer.java:412)
...
Caused by: java.lang.SecurityException: Registration of new security Providers is not supported when running in FIPS compliance mode
...{noformat}

  was:
[SecurityUtils.isEDDSACurveSupported()|https://github.com/apache/mina-sshd/blob/0eb40a4e162dddb0a38bafa12713856ad7ce1ce0/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java] attempts to dynamically register the EdDSA provider.

Whilst this is generally OK, in a FIPS-compliant environment registering Providers may be restricted by a SecurityManager to prevent code registering a non-compliant provider.

If the provider cannot be registered due to a {{SecurityException}}, then the code should just treat this as {{false}}.


> SSHD crashes if it cannot register EdDSA
> ----------------------------------------
>
>                 Key: SSHD-1184
>                 URL: https://issues.apache.org/jira/browse/SSHD-1184
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.5.1
>            Reporter: James Nord
>            Priority: Major



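The behaviour the report asks for, sketched as an added example (not MINA SSHD code and not part of the original message): a support probe that turns a refused provider registration into "unsupported" so the default algorithm list is built without the optional entry. `Registrar`, `DemoProvider`, `isSupported` and `enabled` are hypothetical names, and the restricted JVM is simulated by a registrar that throws `SecurityException`.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BooleanSupplier;

public final class OptionalProviderProbe {
    /** Hypothetical hook so a restricted JVM can be simulated without a SecurityManager. */
    interface Registrar { int add(Provider p); }

    /** Constructed stand-in for an optional provider such as EdDSA. */
    @SuppressWarnings("deprecation") // (String, double, String) constructor also compiles on Java 8
    static final class DemoProvider extends Provider {
        DemoProvider() { super("DemoEdDSA", 1.0, "constructed demo provider"); }
    }

    /** A refused registration means "not supported", never a startup failure. */
    static boolean isSupported(Provider provider, Registrar registrar) {
        if (Security.getProvider(provider.getName()) != null) {
            return true; // already installed by the platform or the operator
        }
        try {
            registrar.add(provider);
            return Security.getProvider(provider.getName()) != null;
        } catch (SecurityException e) {
            return false; // policy forbids new providers: report unsupported
        }
    }

    /** Keeps only the algorithms whose probe succeeds, as a default-factory filter would. */
    static List<String> enabled(Map<String, BooleanSupplier> candidates) {
        List<String> names = new ArrayList<>();
        candidates.forEach((name, probe) -> { if (probe.getAsBoolean()) names.add(name); });
        return names;
    }

    public static void main(String[] args) {
        Provider demo = new DemoProvider();
        Registrar fipsLike = p -> { throw new SecurityException("Registration of new security Providers is not supported"); };
        for (Registrar r : new Registrar[] {fipsLike, Security::addProvider}) {
            Map<String, BooleanSupplier> candidates = new LinkedHashMap<>();
            candidates.put("ssh-ed25519", () -> isSupported(demo, r));
            candidates.put("rsa-sha2-256", () -> true); // served by the JVM's built-in providers
            System.out.println(enabled(candidates));
            Security.removeProvider(demo.getName());
        }
    }
}
```

Catching only `SecurityException` keeps other registration failures visible instead of silently disabling the algorithm.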