Add support for FIPS Bouncy Castle library #3590
Comments
robhafner added a commit to robhafner/java that referenced this issue on Jul 25, 2024:
Prefer FIPS version of bouncy castle if available. Otherwise, fallback to non FIPS version.
This looks like a server side error? This SDK is only client side. Can you explain why the FIPS provider is required? I'm not opposed in principle to supporting both providers, but I need further explanation about why it is causing this specific problem.
k8s-ci-robot added a commit that referenced this issue on Aug 2, 2024:
feat: add support for FIPS bouncy castle #3590
Closing this via #3595
Describe the bug
We are attempting to use version 19.0.1 of the Kubernetes Java Client from a Spring Boot 2.7 application to invoke the Kubernetes API server to validate a service account token. Our Spring Boot application is configured with the FIPS enabled version 1.0.2.4 of the Bouncy Castle library (and does not include the non FIPS version of the Bouncy Castle library). The call to the API with a valid token results in the following status.
```
class V1TokenReviewStatus {
    audiences: null
    authenticated: null
    error: [invalid bearer token, service account token has been invalidated]
    user: class V1UserInfo {
        extra: null
        groups: null
        uid: null
        username: null
    }
}
```
Stepping through the debugger, the token appears to be considered invalid as a result of the non-FIPS Bouncy Castle class not being available; that class is referenced in src/main/java/io/kubernetes/client/SSLUtils.java:

```java
static { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); }
```
Updating the SSLUtils.java with the following changes allows the token to be verified successfully.
```java
// Imports needed at the top of SSLUtils.java
import java.security.Provider;
import java.security.Security;

// Static initializer: pick whichever Bouncy Castle provider is on the classpath.
static {
    Provider provider;
    try {
        Class<?> clazz = getProvider();
        provider = (Provider) clazz.getDeclaredConstructor().newInstance();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    // Register the chosen provider, as the original static block did for the non-FIPS class.
    Security.addProvider(provider);
}

// Prefer the FIPS provider class; fall back to the regular one if the FIPS jar is absent.
public static Class<?> getProvider() throws ClassNotFoundException {
    Class<?> clazz;
    try {
        clazz = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
    } catch (ClassNotFoundException cnf) {
        clazz = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
    }
    return clazz;
}
```
I'd be happy to put a PR together with this change to resolve this issue. However, I ran across another issue which seemed very similar which was closed without a fix.
#2086
Can you confirm if the Kubernetes Java Client project is willing to support the FIPS version of Bouncy Castle? If not, we will likely be forced to fork the library to meet our needs.
Client Version
1.29.2
Kubernetes Version
1.28.2
Java Version
Java 17
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The call to verify a token works successfully when only the FIPS version of bouncy castle is on the classpath.
KubeConfig
If applicable, add a KubeConfig file with secrets redacted.
Server (please complete the following information):
Linux
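The classpath-driven provider selection described in this issue, as a stand-alone check added here (example code, not part of the Kubernetes Java Client or of Bouncy Castle; the class name `BcProviderCheck` and the method names are assumptions). It registers whichever Bouncy Castle provider is present, then verifies that JCA lookups for RSA keys are really routed through that provider, which is the property a FIPS deployment needs to confirm rather than assume.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;

/** Hypothetical stand-alone check; not part of the Kubernetes Java Client. */
public final class BcProviderCheck {
    // Candidate provider classes in order of preference: FIPS jar first, regular jar second.
    private static final String[] CANDIDATES = {
        "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
        "org.bouncycastle.jce.provider.BouncyCastleProvider"
    };

    /** Loads the first Bouncy Castle provider present on the classpath and registers it once. */
    public static Provider registerBouncyCastle() {
        for (String className : CANDIDATES) {
            try {
                // Class.forName fails cleanly with ClassNotFoundException when the jar is absent,
                // unlike a direct `new BouncyCastleProvider()` in a static block, which throws
                // NoClassDefFoundError and leaves the enclosing class uninitialisable.
                Class<?> clazz = Class.forName(className);
                Provider provider = (Provider) clazz.getDeclaredConstructor().newInstance();
                if (Security.getProvider(provider.getName()) == null) {
                    Security.addProvider(provider); // name is "BCFIPS" or "BC"
                }
                return Security.getProvider(provider.getName());
            } catch (ClassNotFoundException absent) {
                // Not on the classpath: try the next candidate.
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot instantiate " + className, e);
            }
        }
        throw new IllegalStateException("Neither bc-fips nor bcprov is on the classpath");
    }

    /** Confirms that RSA key parsing is really served by the provider that was registered. */
    public static boolean servesRsaKeys(Provider provider) {
        try {
            KeyFactory kf = KeyFactory.getInstance("RSA", provider.getName());
            return kf.getProvider().getName().equals(provider.getName());
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Provider p = registerBouncyCastle();
        System.out.println("Registered " + p.getName() + " " + p.getVersionStr() + ", RSA served: " + servesRsaKeys(p));
    }
}
```

Run it once with only bc-fips on the classpath and once with only bcprov: the printed provider name should switch between BCFIPS and BC while the RSA check stays true in both cases.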