Quarkus native build does not work with Bouncy Castle BC-FIPS 1.0.2.4 #33038
Comments
Current version used in Quarkus is 1.0.2.3 so it is not a bug. I also think it may be invalid - since Quarkus does some build time processing for native only if it sees
Will keep the issue open as a reminder that we have to update to 1.0.2.4
Hi @sberyozkin sorry I forgot to mention that I did have this configured in the properties file:
The reason we need to use (or prepare to use) 1.0.2.4 is that bc-fips 1.x is only certified with Java 8 and 11. We recently upgraded to Java 17. While bc-fips 2.0 is still being certified, earlier this year, Bouncy Castle patched a memory corruption bug that corrupted the encryption key and it impacts only Java 13 or higher. As a result, before bc-fips 2.0 is officially certified and available, we are left with the only option with 1.0.2.4. We have also asked Bouncy Castle - here is the reply:
@sberyozkin I will see if I can handle this one.
Thanks @gsmet
@jingwang Hi, that code replaces some test key generation methods as far as I recall, otherwise it won't work in native mode. So that code will have to be tuned to work with 1.0.2.4, but not sure how to handle it without it being in Maven Central...
Hey @gsmet thanks for having a look, we looked at it with Galder as far as I recall
The fact that it's not available on Maven Central is definitely not ideal. Why is that? One option would be to have conditional substitutions but we wouldn't be able to test them, which is not very appealing...
1.0.2.4 is not in Maven Central because it hasn't been certified. Please see the explanation here: https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT
Thanks @sberyozkin and @gsmet
You can find the actual class and method signatures in those substitutions. If you can help to identify the actual method signature change in 1.2.0.4 which causes the above failure then it would be great; hopefully we can indeed do a finer grained conditional substitution
Thanks @sberyozkin. I will take a look.
Closing as a duplicate of #36735
Describe the bug
When trying to build native image with BouncyCastle BC-FIPS 1.0.2.4 (https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT)
the build failed with
Error: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom
com.oracle.svm.core.util.UserError$UserException: could not find target field: private java.security.SecureRandom io.quarkus.security.runtime.graal.Target_org_bouncycastle_jcajce_provider_BouncyCastleFipsProvider.providerDefaultRandom
Expected behavior
Build should pass with the following config/cmd
pom.xml
build cmd:
Actual behavior
Build failed with the following error:
How to Reproduce?
No response
Output of uname -a or ver
Darwin 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64 x86_64
Output of java -version
openjdk version "17.0.6" 2023-01-17
OpenJDK Runtime Environment GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13)
OpenJDK 64-Bit Server VM GraalVM CE 22.3.1 (build 17.0.6+10-jvmci-22.3-b13, mixed mode, sharing)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
3.0.1.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Additional information
BC-FIPS 1.0.2.4 is a patched version of 1.0.2.3 that addresses a CVE targeting Java 13+.
Note that BC-FIPS 1.0.2.3 works fine with native build.
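Added example (not part of the issue thread and not Quarkus code): a small Java probe for the question raised in the comments, namely whether the BC-FIPS jar on the classpath still declares the `providerDefaultRandom` field that the substitution targets. The class name `BcFipsFieldProbe` is hypothetical; the provider class and field names are taken from the error message, and using the probe as a GraalVM `onlyWith` condition is an assumption about how a conditional substitution could be wired.

```java
import java.lang.reflect.Field;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BooleanSupplier;

/**
 * Added example (hypothetical class name): reports whether the BC-FIPS provider
 * on the classpath still declares the field named in the native-image error.
 */
public class BcFipsFieldProbe implements BooleanSupplier {
    // Both names are taken from the error message in the issue.
    static final String PROVIDER = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    static final String FIELD = "providerDefaultRandom";

    /** Names of all SecureRandom-typed fields declared by the class, or null if it cannot be loaded. */
    static List<String> secureRandomFields(String className) {
        try {
            // initialize=false: inspect the class without running its static initializers
            Class<?> c = Class.forName(className, false, BcFipsFieldProbe.class.getClassLoader());
            List<String> names = new ArrayList<>();
            for (Field f : c.getDeclaredFields()) {
                if (f.getType() == SecureRandom.class) {
                    names.add(f.getName());
                }
            }
            return names;
        } catch (ClassNotFoundException | LinkageError e) {
            return null; // BC-FIPS not on the classpath, or not loadable
        }
    }

    /** True only when the substitution's target field exists in the loaded BC-FIPS version. */
    @Override
    public boolean getAsBoolean() {
        List<String> names = secureRandomFields(PROVIDER);
        return names != null && names.contains(FIELD);
    }

    public static void main(String[] args) {
        List<String> names = secureRandomFields(PROVIDER);
        if (names == null) {
            System.out.println("BC-FIPS provider class not found on classpath");
            return;
        }
        System.out.println("SecureRandom fields declared: " + names);
        System.out.println(FIELD + " present: " + new BcFipsFieldProbe().getAsBoolean());
    }
}
```

Running it once with the 1.0.2.3 jar and once with the 1.0.2.4 jar on the classpath shows which `SecureRandom` fields each version declares, which is the difference a finer-grained substitution would need to account for.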