WICKET-7174: Allow secure random with FIPS systems where SHA1PRNG not available #1357
Closed
tim-burke-systemware wants to merge 1 commit into apache:wicket-9.x from tim-burke-systemware:wicket-9.x
I am not sure that this is a good solution. This is the default random supplier impl that works "most of the time".
If one needs to use a custom RandomSupplier then (s)he needs to do
getApplication().getSecuritySettings().setRandomSupplier(...)

wicket/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java
Line 204 in a12f1ca
In the case of a FIPS system:
getApplication().getSecuritySettings() will throw an exception when it tries to create the SecuritySettings object because the SecuritySettings object initializes its randomSupplier member with a new DefaultSecureRandomSupplier instance. Based on the original code this will throw an exception that stops Wicket from initializing.
Could you please give more information on why it will throw?
Even better - paste the exception stacktrace.
FIPS is about the JDK security APIs, not about Wicket security related APIs (or any other library), no?
Just to make my initial suggestion more clear:
You need to call
getSecuritySettings().setRandomSupplier(new MyCustomSupplier())
in YourApplication#init() method.
We've attempted setting the random supplier in our application init, but the exception occurs before this. Exception:

SEVERE: Exception starting filter [SwAppApplication]
javax.servlet.ServletException: org.apache.wicket.WicketRuntimeException: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:467)
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:365)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:239)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:97)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3908)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4527)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:76)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:721)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:76)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:211)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:412)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:874)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:439)
    at com.systemware.ccisvc.embedded.EmbeddedTomcat.startTomcat(Unknown Source)
    at com.systemware.client.base.BaseAppInitControl.initTomcat(Unknown Source)
    at com.systemware.client.base.BaseAppInitControlForCM.init(Unknown Source)
    at com.systemware.client.base.BaseApp.main(Unknown Source)
Caused by: org.apache.wicket.WicketRuntimeException: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at org.apache.wicket.core.random.DefaultSecureRandomSupplier.<init>(DefaultSecureRandomSupplier.java:45)
    at org.apache.wicket.settings.SecuritySettings.<init>(SecuritySettings.java:69)
    at org.apache.wicket.Application.getSecuritySettings(Application.java:1271)
    at com.systemware.swapp.SwAppApplication.init(Unknown Source)
    at org.apache.wicket.Application.initApplication(Application.java:768)
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:441)
    ... 32 more
Caused by: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:389)
    at org.apache.wicket.core.random.DefaultSecureRandomSupplier.<init>(DefaultSecureRandomSupplier.java:41)
I see! We get the SecureRandom in the constructor ...
We should rework this to be lazy.
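
The lazy initialization suggested in the last comment, sketched as an added example (not code from this pull request or from Wicket). The class name `LazySecureRandomSupplier` is hypothetical, and falling back to the platform default `new SecureRandom()` when the preferred algorithm is missing is an assumption about the desired behaviour; the unavailable algorithm name in `main` is constructed to stand in for a JDK without SHA1PRNG.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.function.Supplier;

// Added illustration; hypothetical class, not part of Wicket.
public class LazySecureRandomSupplier implements Supplier<SecureRandom> {
    private final String preferredAlgorithm;
    private volatile SecureRandom random; // created on first get(), not in the constructor

    public LazySecureRandomSupplier(String preferredAlgorithm) {
        // No JCA lookup here, so constructing the supplier can never throw
        // NoSuchAlgorithmException and a settings object holding it always initializes.
        this.preferredAlgorithm = preferredAlgorithm;
    }

    @Override
    public SecureRandom get() {
        SecureRandom r = random;
        if (r == null) {
            synchronized (this) { // double-checked locking on the volatile field
                r = random;
                if (r == null) {
                    random = r = create();
                }
            }
        }
        return r;
    }

    private SecureRandom create() {
        try {
            return SecureRandom.getInstance(preferredAlgorithm);
        } catch (NoSuchAlgorithmException e) {
            // Assumption: the platform default is acceptable. new SecureRandom() takes the
            // implementation from the highest-priority installed provider that offers one.
            return new SecureRandom();
        }
    }

    public static void main(String[] args) {
        // "NO-SUCH-PRNG" is a constructed name simulating a JDK where the algorithm is missing.
        for (String alg : new String[] {"SHA1PRNG", "NO-SUCH-PRNG"}) {
            Supplier<SecureRandom> supplier = new LazySecureRandomSupplier(alg); // never throws
            byte[] token = new byte[16];
            supplier.get().nextBytes(token); // lookup and possible fallback happen here
            System.out.println(alg + " -> " + supplier.get().getAlgorithm());
        }
    }
}
```

Because the lookup is deferred to the first `get()`, an application that replaces the supplier during its own initialization never triggers the lookup for the default one.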