@tim-burke-systemware

We've run into an issue where our software is running on FIPS-3 systems and will not start because Wicket is requesting SHA1PRNG. I've replaced the exception with setting a new SecureRandom() to allow Java to choose the implementation.

catch (NoSuchAlgorithmException e)
{
throw new WicketRuntimeException(e);
random = new SecureRandom();
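
Review bot: in the `catch (NoSuchAlgorithmException e)` block the exception is now dropped without a trace, so nothing records that the requested algorithm was unavailable or which implementation `new SecureRandom()` ended up selecting. Log the exception at warning level before the assignment and include `random.getAlgorithm()` in the message, and mention the fallback in the class Javadoc so deployments that relied on the previous fail-fast behaviour can see that it changed.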

I am not sure that this is a good solution. This is the default random supplier impl that works "most of the time".

If one needs to use a custom RandomSupplier then (s)he needs to do getApplication().getSecuritySettings().setRandomSupplier(...)

public SecuritySettings setRandomSupplier(ISecureRandomSupplier randomSupplier)

In the case of a FIPS system:
getApplication().getSecuritySettings() will throw an exception when it tries to create the SecuritySettings object because the SecuritySettings object initializes its randomSupplier member with a new DefaultSecureRandomSupplier instance. Based on the original code this will throw an exception that stops Wicket from initializing.

Could you please give more information why it will throw?
Even better - paste the exception stacktrace.

FIPS is about the JDK security APIs, not about Wicket security related APIs (or any other library), no?

@martin-g martin-g Jan 23, 2026

Just to make my initial suggestion more clear:
You need to call getSecuritySettings().setRandomSupplier(new MyCustomSupplier()) in YourApplication#init() method.

We've attempted setting the random supplier in our application init, but the exception occurs before this. Exception:

SEVERE: Exception starting filter [SwAppApplication]
javax.servlet.ServletException: org.apache.wicket.WicketRuntimeException: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:467)
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:365)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:239)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:97)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3908)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4527)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:76)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:721)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:76)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:211)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:412)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:874)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:439)
    at com.systemware.ccisvc.embedded.EmbeddedTomcat.startTomcat(Unknown Source)
    at com.systemware.client.base.BaseAppInitControl.initTomcat(Unknown Source)
    at com.systemware.client.base.BaseAppInitControlForCM.init(Unknown Source)
    at com.systemware.client.base.BaseApp.main(Unknown Source)
Caused by: org.apache.wicket.WicketRuntimeException: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at org.apache.wicket.core.random.DefaultSecureRandomSupplier.<init>(DefaultSecureRandomSupplier.java:45)
    at org.apache.wicket.settings.SecuritySettings.<init>(SecuritySettings.java:69)
    at org.apache.wicket.Application.getSecuritySettings(Application.java:1271)
    at com.systemware.swapp.SwAppApplication.init(Unknown Source)
    at org.apache.wicket.Application.initApplication(Application.java:768)
    at org.apache.wicket.protocol.http.WicketFilter.init(WicketFilter.java:441)
    ... 32 more
Caused by: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:389)
    at org.apache.wicket.core.random.DefaultSecureRandomSupplier.<init>(DefaultSecureRandomSupplier.java:41)

I see! We get the SecureRandom in the constructor ...
We should rework this to be lazy.

@martin-g martin-g requested a review from papegaaij January 23, 2026 20:57
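
The constructor-time failure shown in the stack trace, next to the lazy lookup proposed in the last comment, as an added example that is not Wicket's code and not part of this pull request. `Settings`, `EagerSupplier` and `LazySupplier` are hypothetical stand-ins for Wicket's classes, and the constructed algorithm name `UNAVAILABLE-PRNG` stands in for SHA1PRNG on a JVM whose providers do not offer it.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.function.Supplier;

public class LazyRandomDemo {
    // Constructed name: fails on any JVM the way SHA1PRNG fails in the trace above.
    static final String ALGORITHM = "UNAVAILABLE-PRNG";

    static SecureRandom lookup() {
        try {
            return SecureRandom.getInstance(ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Eager: the provider lookup runs while the object is being constructed.
    static final class EagerSupplier implements Supplier<SecureRandom> {
        private final SecureRandom random = lookup();
        public SecureRandom get() { return random; }
    }

    // Lazy: the lookup is deferred to the first get(), so construction never throws.
    static final class LazySupplier implements Supplier<SecureRandom> {
        private SecureRandom random;
        public synchronized SecureRandom get() {
            if (random == null) random = lookup();
            return random;
        }
    }

    // Hypothetical settings holder: created with a default, overridable afterwards.
    static final class Settings {
        private Supplier<SecureRandom> supplier;
        Settings(Supplier<SecureRandom> dflt) { supplier = dflt; }
        void setRandomSupplier(Supplier<SecureRandom> s) { supplier = s; }
        SecureRandom random() { return supplier.get(); }
    }

    public static void main(String[] args) {
        try {
            new Settings(new EagerSupplier());       // throws before any override can run
        } catch (IllegalStateException e) {
            System.out.println("eager default: " + e.getCause().getMessage());
        }
        Settings s = new Settings(new LazySupplier()); // no lookup performed yet
        SecureRandom chosen = new SecureRandom();      // whatever the JVM's providers select
        s.setRandomSupplier(() -> chosen);             // application override wins
        System.out.println("lazy default, overridden: " + s.random().getAlgorithm());
    }
}
```

With the lazy default, the unavailable algorithm is only requested if nothing replaces the supplier before the first call to `random()`.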