Gracefully handle exceptions from Security Providers (#65464) (#65554)

In certain situations, such as when configured in FIPS 140 mode,
the Java security provider in use might throw a subclass of
java.lang.Error. We currently do not catch these and as a result
the JVM exits, shutting down elasticsearch.

This commit attempts to address this by catching subclasses of Error
that might be thrown for instance when a PBKDF2 implementation
is used from a Security Provider in FIPS 140 mode, with the password
input being less than 14 bytes (112 bits).

- In our PBKDF2 family of hashers, we catch the Error and
throw an ElasticsearchException while creating or verifying the
hash. We throw on verification instead of simply returning false
on purpose so that the message bubbles up and the cause becomes
obvious (otherwise it would be indistinguishable from a wrong
password).
- In KeyStoreWrapper, we catch the Error in order to wrap and re-throw 
a GeneralSecurityException with a helpful message. This can happen when 
using any of the keystore CLI commands, when the node starts or when we 
attempt to reload secure settings.
- In the `elasticsearch-users` tool, we catch the ElasticsearchException that
the Hasher class re-throws and throw an appropriate UserException.

Tests are missing because it's not trivial to set CI in fips approved mode
right now, and thus any tests would need to be muted. There is a parallel
effort in #64024 to enable that and tests will be added in a followup.
This commit is contained in:
Ioannis Kakavas 2020-11-26 17:04:34 +02:00 committed by GitHub
parent 9f35b3d402
commit 12ba9e3e16
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 26 additions and 6 deletions

View File

@ -70,11 +70,11 @@ public abstract class KeyStoreAwareCommand extends EnvironmentAwareCommand {
* Decrypt the {@code keyStore}, prompting the user to enter the password in the {@link Terminal} if it is password protected * Decrypt the {@code keyStore}, prompting the user to enter the password in the {@link Terminal} if it is password protected
*/ */
protected static void decryptKeyStore(KeyStoreWrapper keyStore, Terminal terminal) protected static void decryptKeyStore(KeyStoreWrapper keyStore, Terminal terminal)
throws UserException, GeneralSecurityException, IOException { throws UserException, IOException {
try (SecureString keystorePassword = keyStore.hasPassword() ? try (SecureString keystorePassword = keyStore.hasPassword() ?
readPassword(terminal, false) : new SecureString(new char[0])) { readPassword(terminal, false) : new SecureString(new char[0])) {
keyStore.decrypt(keystorePassword.getChars()); keyStore.decrypt(keystorePassword.getChars());
} catch (SecurityException e) { } catch (SecurityException | GeneralSecurityException e) {
throw new UserException(ExitCodes.DATA_ERROR, e.getMessage()); throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
} }
} }

View File

@ -28,6 +28,7 @@ import org.elasticsearch.cli.UserException;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.GeneralSecurityException;
public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand { public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand {
@ -64,7 +65,7 @@ public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand {
keyStore.decrypt(keyStorePassword.getChars()); keyStore.decrypt(keyStorePassword.getChars());
} }
executeCommand(terminal, options, env); executeCommand(terminal, options, env);
} catch (SecurityException e) { } catch (SecurityException | GeneralSecurityException e) {
throw new UserException(ExitCodes.DATA_ERROR, e.getMessage()); throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
} finally { } finally {
if (keyStorePassword != null) { if (keyStorePassword != null) {

View File

@ -310,7 +310,14 @@ public class KeyStoreWrapper implements SecureSettings {
private Cipher createCipher(int opmode, char[] password, byte[] salt, byte[] iv) throws GeneralSecurityException { private Cipher createCipher(int opmode, char[] password, byte[] salt, byte[] iv) throws GeneralSecurityException {
PBEKeySpec keySpec = new PBEKeySpec(password, salt, KDF_ITERS, CIPHER_KEY_BITS); PBEKeySpec keySpec = new PBEKeySpec(password, salt, KDF_ITERS, CIPHER_KEY_BITS);
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(KDF_ALGO); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(KDF_ALGO);
SecretKey secretKey = keyFactory.generateSecret(keySpec); SecretKey secretKey;
try {
secretKey = keyFactory.generateSecret(keySpec);
} catch (Error e) {
// Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
// salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
throw new GeneralSecurityException("Error generating an encryption key from the provided password", e);
}
SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), CIPHER_ALGO); SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), CIPHER_ALGO);
GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, iv); GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, iv);

View File

@ -513,7 +513,11 @@ public enum Hasher {
result.put(Base64.getEncoder().encodeToString(secretKeyFactory.generateSecret(keySpec).getEncoded())); result.put(Base64.getEncoder().encodeToString(secretKeyFactory.generateSecret(keySpec).getEncoded()));
return result.array(); return result.array();
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) { } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e); throw new ElasticsearchException("Error using PBKDF2 for password hashing", e);
} catch (Error e) {
// Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
// salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e);
} }
} }
@ -539,7 +543,11 @@ public enum Hasher {
final boolean result = CharArrays.constantTimeEquals(computedPwdHash, hashChars); final boolean result = CharArrays.constantTimeEquals(computedPwdHash, hashChars);
return result; return result;
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) { } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e); throw new ElasticsearchException("Error using PBKDF2 for password hashing", e);
} catch (Error e) {
// Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
// salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e);
} finally { } finally {
if (null != hashChars) { if (null != hashChars) {
Arrays.fill(hashChars, '\u0000'); Arrays.fill(hashChars, '\u0000');

View File

@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authc.file.tool;
import joptsimple.OptionSet; import joptsimple.OptionSet;
import joptsimple.OptionSpec; import joptsimple.OptionSpec;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.cli.EnvironmentAwareCommand; import org.elasticsearch.cli.EnvironmentAwareCommand;
import org.elasticsearch.cli.ExitCodes; import org.elasticsearch.cli.ExitCodes;
import org.elasticsearch.cli.LoggingAwareMultiCommand; import org.elasticsearch.cli.LoggingAwareMultiCommand;
@ -446,7 +447,10 @@ public class UsersTool extends LoggingAwareMultiCommand {
final char[] passwordHash; final char[] passwordHash;
try (SecureString password = parsePassword(terminal, cliPasswordValue)) { try (SecureString password = parsePassword(terminal, cliPasswordValue)) {
passwordHash = hasher.hash(password); passwordHash = hasher.hash(password);
} catch (ElasticsearchException e) {
throw new UserException(ExitCodes.DATA_ERROR, "Error storing the password for the new user", e);
} }
return passwordHash; return passwordHash;
} }