Svnkit doesn't handle FIPS mode crypto-policies

On RHEL8 machines that use FIPS mode, the java.security restrictions can sometimes restrict the use of PKCS12 certificates (which it seems like svnkit defaults to).

Similarly, FIPS mode can restrict SSL providers on the specific machine (for instance, my machine’s SSL provider must be set to fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS), and thus this restricts the use of any non-SunJSSE KeyManagers, and it expects PKCS11 certificates. This seems to be preventing svnkit from fetching/generating a KeyStore when performing an SVN checkout in Jenkins.

Error message:
“org.tmatesoft.svn.core.SVNException: svn: E175002: FIPS mode: only SunJSSE KeyManagers may be used”

I am using a RHEL 8.4 machine with openjdk version 11.0.11

Hello Matthew,
thanks for the report! I have zero knowledge on the topic unfortunately.

Would you like to propose a patch? If yes, I’d accept it.
If no, it could take a while until I learn enough about this problem, and I can’t give a time estimate on that.

Another question: do you expect that SVNKit needs a small and nearly trivial change to fix the problem? Or is it a question of missing functionality that would take time and effort to implement?

Anyway thanks for the information provided!

I’m fairly new to the topic myself. FIPS mode is a RHEL 8 specific feature that automatically interfaces with installed applications (like Java) and sets the security crypto-policies.

I think that if there was a way for svnkit to utilize the crypto-policies defined in the java.security file (for openjdk 11 on my machine it is located at /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-2.el8_4.x86_64/conf/security).

It’s a new feature that various developers are just starting to add updates to packages for, something along the lines of: if the machine is in FIPS mode, then handle the crypto policies defined in the java.security file; otherwise, use the default implementation for encrypted network traffic.

I think this is mostly a suggestion that the TMate team take a look at FIPS mode on RHEL 8 and see how it can restrict the use of various encryption algorithms on RHEL machines and requires specific algorithms be used (can vary on any given computer - but there is a FIPS standardized crypto-policy).

Here is some code that might solve the issue if it were to be integrated with the org.tmatesoft.svn.core.internal.io.dav.http.HTTPSSLKeyManager class (it allows for the standard FIPS security provider SunJSSE to be used as well as their preferred algorithm “PKCS#11”):

Adding this provider and algorithm type alongside the “CAPI” and “SunMSCAPI” providers in the HTTPSSLKeyManager would likely fix this restriction.

import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;

// Look up the SunJSSE provider (not passed to the calls below).
Provider pmscapi = Security.getProvider("SunJSSE");
// Use a PKCS11 key store instead of the default type.
KeyStore keyStore = KeyStore.getInstance("PKCS11");

// No input stream and no password.
keyStore.load(null, null);

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(keyStore, null);
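
The branch suggested in the thread (PKCS11 key store in FIPS mode, the JVM default otherwise), written out as an added diagnostic example; it is not SVNKit code and not code from either poster. It prints the registered providers and the classes of the key managers that reach `SSLContext.init`, which is what the quoted "only SunJSSE KeyManagers may be used" error is about. Assumptions: Java 11 or later, FIPS mode is recognised from `/proc/sys/crypto/fips_enabled` plus a provider whose name contains "FIPS", and the class and method names are hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class FipsKeyManagerCheck {

    // Linux kernel FIPS flag; the file is absent on non-Linux systems.
    static boolean kernelFipsEnabled() {
        try {
            return "1".equals(Files.readString(Path.of("/proc/sys/crypto/fips_enabled")).trim());
        } catch (Exception e) {
            return false;
        }
    }

    // Assumption: a FIPS-configured JVM lists a provider with "FIPS" in its name,
    // such as the SunPKCS11-NSS-FIPS entry quoted in the thread.
    static boolean jvmHasFipsProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getName().toUpperCase().contains("FIPS")) return true;
        }
        return false;
    }

    // Key managers from the platform factory: PKCS11 store in FIPS mode, default type otherwise.
    static KeyManager[] platformKeyManagers(boolean fips) throws Exception {
        KeyStore ks = KeyStore.getInstance(fips ? "PKCS11" : KeyStore.getDefaultType());
        ks.load(null, null); // no file and no password: token store, or an empty store
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        return kmf.getKeyManagers();
    }

    public static void main(String[] args) throws Exception {
        boolean fips = kernelFipsEnabled() && jvmHasFipsProvider();
        System.out.println("FIPS mode detected: " + fips);
        for (Provider p : Security.getProviders()) System.out.println("provider: " + p.getName());
        KeyManager[] kms = platformKeyManagers(fips);
        for (KeyManager km : kms) System.out.println("key manager: " + km.getClass().getName());
        // Pass the factory's key managers unwrapped; null selects default trust managers and RNG.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);
        System.out.println("SSLContext provider: " + ctx.getProvider().getName());
    }
}
```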