[
https://issues.apache.org/jira/browse/NIFI-14048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17908342#comment-17908342
]
David Handermann commented on NIFI-14048:
-----------------------------------------
On further consideration, one potential way forward is to implement feature
detection for the Ed25519 algorithm and fall back to RSA when the Java Security
Provider reports that Ed25519 is not supported. The feature detection and
fallback approach would avoid the need for introducing a new application
property. This is beneficial as a way to avoid introducing a new
security-relevant contract for configuration support.

Regarding FIPS 186-5, the [Bouncy Castle Java FIPS
Roadmap|https://www.bouncycastle.org/download/bouncy-castle-java-fips/roadmap/]
for version 2.1.0 indicates that adding EdDSA to the list of approved
algorithms is planned. The Roadmap also notes that this was submitted in
December 2023.

Introducing the algorithm fallback approach, with a log message indicating the
selected algorithm status, would enable support for Ed25519 when the Security
Provider supports it, without requiring configuration changes. This would also
provide a way forward for removing the fallback-to-RSA strategy without
removing support for an application configuration property.
> Ed25519 and RHEL 9 in FIPS Mode
> -------------------------------
>
> Key: NIFI-14048
> URL: https://issues.apache.org/jira/browse/NIFI-14048
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0
> Environment: On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will
> not start since Ed25519 (and Ed448) signatures are disabled in the
> system-wide FIPS crypto policy. We are unable to deviate from this crypto
> policy.
> Reporter: Angela E
> Priority: Critical
>
> On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will not start since
> Ed25519 (and Ed448) signatures are disabled in the system-wide FIPS crypto
> policy. We are unable to deviate from this crypto policy.
>
> JSON Web Token change in NiFi 2.0.0-M4 as referenced in:
>
> https://issues.apache.org/jira/browse/NIFI-13424
>
> When attempting to start, NiFi issues this exception:
>
> Factory method 'keyGenerationCommand' threw exception with message:
> java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available
>
> Recommending an optional setting in nifi.properties to allow the JWT to
> revert to previous PS512 signatures.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
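The feature-detection-and-fallback approach discussed in the comment above, written out as an added example. This is not Apache NiFi code and not part of the Jira thread: the class name `JwtKeyAlgorithmSelector`, the `Selection` record, the constant names, the 4096-bit RSA size and the use of `java.util.logging` are all assumptions made for illustration. It assumes Java 21 (records, `Logger.info(Supplier)`). Detection is done by asking the installed Security Providers for an Ed25519 `KeyPairGenerator` and generating a key pair with it, which is exactly the call that fails with `NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available` on the RHEL 9 FIPS policy described in the issue; when that happens the selector falls back to an RSA key pair and the `PS512` JWS algorithm, and logs which branch was taken so operators can see the degraded state at startup.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.util.logging.Logger;

/**
 * Hypothetical selector illustrating feature detection for Ed25519 with an RSA
 * fallback. Not NiFi code: names and sizes here are assumptions for this example.
 */
public final class JwtKeyAlgorithmSelector {
    private static final Logger LOGGER = Logger.getLogger(JwtKeyAlgorithmSelector.class.getName());

    /** Preferred: Ed25519 key pair, JWS algorithm identifier "EdDSA" (RFC 8037). */
    static final String PREFERRED_KEY_ALGORITHM = "Ed25519";
    static final String PREFERRED_JWS_ALGORITHM = "EdDSA";

    /** Fallback: RSA key pair used with RSASSA-PSS, JWS algorithm identifier "PS512" (RFC 7518). */
    static final String FALLBACK_KEY_ALGORITHM = "RSA";
    static final String FALLBACK_JWS_ALGORITHM = "PS512";
    static final int FALLBACK_RSA_KEY_SIZE = 4096; // assumed size for this example

    /** Outcome of the selection: JCA key algorithm, JWS "alg" value, providing Provider and the key pair. */
    public record Selection(String keyAlgorithm, String jwsAlgorithm, String providerName, KeyPair keyPair) {
        /** True when the preferred algorithm was not available and RSA was used instead. */
        public boolean fallbackUsed() {
            return FALLBACK_KEY_ALGORITHM.equals(keyAlgorithm);
        }
    }

    private JwtKeyAlgorithmSelector() {
    }

    /**
     * Detects Ed25519 support by requesting a KeyPairGenerator from the installed
     * Security Providers and generating a key pair with it. Generating, rather than
     * only calling getInstance, also catches providers that register the algorithm
     * but refuse to use it under a restrictive policy (surfaced as ProviderException).
     * No configuration property is consulted: the selection follows the runtime.
     */
    public static Selection select() throws NoSuchAlgorithmException {
        try {
            final KeyPairGenerator generator = KeyPairGenerator.getInstance(PREFERRED_KEY_ALGORITHM);
            final KeyPair keyPair = generator.generateKeyPair();
            final String providerName = generator.getProvider().getName();
            LOGGER.info(() -> String.format("JWT signing key algorithm [%s] selected from Security Provider [%s]",
                    PREFERRED_KEY_ALGORITHM, providerName));
            return new Selection(PREFERRED_KEY_ALGORITHM, PREFERRED_JWS_ALGORITHM, providerName, keyPair);
        } catch (final NoSuchAlgorithmException | ProviderException e) {
            // Status message so the fallback is visible in the startup log, not silent
            LOGGER.warning(() -> String.format(
                    "JWT signing key algorithm [%s] not available [%s]: falling back to [%s] with JWS algorithm [%s]",
                    PREFERRED_KEY_ALGORITHM, e.getMessage(), FALLBACK_KEY_ALGORITHM, FALLBACK_JWS_ALGORITHM));
        }

        // Fallback path: RSA remains available under the FIPS policy that disables Ed25519
        final KeyPairGenerator generator = KeyPairGenerator.getInstance(FALLBACK_KEY_ALGORITHM);
        generator.initialize(FALLBACK_RSA_KEY_SIZE);
        final KeyPair keyPair = generator.generateKeyPair();
        final String providerName = generator.getProvider().getName();
        LOGGER.info(() -> String.format("JWT signing key algorithm [%s] selected from Security Provider [%s]",
                FALLBACK_KEY_ALGORITHM, providerName));
        return new Selection(FALLBACK_KEY_ALGORITHM, FALLBACK_JWS_ALGORITHM, providerName, keyPair);
    }

    public static void main(final String[] args) throws NoSuchAlgorithmException {
        final Selection selection = select();
        System.out.printf("Key algorithm: %s, JWS algorithm: %s, Provider: %s, fallback used: %s%n",
                selection.keyAlgorithm(), selection.jwsAlgorithm(), selection.providerName(), selection.fallbackUsed());
    }
}
```

Running this on a JDK where the SunEC Provider supports Ed25519 prints `Key algorithm: Ed25519, JWS algorithm: EdDSA` with no warning; under a policy that removes Ed25519 it logs the WARNING with the Provider's message and prints `Key algorithm: RSA, JWS algorithm: PS512, ... fallback used: true`. The `fallbackUsed()` accessor is the hook that would later let the RSA branch be removed (or turned into a hard failure) without ever having introduced a configuration property, which is the point made in the comment. Whether the generated key pair is actually FIPS-approved for signing still depends on the Provider in use; feature detection only answers whether the algorithm is available.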