Provide clearer error message for encrypted PEM(PKCS#8) Keys in FIPS-enable environments

[jcarranzan]

Description

Currently, when using the encrypted PEM(PKCS#8) key feature introduced in Quarkus TLS registry, if the environment is FIPS enabled, the feature will fail due to unsupported encryption algorithms(eg AES-128-CBC). This results in a NPE:

java.lang.NullPointerException: algParams must be non-null
    at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:181)
    at io.smallrye.certs.CertificateUtils.writePrivateKeyToPem(CertificateUtils.java:229)

Using PBEWithSHA1AndDESede Quarkus fails to decrypt it with the next error trace :

10:24:51,984 INFO  [app] 10:24:50,417 Failed to start application: java.lang.RuntimeException: Failed to start quarkus
10:24:51,985 INFO  [app] 	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
10:24:51,985 INFO  [app] 	at io.quarkus.runtime.Application.start(Application.java:101)
10:24:51,985 INFO  [app] 	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:121)
10:24:51,985 INFO  [app] 	at io.quarkus.runtime.Quarkus.run(Quarkus.java:77)
10:24:51,985 INFO  [app] 	at io.quarkus.runtime.Quarkus.run(Quarkus.java:48)
10:24:51,985 INFO  [app] 	at io.quarkus.runtime.Quarkus.run(Quarkus.java:137)
10:24:51,985 INFO  [app] 	at io.quarkus.runner.GeneratedMain.main(Unknown Source)
10:24:51,985 INFO  [app] 	at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:68)
10:24:51,985 INFO  [app] 	at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:36)
10:24:51,986 INFO  [app] Caused by: java.lang.IllegalStateException: Invalid key/certificate pair configuration for certificate '<default>'
10:24:51,986 INFO  [app] 	at io.quarkus.tls.runtime.keystores.PemKeyStores.verifyPEMKeyStore(PemKeyStores.java:35)
10:24:51,986 INFO  [app] 	at io.quarkus.tls.runtime.CertificateRecorder.getKeyStore(CertificateRecorder.java:136)
10:24:51,986 INFO  [app] 	at io.quarkus.tls.runtime.CertificateRecorder.verifyCertificateConfigInternal(CertificateRecorder.java:103)
10:24:51,986 INFO  [app] 	at io.quarkus.tls.runtime.CertificateRecorder.verifyCertificateConfig(CertificateRecorder.java:89)
10:24:51,986 INFO  [app] 	at io.quarkus.tls.runtime.CertificateRecorder.validateCertificates(CertificateRecorder.java:57)
10:24:51,986 INFO  [app] 	at io.quarkus.runner.recorded.CertificatesProcessor$initializeCertificate426175759.deploy_0(Unknown Source)
10:24:51,986 INFO  [app] 	at io.quarkus.runner.recorded.CertificatesProcessor$initializeCertificate426175759.deploy(Unknown Source)
10:24:51,986 INFO  [app] 	... 9 more
10:24:51,987 INFO  [app] Caused by: java.lang.IllegalArgumentException: Unable to decrypt the key file: /tmp/encrypted-key9036254923741336897.pem
10:24:51,987 INFO  [app] 	at io.quarkus.tls.runtime.config.PemKeyCertConfig.toOptions(PemKeyCertConfig.java:72)
10:24:51,987 INFO  [app] 	at io.quarkus.tls.runtime.keystores.PemKeyStores.verifyPEMKeyStore(PemKeyStores.java:29)
10:24:51,987 INFO  [app] 	... 15 more

It would be good to provide a clearer and informative error message when encrypted PEM certificates are used in a FIPS enabled environment, for instance:
"Provided PEM private key cannot be decrypted because AES-128-CBC is unavailable. Please note that encrypted PEM is currently not supported in FIPS-enabled environments"

This will improve the user experience, avoiding confusion

[quarkus-bot]

/cc @Karm (securepipeline), @jerboaa (securepipeline)

[sberyozkin]

@michalvavrik Hi Michal FYI, we can consider it for our test collection in the future.

@jcarranzan Is it possible to choose which algorithm is used to create encrypted PEMs ?

[michalvavrik]

@michalvavrik Hi Michal FYI, we can consider it for our test collection in the future.

Long story short, this is about https://issues.redhat.com/browse/QUARKUS-5666 not being supported in FIPS-enabled environment. We know about that, but IMO it is not great user experience as Quarkus could inform about that. Sure, it would be very nice to support that, but testing we have, Jose is my coleague.

@jcarranzan Is it possible to choose which algorithm is used to create encrypted PEMs ?

Nope, Quarkus documents https://quarkus.io/guides/tls-registry-reference#pem-keystores explicitly Encrypted PKCS#8 private key (encrypted with AES-128-CBC)

[jerboaa]

It looks like there won't be a way to support the PEM store in FIPS:

https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/openjdk-default-fips-configuration#keystores

The suggestion would be to use PKCS12 stores instead. I'm aware this doesn't answer the question about usability.