UnsatisfiedLinkError for libbc-probe.so while upgrading to BC FIPS 2.1 from BC FIPS 2.0 #1987

Open
saritha3h opened this issue Feb 5, 2025 · 13 comments

@saritha3h

I am trying to upgrade my springboot app to use BC FIPS 2.1 from BC FIPS 2.0. The app fails to start and throws the exception below.

Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.UnsatisfiedLinkError: /tmp/bc-fips-jni4pv701a2ie-libs/libbc-probe.so: /tmp/bc-fips-jni4pv701a2ie-libs/libbc-probe.so: failed to map segment from shared object [in thread "background-preinit"]
at java.base/jdk.internal.loader.NativeLibraries.load(Native Method)
at java.base/jdk.internal.loader.NativeLibraries$NativeLibraryImpl.open(NativeLibraries.java:388)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:232)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:174)
at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2394)
at java.base/java.lang.Runtime.load0(Runtime.java:755)
at java.base/java.lang.System.load(System.java:1957)
at org.bouncycastle.crypto.fips.NativeLoader$2.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at org.bouncycastle.crypto.fips.NativeLoader.loadDriver(Unknown Source)
at org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source)
at org.bouncycastle.crypto.CryptoServicesRegistrar.getDefaultMode(Unknown Source)
at org.bouncycastle.crypto.CryptoServicesRegistrar.(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvSecureHash$MD5.configure(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:128)
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:347)
at java.base/java.lang.Class.newInstance(Class.java:645)
at java.base/sun.security.jca.ProviderConfig$ProviderLoader$1.run(ProviderConfig.java:407)
at java.base/sun.security.jca.ProviderConfig$ProviderLoader$1.run(ProviderConfig.java:404)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at java.base/sun.security.jca.ProviderConfig$ProviderLoader.legacyLoad(ProviderConfig.java:404)
at java.base/sun.security.jca.ProviderConfig$ProviderLoader.load(ProviderConfig.java:369)
at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:254)
at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:317)
at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:334)
at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:186)
at java.base/java.security.Security.getProviders(Security.java:433)
at java.base/java.security.Security.getAlgorithms(Security.java:1058)
at org.apache.catalina.util.SessionIdGeneratorBase.(SessionIdGeneratorBase.java:48)
at org.apache.catalina.authenticator.AuthenticatorBase.(AuthenticatorBase.java:190)
at org.apache.catalina.authenticator.NonLoginAuthenticator.(NonLoginAuthenticator.java:31)
at org.springframework.boot.autoconfigure.BackgroundPreinitializer$TomcatInitializer.run(BackgroundPreinitializer.java:202)
at org.springframework.boot.autoconfigure.BackgroundPreinitializer$1.runSafely(BackgroundPreinitializer.java:120)
at org.springframework.boot.autoconfigure.BackgroundPreinitializer$1.run(BackgroundPreinitializer.java:113)
at java.base/java.lang.Thread.run(Thread.java:840)

Security.provider file is
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS

There is no file in the path /tmp/bc-fips-jni4pv701a2ie-libs/. Are there any other libraries that need to be installed along with bc-fips 2.1.0, or is there anything missing in the classpath?

@mwcw
Collaborator

mwcw commented Feb 5, 2025

Hi,

What is the version of spring boot, the architecture of the CPU and the OS you are using please?

Thanks

MW

@saritha3h
Author

The version of springboot is 3.3.2, x86_64 GNU/Linux and Kernel version 6.1.118

@mwcw
Collaborator

mwcw commented Feb 6, 2025

Ok thanks,

At this stage I am not going to be able to investigate this until early next week.

MW

@dghgit
Contributor

dghgit commented Feb 7, 2025

Try the fix given here:

#1538 (comment)

@saritha3h
Author

We are using BC-FIPS 2.0 with Spring Boot 3.2 and haven't encountered any issues. The problem only occurred after upgrading to BC-FIPS 2.1.

@dghgit
Contributor

dghgit commented Feb 10, 2025

The .so files used by BC-FJA 2.1 create an additional stress point on finding a physical path. Have you tried the solution suggested?

@anandakshay44

Hitting the same issue:

Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.UnsatisfiedLinkError: /tmp/bc-fips-jnifh8slhfvtk-libs/libbc-probe.so: /tmp/bc-fips-jnifh8slhfvtk-libs/libbc-probe.so: failed to map segment from shared object [in thread "background-preinit"]
at java.base/jdk.internal.loader.NativeLibraries.load(Native Method)
at java.base/jdk.internal.loader.NativeLibraries$NativeLibraryImpl.open(NativeLibraries.java:388)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:232)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:174)
at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2394)
at java.base/java.lang.Runtime.load0(Runtime.java:755)
at java.base/java.lang.System.load(System.java:1957)
at org.bouncycastle.crypto.fips.NativeLoader$2.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at org.bouncycastle.crypto.fips.NativeLoader.loadDriver(Unknown Source)
at org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source)
at org.bouncycastle.crypto.CryptoServicesRegistrar.getDefaultMode(Unknown Source)
at org.bouncycastle.crypto.CryptoServicesRegistrar.(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvSecureHash$MD5.configure(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)
at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.(Unknown Source)

I see these /tmp/bc-fips-* files get created while the app tries to initiate, and later get deleted and created again, and so on. In the older bc-fips jar, I don't see such files get dumped inside /tmp.

Any other dependencies to add?

@dghgit
Contributor

dghgit commented Feb 12, 2025

What version of Java is this?

@anandakshay44

It's Java 17.

@dghgit
Contributor

dghgit commented Feb 12, 2025

Hmmm. Okay, is there anything automatically clearing /tmp - the JNI support requires the use of the external .so files, there's no way to load them without storing them on disk somewhere. If they get removed, it will error.

@saritha3h
Author

> The .so files used by BC-FJA 2.1 create an additional stress point on finding a physical path. Have you tried the solution suggested?

Yes, this has already been tried out. We are using springboot 3.3.2 with bc fips 2.0 already without any issues.

@dghgit
Contributor

dghgit commented Feb 12, 2025

2.0.0 doesn't provide AES-NI support - the issue you are seeing is related to native AES-NI support. Are there any restrictions on LD_LIBRARY_PATH? Also, what version of Linux (as in vendor) and what JVM (as in vendor) is in use here?

@mwcw
Collaborator

mwcw commented Feb 13, 2025

Hi,

Is the temporary directory on the host mounted in such a way that it prevents execution?

That is, "noexec" is set.

Something to try would be to change the location of the java temp dir by setting it to a different directory.

java -Djava.io.tmpdir=$TEMP_DIR -jar my-app.jar

MW
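
An added example, not part of the thread or of the Bouncy Castle project: a shell check for the condition raised in the last comment, namely whether a directory sits on a mount carrying the noexec option, followed by selection of a temp directory that does not. The function names, the candidate directory /opt/app/bc-tmp and the sample mount table are constructed for illustration; the table uses the /proc/mounts format.

```bash
#!/usr/bin/env bash
# Print the mount options of the filesystem holding PATH, chosen as the
# longest mount point in MOUNTS_FILE (default /proc/mounts) that prefixes PATH.
mount_opts_for() {
    local path="${1%/}" mounts="${2:-/proc/mounts}"
    local dev mnt fstype opts rest best="" best_opts=""
    [ -n "$path" ] || path=/
    while read -r dev mnt fstype opts rest; do
        case "$path/" in
            "${mnt%/}/"*)
                # -ge: a later entry for the same mount point is mounted on top
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best=$mnt; best_opts=$opts
                fi ;;
        esac
    done < "$mounts"
    printf '%s\n' "$best_opts"
}

# Succeeds (exit 0) when PATH sits on a mount that has the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory that is not on a noexec mount.
pick_exec_tmpdir() {
    local mounts="$1" dir
    shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$mounts"; then
            printf '%s\n' "$dir"; return 0
        fi
    done
    return 1
}

# Constructed sample mount table (not from the issue): /tmp is noexec.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /opt/app ext4 rw,nosuid,nodev,relatime 0 0
EOF

# Show the launch command from the comment above with the selected directory.
dir=$(pick_exec_tmpdir "$SAMPLE_MOUNTS" /tmp /opt/app/bc-tmp) && echo "java -Djava.io.tmpdir=$dir -jar my-app.jar"
```

On a real host, call `is_noexec /tmp` with no second argument so the live /proc/mounts is read, and make the chosen directory writable only by the application's own user.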
