Unable to enable FIPS mode on latest Node 18 LTS #23633

Closed
elliot-huffman opened this issue Oct 28, 2022 · 29 comments

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@elliot-huffman (Author) opened the issue Oct 28, 2022:

  • Package Name: @azure/identity
  • Package Version: 3.0.0
  • Operating system: Windows 11 22H2
  • nodejs
    • version: 18.12.0
  • browser
    • name/version: N/A
  • typescript
    • version: 4.8.4
  • Is the bug related to documentation in

Describe the bug
After FIPS mode is enabled with crypto.setFips(true) the module is now unable to authenticate to Azure AD.

To Reproduce
Steps to reproduce the behavior:

  1. Add crypto.setFips(true) to the top of your app and ensure the latest LTS release of Node.JS is installed (18.12.0 at the time of this writing)

Expected behavior
Successful authentication should happen, regardless of whether FIPS mode is enabled or not.

Screenshots
Screenshot of error in terminal

Additional context
Here is the error that happens after FIPS is enabled:

```text
ChainedTokenCredential authentication failed.
CredentialUnavailableError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

AggregateAuthenticationError: ChainedTokenCredential authentication failed.
CredentialUnavailableError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at C:\GitHub\**Redacted**\Server\node_modules\@azure\identity\dist\index.js:2657:29
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.withSpan (C:\GitHub\**Redacted**\Server\node_modules\@azure\identity\node_modules\@azure\core-tracing\dist\index.js:140:28)

Node.js v18.12.0
```
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Oct 28, 2022
@azure-sdk azure-sdk added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage. labels Oct 28, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Oct 28, 2022
@xirzec xirzec removed the needs-team-triage Workflow: This issue needs the team to triage. label Oct 28, 2022
@xirzec (Member) commented Oct 28, 2022:

@elliot-huffman which credential are you using and is there a particular service call you're trying to make?

@elliot-huffman (Author) commented:

I am using ClientSecretCredential or ManagedIdentityCredential in a ChainedTokenCredential.
Just Graph API calls using the @microsoft/microsoft-graph-client package.

@xirzec (Member) commented Oct 31, 2022:

@elliot-huffman I'm struggling a bit to get this to work with Graph since I think to do what you want would require either admin consent to allow the app to access graph without a signed in user or to use a different credential type that would permit delegated access.

I did try it against keyvault:

```javascript
const crypto = require("crypto");
require('dotenv').config();
const { ClientSecretCredential } = require('@azure/identity');
const { SecretClient } = require("@azure/keyvault-secrets");

async function repro() {
  // Enable FIPS mode before any credential or client is created
  crypto.setFips(true);
  const credential = new ClientSecretCredential(
    process.env.AZURE_TENANT_ID,
    process.env.AZURE_CLIENT_ID,
    process.env.AZURE_CLIENT_SECRET
  );

  const client = new SecretClient(process.env.KEYVAULT_URL, credential);
  const secret = await client.getSecret("test");
  console.log(secret.value);
}

repro().catch(e => console.error(e));
```

But the error I get back is an SSL one instead:

```text
C:\src\fips-repro>node index.js
Error: error:0A0000A1:SSL routines::library has no ciphers
    at new SecureContext (node:_tls_common:89:16)
    at Object.createSecureContext (node:_tls_common:114:13)
    at Object.connect (node:_tls_wrap:1629:48)
    at Agent.createConnection (node:https:150:22)
    at Agent.createSocket (node:_http_agent:350:26)
    at Agent.addRequest (node:_http_agent:297:10)
    at new ClientRequest (node:_http_client:335:16)
    at Object.request (node:https:360:10)
    at C:\src\fips-repro\node_modules\@azure\core-rest-pipeline\dist\index.js:1694:99
    at new Promise (<anonymous>) {
  library: 'SSL routines',
  reason: 'library has no ciphers',
  code: 'ERR_SSL_LIBRARY_HAS_NO_CIPHERS'
}
```

If you use ClientSecretCredential directly do you see the same? I'm not very familiar with FIPS and searching around for that error wasn't particularly enlightening.

@elliot-huffman (Author) commented:

I'll build a one-off test project and get the results back here.

@xirzec (Member) commented Nov 7, 2022:

> I'll build a one-off test project and get the results back here.

Much appreciated!

@elliot-huffman (Author) commented:

Just ran a test and I was able to retrieve an access token while in FIPS mode; this is most likely an issue with the Microsoft Graph client. I will open a ticket with them.
Here is the code I ran to get the Access Token (Using VS Code's auth session):

```typescript
import { DefaultAzureCredential } from "@azure/identity";
import * as crypto from "crypto";

// Enable FIPS mode before the credential is created
// @ts-ignore
crypto.setFips(true);

const credential = new DefaultAzureCredential();

credential.getToken("https://graph.microsoft.com").then(
    (results) => {
        console.log(results);
        // Confirm FIPS mode is still reported as on after the token call
        console.log(crypto.getFips());
    }
);
```

@elliot-huffman (Author) commented:

Did some work on the Graph API side of things and it turns out it is the credential causing the issue and not the Graph client.

Wrote this code and was able to re-pro the issue:

```typescript
import { getFips, setFips } from 'crypto';
import { ClientSecretCredential } from '@azure/identity';

const tenantId = 'TenantGuidHere';
const clientId = 'ClientIdHere';
const clientSecret = 'ClientSecretHere';

// Turn on FIPS mode
setFips(true);

/** Instance of credential client */
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// Get an access token
credential.getToken('https://graph.microsoft.com').
    then((results) => {
        console.log(results);
        console.log(getFips());
    }).
    catch((error) => {
        console.log(error);
    });
```

It causes this error:

```text
CredentialUnavailableError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at MsalClientSecret.handleError (C:\GitHub\Moot\Telemetry-Server\node_modules\@azure\identity\dist\index.js:452:28)
    at MsalClientSecret.doGetToken (C:\GitHub\Moot\Telemetry-Server\node_modules\@azure\identity\dist\index.js:2956:24)
    at async Object.withSpan (C:\GitHub\Moot\Telemetry-Server\node_modules\@azure\core-tracing\dist\index.js:140:28)
```

@elliot-huffman elliot-huffman reopened this Jan 9, 2023
@elliot-huffman (Author) commented Jan 9, 2023:

Tried this code but still has the same issue:

```typescript
/* eslint-disable no-console */
import { ClientSecretCredential, ClientSecretCredentialOptions } from '@azure/identity';
import { getFips, setFips } from 'crypto';

const tenantId = '<redacted>';
const clientId = '<redacted>';
const clientSecret = '<redacted>';

// Turn on FIPS mode
setFips(true);

// Explicitly pin the authority host in case the "untrusted_authority" error is an authority problem
const knownAuthority: ClientSecretCredentialOptions = {
    'authorityHost': 'https://login.microsoftonline.com'
};

/** Instance of credential client */
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret, knownAuthority);

// Get an access token
credential.getToken('https://graph.microsoft.com').
    then((results) => {
        console.log(results);
        console.log(getFips());
    }).
    catch((error) => {
        console.log(error);
    });
```

@elliot-huffman (Author) commented Jan 9, 2023:

> I'm not very familiar with FIPS and searching around for that error wasn't particularly enlightening.

FIPS reduces the amount of cryptographic and hashing algorithms to a smaller set of 'known good' ones as defined by the US Government's NIST. Starting in Node 17, the OpenSSL suite of tools was updated to version 3. Version 3 has been FIPS Validated and is able to provide FIPS operation without having to build a special build of it. So, this means, FIPS operation is available out of the box to all users of Node.JS 17 without having to build OpenSSL and Node.JS from source as long as the setFips method is called.

That error indicates that it is trying to use non-allowed algorithms to authenticate, and they aren't available. This could also indicate a security risk as it may be using a potentially weak algorithm as it is not on the approved list.

@elliot-huffman (Author) commented:

@KarishmaGhiya and @xirzec, checking in on the status.

@xirzec (Member) commented Feb 2, 2023:

So MSAL was obscuring this quite a bit, but when I debugged through the goop ultimately this came down to MSAL trying to request the cloud discovery metadata. In my case the URL looked like https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/<redacted>/oauth2/v2.0/authorize

But when MSAL asked IdentityClient to make a request to this endpoint, the ultimate error being thrown from the platform was

```text
'Error: error:0A0000A1:SSL routines::library has no ciphers
    at new SecureContext (node:_tls_common:89:16)
    at Object.createSecureContext (node:_tls_common:114:13)
    at Object.connect (node:_tls_wrap:1631:48)
    at Agent.createConnection (node:https:150:22)
    at Agent.createSocket (node:_http_agent:341:26)
    at Agent.addRequest (node:_http_agent:288:10)
    at new ClientRequest (node:_http_client:343:16)
    at Object.request (node:https:360:10)
    at C:\\src\\fips-repro\\node_modules\\@azure\\core-rest-pipeline\\dist\\index.js:1694:99\n    at new Promise (<anonymous>)'
```

Which is the same error I was seeing before. I'm using Node v18.14.0 so I'm not sure why it's not finding any ciphers...

@xirzec (Member) commented Feb 2, 2023:

@elliot-huffman one minor correction to your repro I had to make was the scope was wrong for graph, it should be https://graph.microsoft.com/.default - not sure if that helps you get further with your working FIPS build. :)

@xirzec (Member) commented Feb 2, 2023:

I'm starting to think the standard NodeJS Windows build doesn't have proper FIPS bindings:

```text
C:\src\fips-repro>node --enable-fips index.js
node: OpenSSL error when trying to enable FIPS:
90380000:error:12800067:DSO support routines:win32_load:could not load the shared library:c:\ws\deps\openssl\openssl\crypto\dso\dso_win32.c:108:filename(c:ws$(ConfigurationName)\obj.target\deps\openssl\lib\openssl-modules\fips.dll)
```

@elliot-huffman (Author) commented:

> @elliot-huffman one minor correction to your repro I had to make was the scope was wrong for graph, it should be https://graph.microsoft.com/.default - not sure if that helps you get further with your working FIPS build. :)

I'll give that a try in my primary project. I had a custom set of permissions that I granted my managed identity and didn't want to have just user.read. I'm guessing .default grants me all the permissions of my service principal?

@elliot-huffman (Author) commented:

> I'm starting to think the standard NodeJS Windows build doesn't have proper FIPS bindings:
>
> ```text
> C:\src\fips-repro>node --enable-fips index.js
> node: OpenSSL error when trying to enable FIPS:
> 90380000:error:12800067:DSO support routines:win32_load:could not load the shared library:c:\ws\deps\openssl\openssl\crypto\dso\dso_win32.c:108:filename(c:ws$(ConfigurationName)\obj.target\deps\openssl\lib\openssl-modules\fips.dll)
> ```

That has to be a bug in Node then; the OpenSSL 3 libs have FIPS support built into them. Unlike v1...

@xirzec (Member) commented Feb 2, 2023:

> I'll give that a try in my primary project. I had a custom set of permissions that I granted my managed identity and didn't want to have just user.read. I'm guessing .default grants me all the permissions of my service principal?

I am not sure what the rationale of .default as a magic string ultimately is, it's simply part of the arcana of AAD that I have come to accept when talking to service endpoints. It's possible the friendly folks at https://github.com/AzureAD/microsoft-authentication-library-for-js/ would have some better insights as to how that became the established convention for service permissions.

@xirzec (Member) commented Feb 6, 2023:

I tried using the command line flag on codespaces and had a similar issue on Linux as I did on Windows:

```text
node: OpenSSL error when trying to enable FIPS:
C0D74C82757F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../deps/openssl/openssl/crypto/dso/dso_dlfcn.c:118:filename(/home/iojs/build/ws/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so): /home/iojs/build/ws/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so: cannot open shared object file: No such file or directory
```

@elliot-huffman (Author) commented Feb 6, 2023 via email (no content captured).

@KarishmaGhiya (Member) commented Jun 20, 2023:

@elliot-huffman Looks like the issue you faced may be linked to the MSAL bug, the fix for which was shipped in AzureAD/microsoft-authentication-library-for-js#4879 (comment).
Please use @azure/identity version 3.2.3 to get the bug fix: https://www.npmjs.com/package/@azure/identity/v/3.2.3

Please let me know if that works for you.
In case it still does not work with FIPS mode on, then please file a bug on Node and link this issue: https://github.com/nodejs/node

@KarishmaGhiya KarishmaGhiya added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jun 20, 2023
@github-actions (bot) commented:

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions (bot) commented:

Hi @elliot-huffman, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@github-actions github-actions bot added the no-recent-activity There has been no recent activity on this issue. label Jun 29, 2023
@elliot-huffman (Author) commented Jul 3, 2023:

The issue still persists for me.
I tested this using Node.JS LTS 18.16.1

Error:

```text
Token retrieval error:
AggregateAuthenticationError: ChainedTokenCredential authentication failed.
CredentialUnavailableError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at C:\GitHub\Moot\Moot-Security-Management\Server\node_modules\@azure\identity\dist\index.js:2927:29
    at process.processTicksAndRejections (c:\GitHub\Moot\Moot-Security-Management\Server\lib\internal\process\task_queues.js:95:5)
    at async Object.withSpan (C:\GitHub\Moot\Moot-Security-Management\Server\node_modules\@azure\identity\node_modules\@azure\core-tracing\dist\index.js:140:28)
    at async ChainedTokenCredential.getToken (C:\GitHub\Moot\Moot-Security-Management\Server\node_modules\@azure\identity\dist\index.js:2902:27) {errors: Array(1), name: 'AggregateAuthenticationError', stack: 'AggregateAuthenticationError: ChainedTokenCre…odules\@azure\identity\dist\index.js:2902:27)', message: 'ChainedTokenCredential authentication failed…ty in the knownAuthorities config parameter.'}
```

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. labels Jul 3, 2023
@KarishmaGhiya (Member) commented:

@elliot-huffman Have you filed a bug on node? https://github.com/nodejs/node

@KarishmaGhiya KarishmaGhiya added needs-author-feedback Workflow: More information is needed from author to address the issue. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Oct 10, 2023
@github-actions (bot) commented:

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@elliot-huffman (Author) commented:

> @elliot-huffman Have you filed a bug on node? https://github.com/nodejs/node

I have, they say you need to have a build of Node.JS with a FIPS enabled OpenSSL component. They aren't gonna change their build process.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Oct 10, 2023
@KarishmaGhiya (Member) commented:

@elliot-huffman Are you still having this issue with Node 20? We have moved to Node 20 a while back.

@KarishmaGhiya KarishmaGhiya added needs-author-feedback Workflow: More information is needed from author to address the issue. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Oct 18, 2024
@github-actions (bot) commented:

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@elliot-huffman (Author) commented:

Thanks for checking on this. We are on Node 20 and it is working great right now on the latest version of this package.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Oct 19, 2024
No branches or pull requests

4 participants