Unable to enable FIPS mode on latest Node 18 LTS #23633
Comments
@elliot-huffman which credential are you using and is there a particular service call you're trying to make?

I am using
@elliot-huffman I'm struggling a bit to get this to work with Graph since I think to do what you want would require either admin consent to allow the app to access graph without a signed in user or to use a different credential type that would permit delegated access. I did try it against keyvault:

```js
const crypto = require("crypto");
require('dotenv').config();
const { ClientSecretCredential } = require('@azure/identity');
const { SecretClient } = require("@azure/keyvault-secrets");

async function repro() {
  // Switch OpenSSL into FIPS mode before any credential/TLS traffic is made
  crypto.setFips(true);
  const credential = new ClientSecretCredential(
    process.env.AZURE_TENANT_ID,
    process.env.AZURE_CLIENT_ID,
    process.env.AZURE_CLIENT_SECRET
  );
  // Key Vault call that forces a token request through the credential
  const client = new SecretClient(process.env.KEYVAULT_URL, credential);
  const secret = await client.getSecret("test");
  console.log(secret.value);
}

repro().catch(e => console.error(e));
```

But the error I get back is an SSL one instead:
If you use

I'll build a once off test project and get the results back here.

much appreciated!
Just ran a test and I was able to retrieve an access token while in FIPS mode, this is most likely an issue with the Microsoft Graph client. I will open a ticket with them.

```ts
import { DefaultAzureCredential } from "@azure/identity";
import * as crypto from "crypto";

// Enable FIPS mode before the credential makes any request
// @ts-ignore
crypto.setFips(true);

const credential = new DefaultAzureCredential();
credential.getToken("https://graph.microsoft.com").then(
  (results) => {
    console.log(results);
    // Confirm FIPS mode is still reported as active after the token call
    console.log(crypto.getFips());
  }
);
```
Did some work on the Graph API side of things and it turns out it is the credential causing the issue and not the Graph Client. Wrote this code and was able to re-pro the issue:

```ts
import { getFips, setFips } from 'crypto';
import { ClientSecretCredential } from '@azure/identity';

const tenantId = 'TenantGuidHere';
const clientId = 'ClientIdHere';
const clientSecret = 'ClientSecretHere';

// Turn on FIPS mode
setFips(true);

/** Instance of credential client */
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// Get an access token
credential.getToken('https://graph.microsoft.com').
  then((results) => {
    console.log(results);
    console.log(getFips());
  }).
  catch((error) => {
    console.log(error);
  });
```

It causes this error:
Tried this code but still has the same issue:

```ts
/* eslint-disable no-console */
import { ClientSecretCredential, ClientSecretCredentialOptions } from '@azure/identity';
import { getFips, setFips } from 'crypto';

const tenantId = '<redacted>';
const clientId = '<redacted>';
const clientSecret = '<redacted>';

// Turn on FIPS mode
setFips(true);

// Pin the authority host explicitly instead of relying on discovery
const knownAuthority: ClientSecretCredentialOptions = {
  'authorityHost': 'https://login.microsoftonline.com'
};

/** Instance of credential client */
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret, knownAuthority);

// Get an access token
credential.getToken('https://graph.microsoft.com').
  then((results) => {
    console.log(results);
    console.log(getFips());
  }).
  catch((error) => {
    console.log(error);
  });
```
FIPS reduces the number of cryptographic and hashing algorithms to a smaller set of 'known good' ones as defined by the US Government's NIST. Starting in Node 17, the OpenSSL suite of tools was updated to version 3. Version 3 has been FIPS Validated and is able to provide FIPS operation without having to build a special build of it. So this means FIPS operation is available out of the box to all users of Node.JS 17 without having to build OpenSSL and Node.JS from source, as long as the setFips method is called. That error indicates that it is trying to use non-allowed algorithms to authenticate, and they aren't available. This could also indicate a security risk, as it may be using a potentially weak algorithm that is not on the approved list.

@KarishmaGhiya and @xirzec, checking in on the status.
So MSAL was obscuring this quite a bit, but when I debugged through the goop ultimately this came down to MSAL trying to request the cloud discovery metadata. In my case the URL looked like

But when MSAL asked IdentityClient to make a request to this endpoint, the ultimate error being thrown from the platform was

Which is the same error I was seeing before. I'm using Node v18.14.0 so I'm not sure why it's not finding any ciphers...
@elliot-huffman one minor correction to your repro I had to make was the scope was wrong for graph, it should be
I'm starting to think the standard NodeJS Windows build doesn't have proper FIPS bindings:
I'll give that a try in my primary project, I had a custom set of permissions that I granted my manage identity and didn't want to have just user.read. I'm guessing

That has to be a bug in Node then, the OpenSSL 3 libs have FIPS support built into it. Unlike v1...

Do you think Windows needs to be in FIPS mode?

I am not sure what the rationale of
I tried using the command line flag on codespaces and had a similar issue on Linux as I did on Windows:

```text
node: OpenSSL error when trying to enable FIPS:
C0D74C82757F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../deps/openssl/openssl/crypto/dso/dso_dlfcn.c:118:filename(/home/iojs/build/ws/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so): /home/iojs/build/ws/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so: cannot open shared object file: No such file or directory
```

This makes me think that it is just a misconfig on the Node.JS build when they are statically linking the libraries for OpenSSL.
@elliot-huffman Looks like the issue you faced may be linked to the MSAL bug, the fix for which was shipped in AzureAD/microsoft-authentication-library-for-js#4879 (comment). Please let me know if that works for you.

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

Hi @elliot-huffman, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

The issue still persists for me. Error:

@elliot-huffman Have you filed a bug on node? https://github.com/nodejs/node

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

I have, they say you need to have a build of Node.JS with a FIPS enabled OpenSSL component. They aren't gonna change their build process.

@elliot-huffman Are you still having this issue with Node 20? We have moved to Node 20 a while back.

Hi @elliot-huffman. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

Thanks for checking on this, we are on Node 20 and it is working great right now on the latest version of this package
Describe the bug

After FIPS mode is enabled with `crypto.setFips(true)`, the module is now unable to authenticate to Azure AD.

To Reproduce

Steps to reproduce the behavior: `crypto.setFips(true)` to the top of your app and ensure the latest LTS release of Node.JS is installed (18.12.0 at the time of this writing).

Expected behavior

Successful authentication should happen, regardless of whether FIPS mode is enabled or not.

Screenshots

Additional context

Here is the error that happens after FIPS is enabled: