I recently wanted to build a small Spring Boot utility and created a project using Spring Initializer. It worked all fine until I tried to use ./mvnw spring-boot:run,
where the application failed with a quite confusing error (manually wrapped here):
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.22.2:test (default-test) on project spring-boot-config-resolver:
Execution default-test of goal org.apache.maven.plugins:maven-surefire-plugin:2.22.2:test failed:
Plugin org.apache.maven.plugins:maven-surefire-plugin:2.22.2 or one of its dependencies could not be resolved:
Failed to collect dependencies at org.apache.maven.plugins:maven-surefire-plugin:jar:2.22.2 -> org.apache.maven.surefire:maven-surefire-common:jar:2.22.2:
Failed to read artifact descriptor for org.apache.maven.surefire:maven-surefire-common:jar:2.22.2:
Could not transfer artifact org.apache.maven.surefire:maven-surefire-common:pom:2.22.2 from/to central (https://repo.maven.apache.org/maven2):
transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/surefire/maven-surefire-common/2.22.2/maven-surefire-common-2.22.2.pom:
PKIX path validation failed: java.security.cert.CertPathValidatorException:
Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate: CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException
The strange part here is the Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate.
While researching the exception I found only errors regarding 1048 bit keys, but there was a hint to java.security file.
So I checked mine, but on the first look only found the following, which limits keys below 2048 bits. Very confusing.
# $JAVA_HOME/conf/security/java.security
jdk.security.legacyAlgorithms=SHA1, \
RSA keySize < 2048, DSA keySize < 2048
Going on with my very confused, I finally found a small hint: /etc/crypto-policies.
Checking there I found this:
$ cat /etc/crypto-policies/config
DEFAULT:MYCRYPTO1:NO-AES128
MYCRYPTO1 you may ask, and so did I. Seems to be the placeholder value used by this RHEL hardening guide (I was running this on a shared machine not set up by me but a collague).
5.7. Customizing system-wide cryptographic policies with policy modifiers
And there also is a /etc/crypto-policies/back-ends/java.config, which includes the following; note the RSA keySize < 3072 – this fits our error!
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 3072
But how does this get into JVM?
After some digging around I found a hint to security.useSystemPropertiesFile which is included in my java.security file, but I did not find it in Java documentation.
# $JAVA_HOME/config/security/java.security
#
# Determines whether this properties file will be appended to
# using the system properties file stored at
# /etc/crypto-policies/back-ends/java.config
#
security.useSystemPropertiesFile=true
Turns out to be a Fedora/RHEL patch!
Whew; that was fun to look for.