RFR 8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB

Martin Balao mbalao at redhat.com
Wed Feb 5 15:47:55 UTC 2020


Hi,

I'd like to propose a solution for 8238555 [1].

Webrev.00:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555.webrev.00/

Reproducing this issue requires manual configuration steps and there is
not a single way of doing so. The ultimate goal for a reproduction is to
initialize a SunPKCS11 provider with an NSSDB that has at least 1
external module configured in FIPS mode, with at least 1 opened slot.

The 8238555_manual_reproducer_v0 code [2] provides a standalone
SunPKCS11 initialization with an NSSDB that has a single internal FIPS
module configured. That's not enough though because the external module
is still missing in the NSSDB. There are two paths from this point:

1) Manually add an external module ("modutil" command) in FIPS mode to
the NSSDB

2) Run the code in the latest Fedora/CentOS/RHEL Linux release -I'm not
sure if other distributions work- where p11-kit-proxy PKCS#11 module is
automatically added to every NSSDB. If you go this way, configure FIPS
policy globally (fips-mode-setup --enable) and recompile the NSS library
to artificially expose a slot for p11-kit-proxy module [3] (use
LD_PRELOAD when running the reproducer code). If you don't want to
recompile the NSS library, manually add a module to p11-kit (such as
softHSM) so a slot is opened.

In my own environment, I had the following output before the patch:

Beginning test run ExternalFipsModules...
Cannot resolve artifact, please check if JIB jar is present in classpath.
nssLibDir: /usr/lib64/
Exception in thread "main" java.lang.RuntimeException: FIPS flag set for
non-internal module: p11-kit-proxy.so, p11-kit-proxy
	at
jdk.crypto.cryptoki/sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:418)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.nssGetModuleList(Native
Method)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.getModules(Secmod.java:258)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:219)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109)
	at
java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
	at
jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109)
	at PKCS11Test.getSunPKCS11(PKCS11Test.java:160)
	at PKCS11Test.testNSS(PKCS11Test.java:580)
	at PKCS11Test.main(PKCS11Test.java:220)
	at PKCS11Test.main(PKCS11Test.java:196)
	at ExternalFipsModules.main(ExternalFipsModules.java:31)

And after the patch:

Beginning test run ExternalFipsModules...
Cannot resolve artifact, please check if JIB jar is present in classpath.
nssLibDir: /usr/lib64/
Running test with provider SunPKCS11-NSS-FIPS (security manager
disabled) ...
Provider: SunPKCS11-NSS-FIPS version 15
TEST PASS - OK
Completed test with provider SunPKCS11-NSS-FIPS (2 ms).

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8238555
[2] -
http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555_manual_reproducer_v0.tar.gz
[3] -
http://cr.openjdk.java.net/~mbalao/webrevs/8238555/emulate_p11-kit-proxy_with_slots.nss.patch



More information about the security-dev mailing list