RFR 8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB

Thu Feb 13 21:07:33 UTC 2020

I think it's fine to remove this check given the recent NSS changes as 
Martin mentioned.

Second Sean's release note suggestion as well.

Thanks,

Valerie

On 2/10/2020 11:14 AM, Sean Mullan wrote:
> Looks good to me, although I would also like Valerie to review it as 
> she has the most experience with the PKCS11 code.
>
> This issue should probably also have a release note. Have you ever 
> written one?
>
> Thanks,
> Sean
>
> On 2/5/20 10:47 AM, Martin Balao wrote:
>> Hi,
>>
>> I'd like to propose a solution for 8238555 [1].
>>
>> Webrev.00:
>>
>>   * 
>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555.webrev.00/
>>
>> Reproducing this issue requires manual configuration steps and there is
>> not a single way of doing so. The ultimate goal for a reproduction is to
>> initialize a SunPKCS11 provider with an NSSDB that has at least 1
>> external module configured in FIPS mode, with at least 1 opened slot.
>>
>> The 8238555_manual_reproducer_v0 code [2] provides a standalone
>> SunPKCS11 initialization with an NSSDB that has a single internal FIPS
>> module configured. That's not enough though because the external module
>> is still missing in the NSSDB. There are two paths from this point:
>>
>> 1) Manually add an external module ("modutil" command) in FIPS mode to
>> the NSSDB
>>
>> 2) Run the code in the latest Fedora/CentOS/RHEL Linux release -I'm not
>> sure if other distributions work- where p11-kit-proxy PKCS#11 module is
>> automatically added to every NSSDB. If you go this way, configure FIPS
>> policy globally (fips-mode-setup --enable) and recompile the NSS library
>> to artificially expose a slot for p11-kit-proxy module [3] (use
>> LD_PRELOAD when running the reproducer code). If you don't want to
>> recompile the NSS library, manually add a module to p11-kit (such as
>> softHSM) so a slot is opened.
>>
>> In my own environment, I had the following output before the patch:
>>
>> Beginning test run ExternalFipsModules...
>> Cannot resolve artifact, please check if JIB jar is present in 
>> classpath.
>> nssLibDir: /usr/lib64/
>> Exception in thread "main" java.lang.RuntimeException: FIPS flag set for
>> non-internal module: p11-kit-proxy.so, p11-kit-proxy
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:418) 
>>
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.nssGetModuleList(Native
>> Method)
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.getModules(Secmod.java:258) 
>>
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:219) 
>>
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112) 
>>
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109) 
>>
>>     at
>> java.base/java.security.AccessController.doPrivileged(AccessController.java:554) 
>>
>>     at
>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109) 
>>
>>     at PKCS11Test.getSunPKCS11(PKCS11Test.java:160)
>>     at PKCS11Test.testNSS(PKCS11Test.java:580)
>>     at PKCS11Test.main(PKCS11Test.java:220)
>>     at PKCS11Test.main(PKCS11Test.java:196)
>>     at ExternalFipsModules.main(ExternalFipsModules.java:31)
>>
>> And after the patch:
>>
>> Beginning test run ExternalFipsModules...
>> Cannot resolve artifact, please check if JIB jar is present in 
>> classpath.
>> nssLibDir: /usr/lib64/
>> Running test with provider SunPKCS11-NSS-FIPS (security manager
>> disabled) ...
>> Provider: SunPKCS11-NSS-FIPS version 15
>> TEST PASS - OK
>> Completed test with provider SunPKCS11-NSS-FIPS (2 ms).
>>
>> Thanks,
>> Martin.-
>>
>> -- 
>> [1] - https://bugs.openjdk.java.net/browse/JDK-8238555
>> [2] -
>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555_manual_reproducer_v0.tar.gz 
>>
>> [3] -
>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/emulate_p11-kit-proxy_with_slots.nss.patch 
>>
>>