RFR 8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB

Martin Balao mbalao at redhat.com
Thu Feb 27 19:32:18 UTC 2020


Hi Sean and Valerie,

Thanks for your feedback.

I've written the "8240191: Release Note: Allow SunPKCS11 initialization
with NSS when FIPS external modules are available in the Security
Modules Database" release note [1]. Please feel free to edit or ask me
to do so if you have any suggestion.

Look forward to your final approval so I push.

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8240191



On 2/13/20 6:07 PM, Valerie Peng wrote:
> 
> I think it's fine to remove this check given the recent NSS changes as
> Martin mentioned.
> 
> Second Sean's release note suggestion as well.
> 
> Thanks,
> 
> Valerie
> 
> On 2/10/2020 11:14 AM, Sean Mullan wrote:
>> Looks good to me, although I would also like Valerie to review it as
>> she has the most experience with the PKCS11 code.
>>
>> This issue should probably also have a release note. Have you ever
>> written one?
>>
>> Thanks,
>> Sean
>>
>> On 2/5/20 10:47 AM, Martin Balao wrote:
>>> Hi,
>>>
>>> I'd like to propose a solution for 8238555 [1].
>>>
>>> Webrev.00:
>>>
>>>   *
>>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555.webrev.00/
>>>
>>> Reproducing this issue requires manual configuration steps and there is
>>> not a single way of doing so. The ultimate goal for a reproduction is to
>>> initialize a SunPKCS11 provider with an NSSDB that has at least 1
>>> external module configured in FIPS mode, with at least 1 opened slot.
>>>
>>> The 8238555_manual_reproducer_v0 code [2] provides a standalone
>>> SunPKCS11 initialization with an NSSDB that has a single internal FIPS
>>> module configured. That's not enough though because the external module
>>> is still missing in the NSSDB. There are two paths from this point:
>>>
>>> 1) Manually add an external module ("modutil" command) in FIPS mode to
>>> the NSSDB
>>>
>>> 2) Run the code in the latest Fedora/CentOS/RHEL Linux release -I'm not
>>> sure if other distributions work- where p11-kit-proxy PKCS#11 module is
>>> automatically added to every NSSDB. If you go this way, configure FIPS
>>> policy globally (fips-mode-setup --enable) and recompile the NSS library
>>> to artificially expose a slot for p11-kit-proxy module [3] (use
>>> LD_PRELOAD when running the reproducer code). If you don't want to
>>> recompile the NSS library, manually add a module to p11-kit (such as
>>> softHSM) so a slot is opened.
>>>
>>> In my own environment, I had the following output before the patch:
>>>
>>> Beginning test run ExternalFipsModules...
>>> Cannot resolve artifact, please check if JIB jar is present in
>>> classpath.
>>> nssLibDir: /usr/lib64/
>>> Exception in thread "main" java.lang.RuntimeException: FIPS flag set for
>>> non-internal module: p11-kit-proxy.so, p11-kit-proxy
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:418)
>>>
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.nssGetModuleList(Native
>>> Method)
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.getModules(Secmod.java:258)
>>>
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:219)
>>>
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
>>>
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109)
>>>
>>>     at
>>> java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
>>>
>>>     at
>>> jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109)
>>>
>>>     at PKCS11Test.getSunPKCS11(PKCS11Test.java:160)
>>>     at PKCS11Test.testNSS(PKCS11Test.java:580)
>>>     at PKCS11Test.main(PKCS11Test.java:220)
>>>     at PKCS11Test.main(PKCS11Test.java:196)
>>>     at ExternalFipsModules.main(ExternalFipsModules.java:31)
>>>
>>> And after the patch:
>>>
>>> Beginning test run ExternalFipsModules...
>>> Cannot resolve artifact, please check if JIB jar is present in
>>> classpath.
>>> nssLibDir: /usr/lib64/
>>> Running test with provider SunPKCS11-NSS-FIPS (security manager
>>> disabled) ...
>>> Provider: SunPKCS11-NSS-FIPS version 15
>>> TEST PASS - OK
>>> Completed test with provider SunPKCS11-NSS-FIPS (2 ms).
>>>
>>> Thanks,
>>> Martin.-
>>>
>>> -- 
>>> [1] - https://bugs.openjdk.java.net/browse/JDK-8238555
>>> [2] -
>>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555_manual_reproducer_v0.tar.gz
>>>
>>> [3] -
>>> http://cr.openjdk.java.net/~mbalao/webrevs/8238555/emulate_p11-kit-proxy_with_slots.nss.patch
>>>
>>>
> 




More information about the security-dev mailing list