RFR 8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB

Valerie Peng valerie.peng at oracle.com
Fri Feb 28 02:48:52 UTC 2020


Hi Martin,

I have looked over the release note subtask and made some minor changes 
on wordings and added RN-Change label.

Sean may have additional comments to add though. Also, when you mark it 
as delivered, the tech writer will also make their edit. Just FYI.

Thanks,
Valerie
On 2/27/2020 11:32 AM, Martin Balao wrote:
> Hi Sean and Valerie,
>
> Thanks for your feedback.
>
> I've written the "8240191: Release Note: Allow SunPKCS11 initialization
> with NSS when FIPS external modules are available in the Security
> Modules Database" release note [1]. Please feel free to edit or ask me
> to do so if you have any suggestion.
>
> Look forward to your final approval so I push.
>
> Thanks,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8240191
>
>
>
> On 2/13/20 6:07 PM, Valerie Peng wrote:
>> I think it's fine to remove this check given the recent NSS changes as
>> Martin mentioned.
>>
>> Second Sean's release note suggestion as well.
>>
>> Thanks,
>>
>> Valerie
>>
>> On 2/10/2020 11:14 AM, Sean Mullan wrote:
>>> Looks good to me, although I would also like Valerie to review it as
>>> she has the most experience with the PKCS11 code.
>>>
>>> This issue should probably also have a release note. Have you ever
>>> written one?
>>>
>>> Thanks,
>>> Sean
>>>
>>> On 2/5/20 10:47 AM, Martin Balao wrote:
>>>> Hi,
>>>>
>>>> I'd like to propose a solution for 8238555 [1].
>>>>
>>>> Webrev.00:
>>>>
>>>>    * http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555.webrev.00/
>>>>
>>>> Reproducing this issue requires manual configuration steps and there is
>>>> not a single way of doing so. The ultimate goal for a reproduction is to
>>>> initialize a SunPKCS11 provider with an NSSDB that has at least 1
>>>> external module configured in FIPS mode, with at least 1 opened slot.
>>>>
>>>> The 8238555_manual_reproducer_v0 code [2] provides a standalone
>>>> SunPKCS11 initialization with an NSSDB that has a single internal FIPS
>>>> module configured. That's not enough though because the external module
>>>> is still missing in the NSSDB. There are two paths from this point:
>>>>
>>>> 1) Manually add an external module ("modutil" command) in FIPS mode to
>>>> the NSSDB
>>>>
>>>> 2) Run the code in the latest Fedora/CentOS/RHEL Linux release -I'm not
>>>> sure if other distributions work- where p11-kit-proxy PKCS#11 module is
>>>> automatically added to every NSSDB. If you go this way, configure FIPS
>>>> policy globally (fips-mode-setup --enable) and recompile the NSS library
>>>> to artificially expose a slot for p11-kit-proxy module [3] (use
>>>> LD_PRELOAD when running the reproducer code). If you don't want to
>>>> recompile the NSS library, manually add a module to p11-kit (such as
>>>> softHSM) so a slot is opened.
>>>>
>>>> In my own environment, I had the following output before the patch:
>>>>
>>>> Beginning test run ExternalFipsModules...
>>>> Cannot resolve artifact, please check if JIB jar is present in classpath.
>>>> nssLibDir: /usr/lib64/
>>>> Exception in thread "main" java.lang.RuntimeException: FIPS flag set for non-internal module: p11-kit-proxy.so, p11-kit-proxy
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:418)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.nssGetModuleList(Native Method)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.getModules(Secmod.java:258)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:219)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109)
>>>>      at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
>>>>      at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109)
>>>>      at PKCS11Test.getSunPKCS11(PKCS11Test.java:160)
>>>>      at PKCS11Test.testNSS(PKCS11Test.java:580)
>>>>      at PKCS11Test.main(PKCS11Test.java:220)
>>>>      at PKCS11Test.main(PKCS11Test.java:196)
>>>>      at ExternalFipsModules.main(ExternalFipsModules.java:31)
>>>>
>>>> And after the patch:
>>>>
>>>> Beginning test run ExternalFipsModules...
>>>> Cannot resolve artifact, please check if JIB jar is present in classpath.
>>>> nssLibDir: /usr/lib64/
>>>> Running test with provider SunPKCS11-NSS-FIPS (security manager disabled) ...
>>>> Provider: SunPKCS11-NSS-FIPS version 15
>>>> TEST PASS - OK
>>>> Completed test with provider SunPKCS11-NSS-FIPS (2 ms).
>>>>
>>>> Thanks,
>>>> Martin.-
>>>>
>>>> -- 
>>>> [1] - https://bugs.openjdk.java.net/browse/JDK-8238555
>>>> [2] - http://cr.openjdk.java.net/~mbalao/webrevs/8238555/8238555_manual_reproducer_v0.tar.gz
>>>> [3] - http://cr.openjdk.java.net/~mbalao/webrevs/8238555/emulate_p11-kit-proxy_with_slots.nss.patch
>>>>
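The following is an added example, not code from the thread, the webrev or the JDK test harness: a small standalone program that initializes SunPKCS11 against an NSSDB in FIPS mode and reports whether the pre-8238555 "FIPS flag set for non-internal module" check trips, which is how an operator can tell whether a given JDK build is affected on a host with external FIPS modules such as p11-kit-proxy. The NSS library directory (/usr/lib64) and the database path (/etc/pki/nssdb) are assumptions; adjust them for your system.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.Security;

public class NssFipsInitCheck {
    // Assumed locations; change to match the host under test.
    private static final String NSS_LIB_DIR = "/usr/lib64";
    private static final String NSS_DB_DIR = "/etc/pki/nssdb";

    // SunPKCS11 configuration in the provider's key = value format.
    // "nssModule = fips" selects the internal FIPS module (as the thread's
    // SunPKCS11-NSS-FIPS provider does); readOnly mode avoids modifying the NSSDB.
    static String buildConfig() {
        return String.join("\n",
            "name = NSS-FIPS",
            "nssLibraryDirectory = " + NSS_LIB_DIR,
            "nssSecmodDirectory = " + NSS_DB_DIR,
            "nssDbMode = readOnly",
            "nssModule = fips");
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("nss-fips", ".cfg");
        Files.writeString(cfg, buildConfig());
        try {
            // Provider.configure(String) reads the config file and triggers
            // Secmod.getModules(), the code path shown in the stack trace above.
            Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
            Security.addProvider(p);
            System.out.println("Initialized " + p.getName()
                + " version " + p.getVersionStr());
        } catch (RuntimeException e) {
            String msg = String.valueOf(e.getMessage());
            if (msg.startsWith("FIPS flag set for non-internal module")) {
                // Pre-fix behaviour: an external module flagged FIPS aborts init.
                System.out.println("Affected by JDK-8238555: " + msg);
            } else {
                throw e;
            }
        } finally {
            Files.deleteIfExists(cfg);
        }
    }
}
```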

