SunPKCS11's Secmod and external modules in FIPS mode

Martin Balao mbalao at redhat.com
Mon Jan 20 19:16:57 UTC 2020


Ping. Any hint about this?

Thanks,
Martin.-

On 12/20/19 10:03 PM, Martin Balao wrote:
> Hello,
> 
> SunPKCS11's Secmod in OpenJDK does not allow modules other than the NSS
> Software Token to be configured in FIPS mode [1]. To give some context,
> NSS represents modules internally with a structure called "struct
> SECMODModuleStr" and the "fips" variable you see in [1] is the "isFIPS"
> member of the module structure [2]. isFIPS is initialized by NSS to
> false for all modules [3] but if the module spec string has a "FIPS"
> flag, it may be turned to true [4]. Newer NSS versions (since bug
> 1531267 [5] [6]) may set isFIPS to true for all modules when
> /proc/sys/crypto/fips_enabled is 1 in Linux systems. As a result, as
> soon as the system is in FIPS mode and the NSSDB has more than the NSS
> Software Token module in it, OpenJDK refuses to initialize the SunPKCS11
> provider. You can see a real case with p11-kit-trust as the external
> module in RH1780335 [7].
> 
> This behavior has been the same since the very beginning of OpenJDK
> (revision 2), and I couldn't find much information about it. There might
> be a commit message previous to that.
> 
> I'm trying to understand the rationale behind it and see what would be
> the implications of removing the check (note: couldn't notice anything
> in my quick test by removing it).
> 
> Can someone give me a hint?
> 
> Thanks,
> Martin.-
> 
> --
> [1] - https://hg.openjdk.java.net/jdk/jdk/file/59ddac265649/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java#l417
> [2] - https://github.com/nss-dev/nss/blob/c1ff439ca931f53c318e7381636ed5889b3d66f1/lib/pk11wrap/secmodt.h#L49
> [3] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L49
> [4] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L819
> [5] - https://bugzilla.mozilla.org/show_bug.cgi?id=1531267
> [6] - https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a
> [7] - https://bugzilla.redhat.com/show_bug.cgi?id=1780335
> 
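
The refusal described in the quoted message can be predicted before starting the JVM. The following is an added diagnostic (not code from the email, OpenJDK or NSS) that models the Secmod check: it reads the kernel's fips_enabled flag and a `modutil -list` style listing of the NSSDB, and reports which modules the check would reject under the NSS behaviour from bug 1531267 (every module marked isFIPS when the kernel flag is 1). The module listing and the flag value are constructed sample inputs; the exact `modutil` output layout is an assumption.

```python
import re

# Name NSS reports for its internal module (the NSS Software Token) in `modutil -list`.
NSS_INTERNAL_MODULE = "NSS Internal PKCS #11 Module"

# Constructed sample of a `modutil -dbdir <nssdb> -list` listing with one external module.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. p11-kit-trust
        library name: /usr/lib64/pkcs11/p11-kit-trust.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
"""


def parse_module_list(listing: str) -> list[dict]:
    """Extract module names (and library paths, where printed) from a modutil listing."""
    modules = []
    for line in listing.splitlines():
        header = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)
        if header:
            modules.append({"name": header.group(1), "library": None})
            continue
        lib = re.match(r"\s*library name:\s*(\S+)", line)
        if lib and modules:
            modules[-1]["library"] = lib.group(1)
    return modules


def system_fips_enabled(proc_value: str) -> bool:
    """/proc/sys/crypto/fips_enabled reads "1\\n" on a FIPS-mode Linux kernel."""
    return proc_value.strip() == "1"


def modules_blocking_secmod(listing: str, proc_value: str) -> list[str]:
    """Names of modules that Secmod's FIPS check would reject.

    With the kernel flag set, newer NSS marks every module isFIPS, so any
    module other than the internal NSS Software Token trips the check and
    SunPKCS11 refuses to initialize.  Outside FIPS mode nothing is rejected.
    """
    if not system_fips_enabled(proc_value):
        return []
    return [m["name"] for m in parse_module_list(listing)
            if m["name"] != NSS_INTERNAL_MODULE]
```

On a real host, feed it `open("/proc/sys/crypto/fips_enabled").read()` and the captured `modutil -list` output; an empty result means the NSSDB only holds the internal module and the check will pass.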