Bug 1750752

Summary: Crypto provider not installed: SunPKCS11 - in FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: java-1.8.0-openjdk
Assignee: Andrew John Hughes <ahughes>
Status: CLOSED CURRENTRELEASE
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: dbhole, hkario, java-qa, jjelen, jvanek, mbalao, nhorman, szidek, wchadwic, zzambers
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-1.8.0-openjdk-1.8.0.222.b10-3.el8
Last Closed: 2020-01-20 16:54:27 UTC
Type: Bug
Bug Blocks: 1760838, 1818909    
Attachments: RH1750752 patch v0 (flags: none)

Description Ondrej Moriš 2019-09-10 12:24:54 UTC
Description of problem:

When FIPS mode is enabled and our OCSP provider [1], written in Java, is used, we get the following error (see below for the complete traceback):

java.security.ProviderException: Crypto provider not installed: SunPKCS11

The problem happens only when FIPS crypto-policy is applied. We did not change anything in java.security, nss.cfg or nss.fips.cfg. They seem to be configured properly.

[1] http://download.eng.bos.redhat.com/qa/rhts/lookaside/ocspsrvd/ocspsrvd.jar

Version-Release number of selected component (if applicable):

java-1.8.0-openjdk-1.8.0.222.b10-2.el8

How reproducible:

100% in FIPS mode

Steps to Reproduce:

0. Set the FIPS crypto-policy.
1. Download ocspsrvd.jar from [1].
2. Generate a CA key pair.
3. Execute
java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1

Actual results:

java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1
Exception in thread "main" java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.security.ProviderException: Crypto provider not installed: SunPKCS11
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
	at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
	at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
	at java.security.Security.insertProviderAt(Security.java:375)
	at java.security.Security.addProvider(Security.java:418)
	at com.redhat.ocspsrvd.OCSPServd.main(OCSPServd.java:77)
	... 5 more

Expected results:

java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1
OCSPsrvd started on 0.0.0.0:4242

Additional info:

It is possible that this is just a configuration issue. If so, please let me know how to modify configuration and feel free to close the bug.

Comment 2 Martin Balao 2019-09-11 02:38:21 UTC
This is a bug apparently affecting the java-1.8.0-openjdk package.

Candidate fix:

diff --git a/openjdk/jdk/src/share/lib/security/java.security-linux b/openjdk/jdk/src/share/lib/security/java.security-linux
index 24f2a6e..6f5d4ec 100644
--- a/openjdk/jdk/src/share/lib/security/java.security-linux
+++ b/openjdk/jdk/src/share/lib/security/java.security-linux
@@ -82,7 +82,7 @@ security.provider.9=sun.security.smartcardio.SunPCSC
 fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
 fips.provider.2=sun.security.provider.Sun
 fips.provider.3=sun.security.ec.SunEC
-fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
 
 #
 # Sun Provider SecureRandom seed source.
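Review bot: the value on the fips.provider.4 line is the provider name SunJSSE looks up in its FIPS constructor (the trace in the description fails at SunJSSE.java:142 with "Crypto provider not installed: SunPKCS11"), and that name is not a fixed "SunPKCS11" but the name the fips.provider.1 entry registers under, which SunPKCS11 builds as "SunPKCS11-" plus the name attribute of the nss.fips.cfg it is given. Changing the argument to "SunPKCS11-NSS" therefore matches the registered name only while nss.fips.cfg keeps name=NSS; consider adding a line to the comment block above the fips.provider entries stating that this suffix must be kept in sync with the name attribute in nss.fips.cfg, so a later edit to either file does not silently reintroduce the failure.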


I still need to figure out why java-11-openjdk is apparently not affected and do some more testing. I'll keep you posted.

Thanks,
Martin.-

Comment 3 Martin Balao 2019-09-11 20:37:53 UTC
I can now confirm that:

1) java-1.8.0-openjdk and java-11-openjdk RHEL 8.1.0 builds are both affected by this bug

2) The fix proposed in comment:2 works for java-1.8.0-openjdk. A similar one is required for java-11-openjdk.

3) java-11-openjdk build is also affected by a bug in the upstream code, for which I have a candidate fix. I'll open a follow-up ticket in OpenJDK's JIRA.

4) ocspsrvd.jar is apparently not suitable to be run in RHEL's FIPS configuration because it uses external security providers such as bouncycastle. If you need to run it anyway, set the system/security property to disable OpenJDK's alignment with the system global policy. These properties are "java.security.disableSystemPropertiesFile" and "security.useSystemPropertiesFile".

I'll proceed with follow-up tickets and patches.

Thanks,
Martin.-
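
The mismatch behind the candidate fix in comment 2 can be checked without starting a JVM: the name SunJSSE is told to look up on fips.provider.4 has to equal the name the fips.provider.1 SunPKCS11 provider registers under, which is "SunPKCS11-" followed by the name attribute of its nss.fips.cfg. The following Python script is an added example, not code from the OpenJDK package or this bug; the java.security excerpts and the nss.fips.cfg contents are constructed samples, and "name = NSS" is an assumption taken from the -NSS suffix of the fix.

```python
import re
from typing import Dict, Optional

# Constructed sample of the fips.provider block from java.security-linux as it
# looked before the candidate fix: fips.provider.4 asks SunJSSE for "SunPKCS11".
JAVA_SECURITY_BEFORE = """\
fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
fips.provider.2=sun.security.provider.Sun
fips.provider.3=sun.security.ec.SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11
"""
JAVA_SECURITY_AFTER = JAVA_SECURITY_BEFORE.replace("Provider SunPKCS11\n", "Provider SunPKCS11-NSS\n")

# Constructed stand-in for nss.fips.cfg. SunPKCS11 registers itself as
# "SunPKCS11-<name>", so "name = NSS" is the assumption behind the -NSS suffix.
NSS_FIPS_CFG = """\
name = NSS
nssDbMode = noDb
nssModule = fips
"""

PROVIDER_RE = re.compile(r"^fips\.provider\.\d+\s*=\s*(\S+)(?:\s+(.*?))?\s*$")

def parse_fips_providers(java_security: str) -> Dict[str, Optional[str]]:
    """Map provider class -> its argument (config path or provider name) per fips.provider.N line."""
    providers: Dict[str, Optional[str]] = {}
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            providers[m.group(1)] = m.group(2) or None
    return providers

def pkcs11_registered_name(nss_cfg: str) -> str:
    """Name SunPKCS11 registers under: 'SunPKCS11-' plus the config's name attribute."""
    for line in nss_cfg.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "name":
            return "SunPKCS11-" + value.strip()
    raise ValueError("nss config has no 'name' attribute")

def check_sunjsse_binding(java_security: str, nss_cfg: str) -> dict:
    """Compare the name SunJSSE is told to look up with the name SunPKCS11 will actually register."""
    wanted = parse_fips_providers(java_security).get("com.sun.net.ssl.internal.ssl.Provider")
    registered = pkcs11_registered_name(nss_cfg)
    return {"sunjsse_wants": wanted, "pkcs11_registers": registered, "ok": wanted == registered}

if __name__ == "__main__":
    for label, sec in (("before fix", JAVA_SECURITY_BEFORE), ("after fix", JAVA_SECURITY_AFTER)):
        print(label, check_sunjsse_binding(sec, NSS_FIPS_CFG))
```

On a real host, feed check_sunjsse_binding the contents of $JAVA_HOME/lib/security/java.security and nss.fips.cfg; "ok": False reproduces the condition that makes SunJSSE throw "Crypto provider not installed".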

Comment 4 Ondrej Moriš 2019-09-12 07:33:38 UTC
Martin, thanks a lot for quick analysis.

Comment 6 Martin Balao 2019-09-12 18:15:00 UTC
Created attachment 1614619
RH1750752 patch v0

Comment 7 Martin Balao 2019-09-12 18:20:47 UTC
I've attached "RH1750752 patch v0" to fix this issue in java-1.8.0-openjdk.