Bug 1760437
Summary: | SunPKCS11 in FIPS-enabled OpenJDK can't understand SQL-only NSS DBs | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Alex Scheel <ascheel> |
Component: | java-1.8.0-openjdk | Assignee: | Martin Balao <mbalao> |
Status: | CLOSED ERRATA | QA Contact: | OpenJDK QA <java-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.1 | CC: | ahughes, cheimes, dbhole, jvanek, zzambers |
Target Milestone: | rc | | |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | java-1.8.0-openjdk-1.8.0.242.b08-3.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-04-28 15:46:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1655466, 1760850 | | |
Description
Alex Scheel
2019-10-10 14:32:36 UTC
On my checkout of jdk8u upstream, this is caused by this incorrect snippet of code, lines 198 - 207 in jdk/src/share/classes/sun/security/pkcs11/Secmod.java (changeset: 13685:69c4f673b33e):
> if (configDir != null) {
>     File configBase = new File(configDir);
>     if (configBase.isDirectory() == false ) {
>         throw new IOException("configDir must be a directory: " + configDir);
>     }
>     File secmodFile = new File(configBase, "secmod.db");
>     if (secmodFile.isFile() == false) {
>         throw new FileNotFoundException(secmodFile.getPath());
>     }
> }
secmod.db isn't a valid heuristic for "is this directory a NSS DB".
Correct heuristic is ((cert8.db && key3.db && secmod.db) || (cert9.db && key4.db && pkcs11.txt))

The 8u backport of 8165996 [1][2] and 8195607 [3][4] would be needed to support SQLite DBs.

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8165996
[2] - http://hg.openjdk.java.net/jdk/jdk/rev/55b9b1e184c6
[3] - https://bugs.openjdk.java.net/browse/JDK-8195607
[4] - http://hg.openjdk.java.net/jdk/jdk/rev/4bf4c7918063

Status update:

* 8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite
  * 8u backport proposed but blocked by the requirement of a dependency (8133318) [1]
* 8133318: Exclude intermittent failing PKCS11 tests on Solaris SPARC 11.1 and earlier
  * 8u backport proposed [2]. Waiting for review.
* 8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
  * 8u backport will come after 8165996 is pushed.

--
[1] - https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-November/010572.html
[2] - https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-January/010989.html

This bug does not need to be dependent on the upstreaming process, and its long trail of testing dependencies. We can get this fixed in the RPM and then pick up the upstream version in April. That avoids rushing the upstream process for the sake of getting this bug into RHEL 8.2.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1646
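
The file-set heuristic from the description, as an added Java example (not part of the bug report and not the upstream fix for 8165996). `NssDbCheck`, `DbFormat` and `detect` are hypothetical names, `configDir` is assumed to be a plain directory path, and preferring the SQLite set when both sets are present is an assumption.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical helper, not the code in Secmod.java or its upstream fix.
public class NssDbCheck {
    enum DbFormat { LEGACY_DBM, SQLITE }

    // File sets taken from the heuristic stated in the bug description.
    private static final String[] LEGACY = { "cert8.db", "key3.db", "secmod.db" };
    private static final String[] SQLITE = { "cert9.db", "key4.db", "pkcs11.txt" };

    // True only when every file of the set exists as a regular file in dir.
    private static boolean hasAll(File dir, String[] names) {
        for (String name : names) {
            if (!new File(dir, name).isFile()) {
                return false;
            }
        }
        return true;
    }

    // Returns the detected format; throws when neither complete file set is present.
    static DbFormat detect(String configDir) throws IOException {
        File base = new File(configDir);
        if (!base.isDirectory()) {
            throw new IOException("configDir must be a directory: " + configDir);
        }
        // Assumption: when both sets exist, report the SQLite one.
        if (hasAll(base, SQLITE)) return DbFormat.SQLITE;
        if (hasAll(base, LEGACY)) return DbFormat.LEGACY_DBM;
        throw new FileNotFoundException("no complete NSS DB file set in " + base.getPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: empty files laid out like a SQL-only NSS DB.
        Path sqlOnly = Files.createTempDirectory("nssdb-sql");
        for (String name : SQLITE) Files.createFile(sqlOnly.resolve(name));
        System.out.println("SQL-only directory: " + detect(sqlOnly.toString()));

        // Constructed sample: secmod.db alone satisfies the quoted check but not this one.
        Path partial = Files.createTempDirectory("nssdb-partial");
        Files.createFile(partial.resolve("secmod.db"));
        try {
            detect(partial.toString());
        } catch (FileNotFoundException e) {
            System.out.println("secmod.db alone rejected: " + e.getMessage());
        }
    }
}
```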