Bug 1780335
| Summary: | FIPS mode Provider refuses to load pk11-kit-trust | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alex Scheel <ascheel> |
| Component: | java-1.8.0-openjdk | Assignee: | Martin Balao <mbalao> |
| Status: | CLOSED ERRATA | QA Contact: | OpenJDK QA <java-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.2 | CC: | ahughes, dbhole, jandrlik, jvanek, mbalao |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | java-1.8.0-openjdk-1.8.0.262.b01-0.1.ea.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| | 1818900 | | |
| Last Closed: | 2020-11-04 02:43:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1760850, 1818900 | | |
Note that p11-kit-trust can be removed from the NSS DB:
[root@localhost ~]# modutil -dbdir /nssdb -delete p11-kit-trust
After which, the test will succeed:
Provider: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS-FIPS
Killing session (sun.security.pkcs11.P11Digest.engineReset(P11Digest.java:145)) active: 3
Provider: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS-FIPS
Killing session (sun.security.pkcs11.P11Digest.engineReset(P11Digest.java:145)) active: 3
Token Alias Map:
  localhost type=[private key] label=[localhost] id=0xd4b9ef47ebeb5414c277c068dc94459328422185 trusted=[false] matched=[true] cert=[ subject: CN=localhost, O=CIPHERBOY issuer: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY serialNum: 20878]
  CA Root type=[private key] label=[CA Root] id=0x9af25882bf3ef65f07bc9034dd87081ed34b3216 trusted=[false] matched=[true] cert=[ subject: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY issuer: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY serialNum: 28335]
All known SunJSSE.PKCS12 aliases:
 - localhost
 - CA Root

Yes, OpenJDK explicitly checks that no module other than the software token is in NSSDB when configured in FIPS mode:
http://hg.openjdk.java.net/jdk/jdk/file/b2aca65cc099/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java#l417
This check has been there since the initial revision. I'm not sure of the rationale though. I wonder if we are able to initialize NSS in FIPS mode using an NSSDB with external modules. I can further investigate this.

Hello Alex,
I've been investigating a bit deeper into this issue and want to make some notes -which will hopefully clarify my initial comment in this ticket-.
NSS represents modules internally with a "struct SECMODModuleStr" object. In particular, there is a isFIPS member [1] which is initialized with PR_FALSE by default [2]. The only code line that may change the value of isFIPS to PR_TRUE is here [3], and depends on the existence of a "FIPS" flag in the spec. This isFIPS value gets passed to OpenJDK as the "fips" variable and is used here [4] to check whether or not the module is allowed. What OpenJDK does not allow is the existence of a module that has isFIPS = true but is different than the internal software token. That means that if there is a module (say p11-kit-trust) which has isFIPS = false, there shouldn't be any problems.
I could not reproduce this issue yet.
My NSSDB has:
[martin@vmhost test]$ modutil -dbdir /home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal FIPS PKCS #11 Module
slots: 1 slot attached
status: loaded
slot: NSS FIPS 140-2 User Private Key Services
token: NSS FIPS 140-2 Certificate DB
2. p11-kit-trust
library name: /usr/lib64/p11-kit-trust.so
slots: 2 slots attached
status: loaded
slot: /etc/pki/ca-trust/source
token: System Trust
slot: /usr/share/pki/ca-trust-source
token: Default Trust
-----------------------------------------------------------
It's FIPS enabled:
[martin@vmhost test]$ modutil -dbdir /home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb -chkfips true
FIPS mode enabled.
The spec for #1 module is:
" name=\"NSS Internal FIPS PKCS #11 Module\" parameters=\"configdir='/home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' \" NSS=\" slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM ] } Flags=internal,FIPS,critical\""
And the SECMODModule module for #1 is:
(gdb) print *((*((*(SECMODModuleList*)0x7f59c13b94e0).next)).module)
$8 = {arena = 0x7f59b826d8d0, internal = 3, loaded = 1, isFIPS = 1, dllName = 0x0, commonName = 0x7f59b8271e78 "NSS Internal FIPS PKCS #11 Module", library = 0x0, functionList = 0x7f59c0815420, refLock = 0x7f59b8271fa0, refCount = 2, slots = 0x7f59b82720b0, slotCount = 1, slotInfo = 0x7f59b8272070, slotInfoCount = 0, moduleID = 1, isThreadSafe = 1, ssl = {0, 0}, libraryParams = 0x7f59b8271ea0 "configdir='/home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' "..., moduleDBFunc = 0x0, parent = 0x7f59b826d630, isCritical = 1, isModuleDB = 0, moduleDBOnly = 0, trustOrder = 50, cipherOrder = 0, evControlMask = 0, cryptokiVersion = {major = 2 '\002', minor = 20 '\024'}}
The spec for #2 module is:
"library=/usr/lib64/p11-kit-trust.so name=p11-kit-trust NSS=\"trustOrder=100 \""
And the SECMODModule module for #2 is:
(gdb) print *((*((*((*(SECMODModuleList*)0x7f59c13b94e0).next)).next)).module)
$11 = {arena = 0x7f59b8293560, internal = 0, loaded = 1, isFIPS = 0, dllName = 0x7f59b8293758 "/usr/lib64/p11-kit-trust.so", commonName = 0x7f59b8293748 "p11-kit-trust", library = 0x7f59b8293530, functionList = 0x7f599a4f9020, refLock = 0x7f59b8293870, refCount = 1, slots = 0x7f59b8293778, slotCount = 2, slotInfo = 0x7f59b82937c8, slotInfoCount = 0, moduleID = 2, isThreadSafe = 1, ssl = {0, 0}, libraryParams = 0x0, moduleDBFunc = 0x0, parent = 0x7f59b826d630, isCritical = 0, isModuleDB = 0, moduleDBOnly = 0, trustOrder = 100, cipherOrder = 0, evControlMask = 0, cryptokiVersion = {major = 2 '\002', minor = 20 '\024'}}
Looks to me that your spec for p11-kit-trust (#2 in my case) has the "FIPS" flag in it. Is this correct? Is it required for you?
Beyond that, and assuming that you are able to initialize SunPKCS11-NSS-FIPS with the NSSDB you want, do you need access from OpenJDK to p11-kit-trust module?
Thanks,
Martin.-
--
[1] - https://github.com/nss-dev/nss/blob/c1ff439ca931f53c318e7381636ed5889b3d66f1/lib/pk11wrap/secmodt.h#L49
[2] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L49
[3] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L819
[4] - http://hg.openjdk.java.net/jdk/jdk/file/b2aca65cc099/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java#l417
[5] - http://hg.openjdk.java.net/jdk/jdk/file/f93bd058a4ce/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java#l235
Update: I've just realized that newer NSS versions have a secmod_GetSystemFIPSEnabled function, introduced by 1531267 [1] [2]. As a result, all modules have isFIPS = PR_TRUE when global FIPS is enabled in the system; you don't need a "FIPS" flag in your p11-kit-trust spec (and you probably don't have it). I'll investigate what happens if we remove the check from OpenJDK. Keep you posted.
--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1531267
[2] - https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a

(In reply to mbalao from comment #4)
> I'll investigate what happens if we remove the check from OpenJDK. Keep you posted.

I've done a quick test removing the check but couldn't notice anything in my testing environment, so I raised the discussion in upstream [1].
--
[1] - https://mail.openjdk.java.net/pipermail/security-dev/2019-December/021077.html

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:4656
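The two comments above describe the rule that trips this bug: NSS sets a module's isFIPS from the "FIPS" flag in its spec (or, on newer NSS, whenever system-wide FIPS is on), and OpenJDK's Secmod then refuses any non-internal module with isFIPS set. The following is an added example (not OpenJDK or NSS code) that applies that rule to module spec strings of the kind `modutil -rawlist` prints, so an administrator can predict whether SunPKCS11-NSS-FIPS will reject a given NSS DB; the two specs are adapted from the ones quoted in the comments, with paths shortened, and the "internal = no library key" test and case-insensitive flag matching are assumptions.

```python
"""Predict whether SunPKCS11-NSS-FIPS would refuse an NSS module list.

Added example, not OpenJDK or NSS code. Module specs are the strings
printed by 'modutil -rawlist'; the two constants below are adapted from
the specs quoted in the bug (paths shortened).
"""
from typing import Dict, List, Set


def parse_spec(spec: str) -> Dict[str, str]:
    """Tokenize an NSS module spec: key=value pairs separated by whitespace.
    Values may be unquoted, "double" or 'single' quoted (with backslash
    escapes), or a {...} group as used by slotParams."""
    fields: Dict[str, str] = {}
    i, n = 0, len(spec)
    while i < n:
        while i < n and spec[i].isspace():
            i += 1
        eq = spec.find("=", i)
        if i >= n or eq == -1:
            break
        key = spec[i:eq].strip()
        i = eq + 1
        buf: List[str] = []
        if i < n and spec[i] in "\"'":
            quote, i = spec[i], i + 1
            while i < n and spec[i] != quote:
                if spec[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character
                buf.append(spec[i])
                i += 1
            i += 1  # skip the closing quote
        elif i < n and spec[i] == "{":
            depth = 0
            while i < n:  # copy a balanced {...} group verbatim
                depth += {"{": 1, "}": -1}.get(spec[i], 0)
                buf.append(spec[i])
                i += 1
                if depth == 0:
                    break
        else:
            while i < n and not spec[i].isspace():
                buf.append(spec[i])
                i += 1
        fields[key] = "".join(buf)
    return fields


def nss_flags(spec: str) -> Set[str]:
    """Flags from the nested NSS="..." sub-spec, lower-cased (assumption:
    NSS compares flag names case-insensitively)."""
    nss = parse_spec(parse_spec(spec).get("NSS", ""))
    return {f.strip().lower() for f in nss.get("Flags", "").split(",") if f.strip()}


def rejected_modules(specs: List[str], system_fips: bool = False) -> List[str]:
    """Names of modules the check described in the bug would refuse.
    Assumption: a module is 'internal' when its spec names no library (the
    softoken shows dllName = 0x0 in the gdb dump); isFIPS comes from the
    FIPS flag, or from system-wide FIPS on newer NSS (comment #4)."""
    out = []
    for spec in specs:
        fields = parse_spec(spec)
        is_fips = system_fips or "fips" in nss_flags(spec)
        is_internal = "library" not in fields
        if is_fips and not is_internal:
            out.append(fields.get("name", "<unnamed>"))
    return out


# Constructed from the module specs quoted in the bug report.
INTERNAL = ('name="NSS Internal FIPS PKCS #11 Module" '
            "parameters=\"configdir='/nssdb' certPrefix='' keyPrefix='' "
            "secmod='secmod.db' flags=readOnly\" "
            'NSS="slotParams={0x00000003=[slotFlags=RSA,SHA1,AES,RANDOM ] } '
            'Flags=internal,FIPS,critical"')
P11_KIT = 'library=/usr/lib64/p11-kit-trust.so name=p11-kit-trust NSS="trustOrder=100 "'

if __name__ == "__main__":
    print("spec flags only:", rejected_modules([INTERNAL, P11_KIT]))
    print("system FIPS on :", rejected_modules([INTERNAL, P11_KIT], system_fips=True))
```

With system-wide FIPS off, only a p11-kit-trust spec that explicitly carries the FIPS flag is flagged; with it on, p11-kit-trust is rejected regardless of its spec, which is the situation comment #4 describes.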
Description of problem:
When running in fips mode (-Dcom.redhat.fips=true), if the NSS DB specified in the nss.fips.cfg under the nssSecmodDirectory has p11-kit-trust module explicitly added to it, the JDK will fail to start and give a stack trace when trying to load the PKCS11 keystore.

Version-Release number of selected component (if applicable):
[root@localhost CliServ]# rpm -qa | grep -i openjdk
java-1.8.0-openjdk-headless-1.8.0.232.b09-3.el8.x86_64
java-1.8.0-openjdk-devel-1.8.0.232.b09-3.el8.x86_64
java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64

How reproducible:
Very

Steps to Reproduce:
1. Create a new nssdb and load p11-kit-trust into it:
mkdir /nssdb
echo nss.SECret.123 > /nssdb/password.txt
certutil -N -d /nssdb -f /nssdb/password.txt
modutil -dbdir /nssdb -add p11-kit-trust -libfile /usr/share/pki/lib/p11-kit-trust.so -force
touch /nssdb/secmod.db # workaround for rhbz#1760437
2. Modify nss.fips.cfg to point to /nssdb
3. Run a sample program:
[root@localhost CliServ]# cat Main.java
import java.io.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;

class Main {
    public static String db_password = "nss.SECret.123";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.out.println("Usage: java Main password-for-nssdb");
            System.exit(1);
        }

        KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-NSS-FIPS");
        ks.load(null, args[0].toCharArray());

        System.out.println("All known SunJSSE.PKCS12 aliases:");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            System.out.println(" - " + e.nextElement());
        }
        System.out.println();
    }
}
[root@localhost CliServ]# javac Main.java && java -Djava.security.debug=all -Dcom.redhat.fips=true Main nss.SECret.123

Actual results:
Fails with stack trace (the SunEC "Set provider property" debug lines and the repeated frames of the nested provider-loading traces are omitted here):
Provider: Set SUN provider property [CertStore.com.sun.security.IndexedCollection ImplementedIn/Software]
ProviderConfig: Loaded provider SUN version 1.8
ProviderConfig: Loading provider: sun.security.ec.SunEC
scl: getPermissions ProtectionDomain (file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/ext/sunec.jar <no signer certificates>) sun.misc.Launcher$ExtClassLoader@55f96302 <no principals> java.security.Permissions@3cd1a2f1 ( ("java.io.FilePermission" "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/ext/sunec.jar" "read") )
ProviderConfig: Loaded provider SunEC version 1.8
ProviderConfig: Loading provider: com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
ProviderConfig: Loading provider: sun.security.pkcs11.SunPKCS11('/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg')
SunPKCS11 loading /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg
ProviderConfig: Error loading provider sun.security.pkcs11.SunPKCS11('/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg')
java.lang.RuntimeException: FIPS flag set for non-internal module: /usr/share/pki/lib/p11-kit-trust.so, p11-kit-trust
	at sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:408)
	at sun.security.pkcs11.Secmod.nssGetModuleList(Native Method)
	at sun.security.pkcs11.Secmod.getModules(Secmod.java:248)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:225)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at java.security.Security.getProvider(Security.java:483)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:140)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)
ProviderConfig: Recursion loading provider: com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
java.lang.Exception: Call trace
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:180)
	(same frames as above down to Main.main)
ProviderConfig: Error loading provider com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	(same frames as below)
Exception in thread "main" java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)

Expected results:
Should succeed.

Additional info:
p11-kit-trust is a required module for letting NSS access the system trust store. Without this application owners are required to export the system trust store certificates and import them into the NSS DB manually, losing system updates.