Bug 1868740

Summary: java-11-openjdk / rhel-8 / FIPS: IllegalAccessException by pkcs11 provider
Product: Red Hat Enterprise Linux 8
Reporter: zzambers
Component: java-11-openjdk
Assignee: Martin Balao <mbalao>
Status: CLOSED ERRATA
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: ahughes, jandrlik, lmiksik, mbalao, pmikova
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-11-openjdk-11.0.8.10-6.el8
Last Closed: 2020-11-04 02:43:55 UTC
Type: Bug
Bug Blocks: 1883849
Attachments: IllegalAccess.java, fixed-illegal-access-from-p11-provider.patch

Description zzambers 2020-08-13 16:57:10 UTC
IllegalAccessException by pkcs11 provider:
- triggered when trying to obtain DH private/public keys
- pkcs11 provider tries to create an instance of the SunJCE provider (placed in the java.base module), which causes an "Illegal access exception" [1]
- affects only modular JDKs (affected: 11, latest-upstream; not affected: 8)
- should probably be easy to fix using "export to" in java.base's module-info [2]

Stack trace:
Exception in thread "main" java.security.ProviderException: Could not find provider SunJCE
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Util.getProvider(P11Util.java:95)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Util.getSunJceProvider(P11Util.java:76)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Key$P11DHPublicKey.getEncodedInternal(P11Key.java:952)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Key.getEncoded(P11Key.java:164)
	at IllegalAccess.main(IllegalAccess.java:8)
Caused by: java.lang.IllegalAccessException: class sun.security.pkcs11.P11Util (in module jdk.crypto.cryptoki) cannot access class com.sun.crypto.provider.SunJCE (in module java.base) because module java.base does not export com.sun.crypto.provider to module jdk.crypto.cryptoki
	at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:361)
	at java.base/jdk.internal.reflect.Reflection.ensureMemberAccess(Reflection.java:99)
	at java.base/java.lang.Class.newInstance(Class.java:579)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Util.getProvider(P11Util.java:92)
	... 4 more

[1] https://hg.openjdk.java.net/jdk-updates/jdk11u/file/030bc020dc04/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java#l71
[2] https://hg.openjdk.java.net/jdk-updates/jdk11u/file/030bc020dc04/src/java.base/share/classes/module-info.java
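
A way to check whether a given modular JDK (9 or later) has the missing export described above. This is an added diagnostic, not the attached IllegalAccess.java reproducer or the attached patch; the class name ExportCheck and its helper methods are hypothetical, and the package and module names are taken from the stack trace.

```java
import java.security.Security;
import java.util.Optional;

// Added diagnostic, not code from the bug report or from OpenJDK.
public class ExportCheck {
    // Package and module names as they appear in the IllegalAccessException message.
    static final String PKG = "com.sun.crypto.provider";
    static final String CONSUMER = "jdk.crypto.cryptoki";

    // True when java.base exports PKG to the named module, either through a
    // qualified export ("exports ... to ...") or an unqualified one.
    static boolean exportedTo(String consumerName) {
        Module base = Object.class.getModule(); // java.base
        Optional<Module> consumer = ModuleLayer.boot().findModule(consumerName);
        return consumer.isPresent() && base.isExported(PKG, consumer.get());
    }

    // Instantiate SunJCE reflectively from this class's own module. Without an
    // export covering the caller this fails with the same exception type as in
    // the stack trace, only with a different caller module in the message.
    static String reflectiveInstantiation() {
        try {
            Class.forName(PKG + ".SunJCE").getDeclaredConstructor().newInstance();
            return "OK";
        } catch (ReflectiveOperationException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println(PKG + " exported to " + CONSUMER + ": " + exportedTo(CONSUMER));
        // Context only: whether SunJCE is present in the configured provider list.
        System.out.println("SunJCE registered: " + (Security.getProvider("SunJCE") != null));
        System.out.println("reflective instantiation from " + ExportCheck.class.getModule()
                + ": " + reflectiveInstantiation());
    }
}
```

Running it with `--add-exports java.base/com.sun.crypto.provider=jdk.crypto.cryptoki` applies at launch the same kind of qualified export the report suggests for module-info, so the first check then reports true.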

Comment 1 zzambers 2020-08-13 16:58:43 UTC
Created attachment 1711344
IllegalAccess.java

Reproducer

Comment 2 zzambers 2020-08-13 17:00:46 UTC
Created attachment 1711345
fixed-illegal-access-from-p11-provider.patch

Patch for upstream jdk

Comment 19 errata-xmlrpc 2020-11-04 02:43:55 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (java-11-openjdk bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4657

Comment 20 Martin Balao 2021-01-06 15:42:54 UTC
Update: fix (along with RH1883849) proposed upstream at https://bugs.openjdk.java.net/browse/JDK-8259319