Bug 1908876

Summary: Crypto provider not installed: SunPKCS11-NSS-FIPS
Product: Red Hat Enterprise Linux 8
Reporter: Paulo Andrade <pandrade>
Component: java-1.8.0-openjdk
Assignee: Martin Balao <mbalao>
Status: CLOSED DUPLICATE
QA Contact: OpenJDK QA <java-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.3
CC: jvanek, pdelbell
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-08 22:02:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Paulo Andrade 2020-12-17 19:04:34 UTC
Should be related to bz#1750752, and user is running an openjdk that
should have the fix.

Example command line:

keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore

and java output:

java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
        at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
        at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:127)
        at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
        at sun.security.jca.ProviderList.getService(ProviderList.java:331)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:710)
        at java.security.KeyStore.getInstance(KeyStore.java:848)
        at sun.security.tools.keytool.Main.doCommands(Main.java:800)
        at sun.security.tools.keytool.Main.run(Main.java:370)
        at sun.security.tools.keytool.Main.main(Main.java:363)

Comment 1 Saurabh Sharma 2020-12-22 05:06:30 UTC
User has a query requesting help to create a custom Global Crypto Provider that encompasses all of FIPS, except Java for the short term.

Experts,

Could someone please advise on how to address the customer request?

Comment 2 Patrick Del Bello 2021-01-07 19:20:10 UTC
Hi team,

Are there any updates about this? I think we have 2 cases where customers are experiencing this issue, with both Java 8 275 and Java 11.

Comment 3 Andrew John Hughes 2021-01-09 03:11:25 UTC
I see a different failure:

$ /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore
keytool error: java.security.ProviderException: NSS module not available: fips
java.security.ProviderException: NSS module not available: fips
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:283)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getService(ProviderList.java:331)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
	at java.security.Security.getImpl(Security.java:710)
	at java.security.KeyStore.getInstance(KeyStore.java:848)
	at sun.security.tools.keytool.Main.doCommands(Main.java:800)
	at sun.security.tools.keytool.Main.run(Main.java:370)
	at sun.security.tools.keytool.Main.main(Main.java:363)

This is with /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64 (apparently latest available here...)

Assigning to Martin to investigate.

Comment 5 Martin Balao 2021-01-12 17:34:59 UTC
The error I see is different:

[test@vmrheltarget tmp]$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.3 (Ootpa)

[test@vmrheltarget tmp]$ fips-mode-setup --check
FIPS mode is enabled.

[test@vmrheltarget tmp]$ echo $JAVA_HOME
/lib/jvm/java-1.8.0-openjdk

[test@vmrheltarget tmp]$ $JAVA_HOME/bin/java -version
openjdk version "1.8.0_275-debug"
OpenJDK Runtime Environment (build 1.8.0_275-debug-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01-debug, mixed mode)

[test@vmrheltarget tmp]$ $JAVA_HOME/bin/keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore
Generating 4,096 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
	for: CN=myproject, OU=Devices, OU=Example Company, OU=Example Company, O=Example Company, C=US
keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
	at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
	at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:577)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1782)
	at sun.security.tools.keytool.Main.doCommands(Main.java:1013)
	at sun.security.tools.keytool.Main.run(Main.java:370)
	at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.lang.NullPointerException
	at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:603)
	... 6 more

This error is caused by a known bug. See:

 * https://bugzilla.redhat.com/show_bug.cgi?id=1915071
 * https://bugzilla.redhat.com/show_bug.cgi?id=1906862


@Paulo: can you please try on 8u275? In case it fails again with the same error you got before, can you please list all installed security providers? (Security.getProviders()).

Comment 6 Paulo Andrade 2021-01-18 12:42:24 UTC
Just tested a plain rhel-8.3 vm. After setting fips mode and rebooting,
when updating to latest java-1.8.0-openjdk from brew I see:

warning: /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs created as /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew
warning: /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security created as /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew
restored /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs
restored /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security
mv: cannot stat '/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew': No such file or directory
FAILED to restore /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs
mv: cannot stat '/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew': No such file or directory
FAILED to restore /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security

and then the same failure pattern as in comment #3.

As commented in support case 02821277, adding "-J-Dcom.redhat.fips=false"
to the command line corrects the issue.
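An added diagnostic, not part of this bug report or of the OpenJDK package, that does what comment 5 asks for (list the loaded security providers) and also prints the com.redhat.fips switch from comment 6 before attempting the same PKCS12 KeyStore lookup keytool performs; the class name and output layout are my own choice.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;

// Hypothetical helper class (not from the bug or the JDK): run it on the
// affected host with the same java binary keytool uses, e.g.
//   $JAVA_HOME/bin/java FipsProviderCheck
// and again with -Dcom.redhat.fips=false to compare the provider lists.
public class FipsProviderCheck {
    static final String FIPS_PROVIDER = "SunPKCS11-NSS-FIPS";

    public static void main(String[] args) {
        // The RHEL-specific JVM switch from comment 6; null means "not set",
        // which on a FIPS-enabled host selects the FIPS provider configuration.
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips"));

        boolean fipsProviderPresent = false;
        try {
            // Forces every configured provider to load, so a provider whose
            // constructor throws (as SunJSSE does in the reported trace)
            // surfaces here rather than deep inside keytool.
            for (Provider p : Security.getProviders()) {
                System.out.println(p.getName() + " (" + p.getVersion() + "): " + p.getInfo());
                if (FIPS_PROVIDER.equals(p.getName())) {
                    fipsProviderPresent = true;
                }
            }
        } catch (ProviderException e) {
            System.out.println("Provider initialisation failed: " + e);
        }
        System.out.println(FIPS_PROVIDER + " present: " + fipsProviderPresent);

        // Same lookup keytool does for -storetype PKCS12 before generating the key pair.
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            System.out.println("PKCS12 keystore served by: " + ks.getProvider().getName());
        } catch (Exception e) {
            System.out.println("KeyStore.getInstance(\"PKCS12\") failed: " + e);
        }
    }
}
```

Comparing the two runs shows whether the failure is the missing SunPKCS11-NSS-FIPS provider from the summary or the NSS "fips" module problem from comment 3, which is the information the reporter was asked for.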