Description of problem:
FIPS cannot be disabled by setting security.useSystemPropertiesFile=false in <java.home>/jre/lib/security/java.security
or by setting java.security.disableSystemPropertiesFile=true
Version-Release number of selected component (if applicable):
How reproducible:
RHEL 8.3
OpenJDK 8u275 and 11.0.9
Steps to Reproduce:
1. Enable RHEL 8 FIPS and reboot.
2. Set security.useSystemPropertiesFile=false in <java.home>/jre/lib/security/java.security
3. Use PKCS12 or JKS
Java 8
$ keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Random Company, ou=Random Company, o=Random Company, c=US" -keypass 123456$ -storepass 123456$ -keystore my3.keystore
keytool error: java.security.KeyStoreException: PKCS12 not found
java.security.KeyStoreException: PKCS12 not found
at java.security.KeyStore.getInstance(KeyStore.java:851)
at sun.security.tools.keytool.Main.doCommands(Main.java:800)
at sun.security.tools.keytool.Main.run(Main.java:370)
at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.security.NoSuchAlgorithmException: PKCS12 KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:710)
at java.security.KeyStore.getInstance(KeyStore.java:848)
... 3 more
Java 11
$ keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype jks -dname "cn=myproject, ou=Devices, ou=Random Company, ou=Random Company, o=Random Company, c=US" -keypass 123456$ -storepass 123456$ -keystore my.keystore
keytool error: java.lang.NullPointerException
java.lang.NullPointerException
at java.base/sun.security.ssl.SunJSSE.doRegister(SunJSSE.java:201)
at java.base/sun.security.ssl.SunJSSE$1.run(SunJSSE.java:159)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SunJSSE.registerAlgorithms(SunJSSE.java:156)
at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:118)
at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:42)
at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:185)
at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:315)
at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:173)
at java.base/java.security.Security.getProviders(Security.java:474)
at java.base/sun.security.x509.AlgorithmId.computeOidTable(AlgorithmId.java:617)
at java.base/sun.security.x509.AlgorithmId.oidTable(AlgorithmId.java:607)
at java.base/sun.security.x509.AlgorithmId.algOID(AlgorithmId.java:589)
at java.base/sun.security.x509.AlgorithmId.get(AlgorithmId.java:421)
at java.base/sun.security.x509.AlgorithmId.getWithParameterSpec(AlgorithmId.java:1118)
at java.base/sun.security.tools.keytool.CertAndKeyGen.getSelfCertificate(CertAndKeyGen.java:274)
at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1872)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1134)
at java.base/sun.security.tools.keytool.Main.run(Main.java:405)
at java.base/sun.security.tools.keytool.Main.main(Main.java:398)
Additional info:
Comment 18 Andrew John Hughes
2021-01-21 17:16:00 UTC
*** Bug 1918144 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (java-11-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1794
Note:
Portable builds now also require com.redhat.fips=false to avoid FIPS configuration.
(As use of FIPS-compatible providers was separated from system crypto setup there.)
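
A small diagnostic for the situation in this report, added here as an example and not part of the bug report or of the OpenJDK packages: it prints the kernel FIPS flag, the three properties named above as the running JVM sees them, the loaded providers, and whether the keystore types from the reproducer can be instantiated. The class name FipsConfigCheck is hypothetical, and PKCS11 is included only for comparison.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Added diagnostic (not from the bug report): shows what the running JVM sees.
public class FipsConfigCheck {
    public static void main(String[] args) {
        // Kernel FIPS flag; the file is absent on non-Linux systems.
        try {
            String flag = new String(Files.readAllBytes(
                    Paths.get("/proc/sys/crypto/fips_enabled"))).trim();
            System.out.println("kernel fips_enabled = " + flag);
        } catch (Exception e) {
            System.out.println("kernel fips_enabled = unreadable (" + e + ")");
        }

        // The three switches named in this report.
        System.out.println("security.useSystemPropertiesFile = "
                + Security.getProperty("security.useSystemPropertiesFile"));
        System.out.println("java.security.disableSystemPropertiesFile = "
                + System.getProperty("java.security.disableSystemPropertiesFile"));
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips"));

        // Provider list; the Java 11 trace above passes through
        // Security.getProviders(), so catch and report a failure here.
        try {
            for (Provider p : Security.getProviders()) {
                System.out.println("provider: " + p.getName());
            }
        } catch (RuntimeException e) {
            System.out.println("provider enumeration failed: " + e);
        }

        // Keystore types from the reproducer, plus PKCS11 for comparison.
        for (String type : new String[] {"PKCS12", "JKS", "PKCS11"}) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                System.out.println(type + ": available via " + ks.getProvider().getName());
            } catch (Exception e) {
                System.out.println(type + ": NOT available (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with the same JVM and the same -D options as the failing keytool call, then again with a changed option, and compare the provider and keystore lines.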