Bug 1997360

Summary: Login to the NSS software token in FIPS [java-11-openjdk, RHEL 9]
Product: Red Hat Enterprise Linux 9 Reporter: Andrew John Hughes <ahughes>
Component: java-11-openjdkAssignee: Andrew John Hughes <ahughes>
Status: CLOSED CURRENTRELEASE QA Contact: OpenJDK QA <java-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: abokovoy, jandrlik, pmikova
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: java-11-openjdk-11.0.12.0.7-2.el9 Doc Type: Bug Fix
Doc Text:
The use of the NSS FIPS mode by OpenJDK requires the JDK to login to the NSS software token. Previously, this happened indirectly as part of some crypto operations, but not others. With this update, the JDK logs in to the token on initialisation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-07 22:04:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew John Hughes 2021-08-25 04:14:14 UTC 
This bug was initially created as a copy of Bug #1996182

I am copying this bug because: 

Need to sync to RHEL 9.

Description of problem:

When the NSS software token is configured in FIPS mode -as we do for OpenJDK's system FIPS mode-, a token login is required prior to (almost) any operation. The token login can be achieved by means of a C_Login PKCS#11 call, passing the NSSDB PIN (if any). As an example, C_CreateObject (PKCS#11 API to create keys among other objects) cannot be invoked without a login [1] [2].

OpenJDK will perform a login into the token if a KeyStore::load API is invoked and the keystore implementation is from the SunPKCS11 provider [3] [4]. However, in the case that the application does not perform such call and tries to execute a PKCS#11 action (such as importing a public RSA key into the token [5]), a CKR_USER_NOT_LOGGED_IN error will be thrown.

Proposed solution:

When in system FIPS mode, login into the token right after the SunPKCS11 security provider is initialized. The PIN for the /etc/pki/nssdb token is empty. Note: only privileged (root) users have the right to modify /etc/pki/nssdb files, so there was no need to set a PIN there. OpenJDK's FIPS mode will open the token in read-only mode.

--
[1] - https://github.com/nss-dev/nss/blob/b6145f4aaeb6970f25b497f55ed9a5476f13b715/lib/softoken/fipstokn.c#L970
[2] - https://github.com/nss-dev/nss/blob/b6145f4aaeb6970f25b497f55ed9a5476f13b715/lib/softoken/fipstokn.c#L198
[3] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java#L752
[4] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java#L1403
[5] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java#L193