Bug 2019555

Summary: nss.fips.cfg needs sql: prefix
Product: Fedora
Component: java-11-openjdk
Version: 35
Status: CLOSED ERRATA
Reporter: Severin Gehwolf <sgehwolf>
Assignee: Severin Gehwolf <sgehwolf>
QA Contact: OpenJDK QA <java-qa>
CC: ahughes, ashundi, jerboaa, jvanek, mageia-java
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-11-openjdk-11.0.13.0.8-2.fc35
Last Closed: 2021-11-11 01:19:02 UTC
Type: Bug
Attachments:
ListProviders.java
ListProviders8.java
ListProviders17.java

Description Severin Gehwolf 2021-11-02 19:50:35 UTC
Created attachment 1839356
ListProviders.java

Description of problem:
When in FIPS mode on F35, initialization of the SunPKCS11 provider fails. This makes java unusable.

Version-Release number of selected component (if applicable):
java-11-openjdk-headless-11.0.13.0.8-1.fc35.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install java-11-openjdk-headless
2. Move to FIPS mode via 'fips-mode-setup --enable'
3. Reboot
4. Run the reproducer, ListProviders.java
   $ java --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED ListProviders

Actual results:
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:245)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:140)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:137)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:137)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:251)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:242)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:242)
        at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:222)
        at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:315)
        at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
        at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:174)
        at java.base/java.security.Security.getProviders(Security.java:487)
        at ListProviders.main(ListProviders.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
        at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:240)
        ... 14 more

Expected results:
FIPS: yes
Number of providers: 4
SunPKCS11-NSS-FIPS 11.0
sun.security.pkcs11.SunPKCS11
SUN 11.0
sun.security.provider.Sun
SunEC 11.0
sun.security.ec.SunEC
SunJSSE 11.0
com.sun.net.ssl.internal.ssl.Provider


Additional info:

Adding the 'sql:' prefix to nss.fips.cfg fixes the problem:

$ cat /etc/java/java-11-openjdk/java-11-openjdk-11.0.13.0.8-1.fc35.x86_64/conf/security/nss.fips.cfg
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

Comment 1 Severin Gehwolf 2021-11-02 19:55:41 UTC
Default package installation of java-11-openjdk-headless is:

$ cat /etc/java/java-11-openjdk/java-11-openjdk-11.0.13.0.8-1.fc35.x86_64/conf/security/nss.fips.cfg
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

Comment 2 Severin Gehwolf 2021-11-02 20:02:15 UTC
See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes#notable_changes_in_nss_3.35

It seems F35 removed the legacy secmod.db version since I have a F34 installation of nss (same version as F35) which includes the secmod.db file. F35 no longer has it.

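The description's "Additional info" and comment 2 together pin the failure down to a format mismatch: SunPKCS11's Secmod.initialize requires `<dir>/secmod.db` when nssSecmodDirectory has no prefix (that is the FileNotFoundException in every stack trace here), while NSS 3.35+ defaults to the SQLite store (pkcs11.txt, cert9.db, key4.db) that F35 ships without the legacy files. The following check is an added example, not the reporter's ListProviders attachment and not code from the OpenJDK or Fedora packages: it parses a SunPKCS11 config such as nss.fips.cfg, compares the nssSecmodDirectory prefix against the database files actually present, and reports the exact fix. The two config strings are the variants quoted above; the two directory listings are constructed stand-ins for /etc/pki/nssdb on F35 (SQLite only) and F34 (both formats) as described in comment 2; the function names are my own.

```python
"""
Check an OpenJDK nss.fips.cfg against the NSS database that is actually on disk.

SunPKCS11 (Secmod.initialize) insists on <dir>/secmod.db when nssSecmodDirectory
carries no prefix; with a "sql:" prefix it leaves opening the SQLite-format files
(pkcs11.txt, cert9.db, key4.db) to NSS. A config naming /etc/pki/nssdb without
"sql:" on a host whose /etc/pki/nssdb holds only the SQLite files therefore fails
with FileNotFoundException: /etc/pki/nssdb/secmod.db.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

LEGACY_DBM_FILES = ("secmod.db", "cert8.db", "key3.db")  # unprefixed directory
SQLITE_FILES = ("pkcs11.txt", "cert9.db", "key4.db")     # "sql:" prefix
# NSS also understands a "dbm:" prefix; this check does not model it.

# Constructed inputs: the two config variants quoted in this bug.
DEFAULT_F35_CFG = """\
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
"""
FIXED_CFG = DEFAULT_F35_CFG.replace("nssSecmodDirectory = /etc/pki/nssdb",
                                    "nssSecmodDirectory = sql:/etc/pki/nssdb")

# Constructed directory listings standing in for /etc/pki/nssdb on the two
# Fedora releases compared in comment 2 (SQLite-only vs. both formats).
F35_NSSDB_FILES = ["cert9.db", "key4.db", "pkcs11.txt"]
F34_NSSDB_FILES = ["cert8.db", "key3.db", "secmod.db", "cert9.db", "key4.db", "pkcs11.txt"]


def parse_pkcs11_config(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of a SunPKCS11 config ('#' starts a comment)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def split_secmod_dir(value: str) -> Tuple[str, str]:
    """Split nssSecmodDirectory into (prefix, path); prefix is 'sql' or ''."""
    m = re.match(r"^(sql):(.*)$", value)
    return (m.group(1), m.group(2)) if m else ("", value)


def detect_db_format(present_files: Iterable[str]) -> str:
    """Classify a database directory by its files: 'sql', 'dbm', 'both' or 'none'."""
    names = set(present_files)
    has_sql = any(f in names for f in SQLITE_FILES)
    has_dbm = any(f in names for f in LEGACY_DBM_FILES)
    if has_sql and has_dbm:
        return "both"
    return "sql" if has_sql else "dbm" if has_dbm else "none"


def check_nss_fips_cfg(text: str, present_files: Iterable[str]) -> List[str]:
    """Return the problems found; an empty list means the prefix matches the on-disk format."""
    cfg = parse_pkcs11_config(text)
    if "nssSecmodDirectory" not in cfg:
        return ["nssSecmodDirectory is not set"]
    prefix, path = split_secmod_dir(cfg["nssSecmodDirectory"])
    fmt = detect_db_format(present_files)
    problems: List[str] = []
    if fmt == "none":
        problems.append(f"{path} contains no NSS database files")
    elif prefix == "sql" and fmt == "dbm":
        problems.append(f"{path} holds only a legacy dbm database but the config says sql:; "
                        f"NSS will not find pkcs11.txt/cert9.db/key4.db there")
    elif prefix == "" and fmt == "sql":
        problems.append(f"{path} holds only an SQLite-format database but nssSecmodDirectory "
                        f"has no sql: prefix, so SunPKCS11 will require {path}/secmod.db and fail; "
                        f"fix: nssSecmodDirectory = sql:{path}")
    if cfg.get("nssModule") != "fips":
        problems.append("nssModule is not 'fips', so the FIPS token will not be selected")
    return problems


def check_cfg_file(cfg_path: str) -> List[str]:
    """Run the check against a real config file and the directory it points to."""
    text = Path(cfg_path).read_text()
    _, path = split_secmod_dir(parse_pkcs11_config(text).get("nssSecmodDirectory", ""))
    nssdb = Path(path)
    present = [p.name for p in nssdb.iterdir()] if nssdb.is_dir() else []
    return check_nss_fips_cfg(text, present)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        issues = check_cfg_file(sys.argv[1])
    else:  # no path given: replay the constructed F35 case from this bug
        issues = check_nss_fips_cfg(DEFAULT_F35_CFG, F35_NSSDB_FILES)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it with the path of the installed config (for example the nss.fips.cfg under /etc/java/java-11-openjdk/.../conf/security/) on a FIPS-enabled host; a non-zero exit and the "fix: nssSecmodDirectory = sql:..." line reproduce the diagnosis in this bug without starting a JVM. The check deliberately does nothing when both formats are present (the F34 layout), because an unprefixed directory still opens secmod.db there.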
Comment 3 Severin Gehwolf 2021-11-03 10:05:37 UTC
Affects java-1.8.0-openjdk and java-latest-openjdk too:

$ /usr/lib/jvm/java-17-openjdk-17.0.1.0.12-1.rolling.fc35.x86_64/bin/java --add-exports=java.base/jdk.internal.access=ALL-UNNAMED ListProviders17
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:250)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:145)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:142)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:142)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
	at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
	at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:317)
	at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:334)
	at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:186)
	at java.base/java.security.Security.getProviders(Security.java:488)
	at ListProviders17.main(ListProviders17.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
	at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:245)
	... 14 more

$ /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.fc35.x86_64/jre/bin/java ListProviders8 
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:251)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:131)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
	at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
	at sun.security.jca.Providers.getFullProviderList(Providers.java:174)
	at java.security.Security.getProviders(Security.java:482)
	at ListProviders8.main(ListProviders8.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
	at sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:246)
	... 15 more

Comment 5 Severin Gehwolf 2021-11-03 10:48:07 UTC
PR for JDK 8: https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/148

Comment 6 Severin Gehwolf 2021-11-03 10:53:44 UTC
PR for JDK 17 (java-latest-openjdk): https://src.fedoraproject.org/rpms/java-latest-openjdk/pull-request/84

Comment 7 Severin Gehwolf 2021-11-03 10:54:30 UTC
Created attachment 1839542
ListProviders8.java

Comment 8 Severin Gehwolf 2021-11-03 10:55:05 UTC
Created attachment 1839543
ListProviders17.java

Comment 9 Fedora Update System 2021-11-08 04:46:34 UTC
FEDORA-2021-e2c673f0d0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2c673f0d0

Comment 10 Severin Gehwolf 2021-11-08 13:28:58 UTC
Update for java-latest-openjdk is here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-93b53747d9

Comment 11 Fedora Update System 2021-11-09 02:22:07 UTC
FEDORA-2021-e2c673f0d0 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2c673f0d0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2c673f0d0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-11-11 01:19:02 UTC
FEDORA-2021-e2c673f0d0 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.