Bug 2186647

Summary: Enable XML Signature provider in FIPS mode [rhel-9, openjdk-17]
Product: Red Hat Enterprise Linux 9
Reporter: Andrew John Hughes <ahughes>
Component: java-17-openjdk
Assignee: Andrew John Hughes <ahughes>
Status: CLOSED CURRENTRELEASE
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: unspecified
Version: 9.2
CC: jvanek
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: java-17-openjdk-17.0.7.0.7-3.el9
Doc Type: Bug Fix
Doc Text:
Previously, the XML signature provider was unable to operate in FIPS mode. Following recent enhancements to FIPS mode support, the XML signature provider can now be supported. It is now enabled in FIPS mode.
Story Points: ---
Clone Of:
Clones: 2186810, 2186811, 2186812
Environment:
Last Closed: 2023-06-26 15:39:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2186810, 2186811, 2186812

Description Andrew John Hughes 2023-04-14 01:43:59 UTC
This bug was initially created as a copy of Bug #2156945

I am copying this bug because: 

We need to keep RHEL 9 in sync.

This bug was initially created as a copy of Bug #1940064

I am copying this bug because: we need to fix this in OpenJDK 17 too.


When OpenJDK is configured in FIPS mode, the XML Signature provider is currently disabled, and the keystore type must be PKCS11 (/etc/pki/nssdb is used, in read-only mode).

This is not compatible with some third-party applications.

For example, it leads to the following error running Jenkins on RHEL in FIPS mode:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS
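The following diagnostic is an added example, not code from the bug report or from OpenJDK: it reports whether the XMLDSig provider is registered, which keystore type is the default, and whether a JKS request is refused with the KeyStoreException quoted above, so an administrator can confirm which behaviour a given java-17-openjdk build exhibits in FIPS mode. The class name is my own, and reading `com.redhat.fips` assumes the RHEL OpenJDK system property of that name.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.NoSuchMechanismException;
import javax.xml.crypto.dsig.XMLSignatureFactory;

// Added diagnostic for the FIPS-mode behaviour described in this bug (not OpenJDK code).
public class FipsXmlDsigCheck {
    public static void main(String[] args) {
        // RHEL OpenJDK FIPS toggle (assumption: property name as used by the RHEL builds).
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips"));
        System.out.println("Default keystore type: " + KeyStore.getDefaultType());

        // 1. Is the XML Signature provider registered at all? Null means it was disabled.
        Provider xmldsig = Security.getProvider("XMLDSig");
        System.out.println("XMLDSig provider: "
                + (xmldsig == null ? "NOT registered" : xmldsig.getInfo()));

        // 2. Can an XMLSignatureFactory be obtained? With the provider disabled this throws.
        try {
            XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
            System.out.println("XMLSignatureFactory from: " + f.getProvider().getName());
        } catch (NoSuchMechanismException e) {
            System.out.println("XMLSignatureFactory unavailable: " + e);
        }

        // 3. The keystore restriction Jenkins hits: in FIPS mode a JKS request is
        //    expected to fail with the "KeyStore must be from provider ..." message.
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            System.out.println("JKS keystore allowed, provider " + ks.getProvider().getName());
        } catch (KeyStoreException e) {
            System.out.println("JKS refused: " + e.getMessage());
        }

        // List the registered providers so the SunPKCS11-NSS-FIPS entry can be confirmed.
        for (Provider p : Security.getProviders()) {
            System.out.println("  provider: " + p.getName());
        }
    }
}
```

Run it once with the JDK's default settings and once with `-Dcom.redhat.fips=false` to see which results change with FIPS mode.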