Bug 2186647

Summary: Enable XML Signature provider in FIPS mode [rhel-9, openjdk-17]
Product: Red Hat Enterprise Linux 9
Reporter: Andrew John Hughes <ahughes>
Component: java-17-openjdk
Assignee: Andrew John Hughes <ahughes>
Status: CLOSED CURRENTRELEASE
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: unspecified
Version: 9.2
CC: jvanek, lmanasko
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: ahughes: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: java-17-openjdk-17.0.7.0.7-3.el9
Doc Type: Bug Fix
Doc Text:
.The OpenJDK XML signature provider is now functional in FIPS mode
Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support, the OpenJDK XML signature provider is now enabled in FIPS mode.
Story Points: ---
Clone Of:
Clones: 2186810 2186811 2186812
Environment:
Last Closed: 2023-06-26 15:39:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2186810, 2186811, 2186812

Description Andrew John Hughes 2023-04-14 01:43:59 UTC
This bug was initially created as a copy of Bug #2156945

I am copying this bug because: 

We need to keep RHEL 9 in sync.

This bug was initially created as a copy of Bug #1940064

I am copying this bug because: we need to fix this in OpenJDK 17 too.
When OpenJDK is configured in FIPS mode, the XML Signature provider is currently disabled, and the keystore type must be PKCS11 (/etc/pki/nssdb is used, in read-only mode).

This is not compatible with some 3rd party applications.

For example, it leads to the following error running Jenkins on RHEL in FIPS mode:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS
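A check an administrator can run to see whether a given JDK is affected by the behaviour described above. This Java program is an added example, not part of this bug report or of OpenJDK: it uses only the standard JCA/JSR 105 APIs to ask for the DOM XMLSignatureFactory mechanism, list the registered KeyStore implementations, and report the default KeyStore type. Reading the com.redhat.fips system property assumes a Red Hat FIPS-capable OpenJDK build; the program only reports that flag, it does not change the mode.

```java
// Added diagnostic example (not from the bug report or from OpenJDK itself).
// Reports whether an XMLDSig provider is reachable and which KeyStore
// implementations are registered under the JDK's current configuration.
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.NoSuchMechanismException;
import javax.xml.crypto.dsig.XMLSignatureFactory;

public class FipsXmlSigCheck {

    // True if some installed provider offers the "DOM" XMLSignatureFactory mechanism.
    static boolean xmlSignatureAvailable() {
        try {
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
            System.out.println("XMLSignatureFactory/DOM provider: " + fac.getProvider().getName());
            return true;
        } catch (NoSuchMechanismException e) {
            // This is the failure mode when the XMLDSig provider is disabled.
            System.out.println("No provider supports XMLSignatureFactory/DOM: " + e.getMessage());
            return false;
        }
    }

    // Prints the default KeyStore type and every provider that implements a KeyStore.
    static void reportKeyStores() {
        System.out.println("Default KeyStore type: " + KeyStore.getDefaultType());
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    System.out.println("  " + p.getName() + " -> KeyStore." + s.getAlgorithm());
                }
            }
        }
    }

    public static void main(String[] args) {
        // com.redhat.fips is the switch Red Hat's OpenJDK builds use for FIPS mode
        // (assumption about that build; null means the default was not overridden).
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips"));
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        reportKeyStores();
        // Non-zero exit when XML signatures cannot be created or validated,
        // so the check can be scripted into a host verification step.
        System.exit(xmlSignatureAvailable() ? 0 : 1);
    }
}
```

Run it once as-is on a FIPS-enabled host and once with -Dcom.redhat.fips=false to compare the provider and KeyStore lists in each mode; on an unfixed build the first run reports the missing XMLDSig mechanism and a PKCS11-only KeyStore set, which is the condition behind the Jenkins error quoted above.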