+++ This bug was initially created as a clone of Bug #1492781 +++ The JSS test suite fails with latest JSS, a full log can be found here: https://bot.nss-crypto.org:8011/builders/rhel6-fips-x64-DBG/builds/1461/steps/shell/logs/stdio ============= HMAC Unwrap /etc/alternatives/java_sdk_1.8.0/jre/bin/java -d64 -cp /home/tinderbox/slavedir/rhel6-fips-x64-DBG/hg/dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/../xpclass_dbg.jar org.mozilla.jss.tests.HmacTest /home/tinderbox/slavedir/rhel6-fips-x64-DBG/hg/tests_results/jss/nssfips.1 passwords main: jss library loaded JSSTEST_CASE 14 (HMAC Unwrap): FAILED return value 1 ============= KeyWrapping FIPSMODE /etc/alternatives/java_sdk_1.8.0/jre/bin/java -d64 -cp /home/tinderbox/slavedir/rhel6-fips-x64-DBG/hg/dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/../xpclass_dbg.jar org.mozilla.jss.tests.JCAKeyWrap /home/tinderbox/slavedir/rhel6-fips-x64-DBG/hg/tests_results/jss/nssfips.1 passwords main: jss library loaded ***FilePasswordCallback returns m1oZilla in Fipsmode. Wrap DESede 168 with RSA. Test DESede/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap DESede 168 with AES 128 symmetric key. Test DESede/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 128 with AES 128 symmetric key. Test AES/CBC/NoPadding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 128 with RSA. Test AES/ECB/NoPadding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap DESede 168 with AES 192 symmetric key. Test DESede/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 128 with AES 192 symmetric key. Test AES/CBC/NoPadding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 192 with RSA. Test AES/ECB/NoPadding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap DESede 168 with AES 256 symmetric key. Test DESede/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 192 with AES 256 symmetric key. Test AES/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS Wrap AES 256 with RSA. Test AES/CBC/PKCS5Padding encrypt with Mozilla-JSS decrypt Mozilla-JSS org.mozilla.jss.util.AssertionException: should not be reached: Unknown algorithm at org.mozilla.jss.util.Assert.notReached(Assert.java:51) at org.mozilla.jss.pkcs11.PK11Cipher.checkKey(PK11Cipher.java:261) at org.mozilla.jss.pkcs11.PK11Cipher.initEncrypt(PK11Cipher.java:84) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:152) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi$AES.engineInit(JSSCipherSpi.java:511) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:238) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi$AES.engineInit(JSSCipherSpi.java:511) at javax.crypto.Cipher.init(Cipher.java:1246) at javax.crypto.Cipher.init(Cipher.java:1186) at org.mozilla.jss.tests.JCAKeyWrap.testKeys(JCAKeyWrap.java:391) at org.mozilla.jss.tests.JCAKeyWrap.wrapSymetricKeyWithRSA(JCAKeyWrap.java:295) at org.mozilla.jss.tests.JCAKeyWrap.wrapSymetricKeyWithRSA(JCAKeyWrap.java:260) at org.mozilla.jss.tests.JCAKeyWrap.main(JCAKeyWrap.java:144) JSSTEST_CASE 28 (KeyWrapping FIPSMODE): FAILED return value 1
Upstream checkin: author Jack Magne <jmagne> Thu, 28 Sep 2017 16:20:50 -0700 (3 weeks ago) changeset 2206 252c10f44897 parent 2205 3e9a5ae2149d push id 77 push user edewata push date 2017-10-05 20:11 +0000 bugs 1400884 Fix: Bug 1400884 - new JSS failures: HMAC Unwrap and KeyWrapping FIPSMODE. org/mozilla/jss/pkcs11/KeyType.java file | annotate | diff | comparison | revisions --- a/org/mozilla/jss/pkcs11/KeyType.java +++ b/org/mozilla/jss/pkcs11/KeyType.java @@ -199,19 +199,17 @@ public final class KeyType { KeyWrapAlgorithm.AES_KEY_WRAP, KeyWrapAlgorithm.AES_KEY_WRAP_PAD, EncryptionAlgorithm.AES_128_ECB, EncryptionAlgorithm.AES_128_CBC, EncryptionAlgorithm.AES_192_ECB, EncryptionAlgorithm.AES_192_CBC, EncryptionAlgorithm.AES_256_ECB, EncryptionAlgorithm.AES_256_CBC, - /* AES CBC PAD is the same as AES_256_CBC_PAD */ - /* shouldn't break backward compatibility 313798*/ - //EncryptionAlgorithm.AES_CBC_PAD, + EncryptionAlgorithm.AES_CBC_PAD, EncryptionAlgorithm.AES_128_CBC_PAD, EncryptionAlgorithm.AES_192_CBC_PAD, EncryptionAlgorithm.AES_256_CBC_PAD }, "AES" ); //////////////////////////////////////////////////////////////
[root@auto-hv-01-guest02 ~]# rpm -qi jss Name : jss Version : 4.4.0 Release : 9.el7_4 Architecture: x86_64 Install Date: Tue 14 Nov 2017 08:14:44 PM EST Group : System Environment/Libraries Size : 1029605 License : MPLv1.1 or GPLv2+ or LGPLv2+ Signature : RSA/SHA256, Fri 27 Oct 2017 02:50:00 PM EDT, Key ID 199e2f91fd431d51 Source RPM : jss-4.4.0-9.el7_4.src.rpm Build Date : Fri 27 Oct 2017 02:34:31 PM EDT Build Host : x86-039.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://www.mozilla.org/projects/security/pki/jss/ Summary : Java Security Services (JSS) Sanity testing using smartcards.
Accidently marked the bug verified, moving back to ON_QA
[root@nocp1 certdb]# rpm -qi jss Name : jss Version : 4.4.0 Release : 10.el7 Architecture: x86_64 Install Date: Tue 28 Nov 2017 02:30:31 PM EST Group : System Environment/Libraries Size : 1029659 License : MPLv1.1 or GPLv2+ or LGPLv2+ Signature : RSA/SHA256, Wed 01 Nov 2017 02:37:50 PM EDT, Key ID 199e2f91fd431d51 Source RPM : jss-4.4.0-10.el7.src.rpm Build Date : Wed 01 Nov 2017 02:19:14 PM EDT Build Host : x86-020.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://www.mozilla.org/projects/security/pki/jss/ Summary : Java Security Services (JSS) Sanity testing using smartcards.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0958