Bug 1750752 - Crypto provider not installed: SunPKCS11 - in FIPS mode
Summary: Crypto provider not installed: SunPKCS11 - in FIPS mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Andrew John Hughes
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On:
Blocks: 1760838 1818909
Reported: 2019-09-10 12:24 UTC by Ondrej Moriš
Modified: 2021-09-03 15:18 UTC
CC List: 10 users

Fixed In Version: java-1.8.0-openjdk-1.8.0.222.b10-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-20 16:54:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
RH1750752 patch v0 (689 bytes, patch), 2019-09-12 18:15 UTC, Martin Balao

Description Ondrej Moriš 2019-09-10 12:24:54 UTC
Description of problem:

When FIPS mode is enabled and our OCSP provider [1], written in Java, is used, we get the following error (see below for the complete traceback):

java.security.ProviderException: Crypto provider not installed: SunPKCS11

The problem happens only when FIPS crypto-policy is applied. We did not change anything in java.security, nss.cfg or nss.fips.cfg. They seem to be configured properly.

[1] http://download.eng.bos.redhat.com/qa/rhts/lookaside/ocspsrvd/ocspsrvd.jar

Version-Release number of selected component (if applicable):

java-1.8.0-openjdk-1.8.0.222.b10-2.el8

How reproducible:

100% in FIPS mode

Steps to Reproduce:

0. Set FIPS crypto-policy.
1. Download ocspsrvd.jar from [1].
2. Generate a CA key pair.
3. Execute
java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1

Actual results:

java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1
Exception in thread "main" java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.security.ProviderException: Crypto provider not installed: SunPKCS11
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
	at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
	at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
	at java.security.Security.insertProviderAt(Security.java:375)
	at java.security.Security.addProvider(Security.java:418)
	at com.redhat.ocspsrvd.OCSPServd.main(OCSPServd.java:77)
	... 5 more

Expected results:

java -jar ocspsrvd.jar -s SHA256withRSA -k certs/ca_key.key -c certs/ca_cert.pem -p 4242 -t GOOD 2>&1
OCSPsrvd started on 0.0.0.0:4242

Additional info:

It is possible that this is just a configuration issue. If so, please let me know how to modify configuration and feel free to close the bug.

Comment 2 Martin Balao 2019-09-11 02:38:21 UTC
This is a bug apparently affecting the java-1.8.0-openjdk package.

Candidate fix:

diff --git a/openjdk/jdk/src/share/lib/security/java.security-linux b/openjdk/jdk/src/share/lib/security/java.security-linux
index 24f2a6e..6f5d4ec 100644
--- a/openjdk/jdk/src/share/lib/security/java.security-linux
+++ b/openjdk/jdk/src/share/lib/security/java.security-linux
@@ -82,7 +82,7 @@ security.provider.9=sun.security.smartcardio.SunPCSC
 fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
 fips.provider.2=sun.security.provider.Sun
 fips.provider.3=sun.security.ec.SunEC
-fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
 
 #
 # Sun Provider SecureRandom seed source.
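Review bot: the new value "SunPKCS11-NSS" on the fips.provider.4 line hard-codes a name that is not defined in this file: the SunPKCS11 provider loaded by fips.provider.1 registers itself as "SunPKCS11-" followed by the "name" attribute of the nss.fips.cfg it is given, and com.sun.net.ssl.internal.ssl.Provider looks the provider up by the exact string passed to it, which is why the lookup of plain "SunPKCS11" fails at SunJSSE.java:142 with "Crypto provider not installed". The change makes the two lines agree today, but the coupling lives across two files with nothing in this one saying so. Suggest a comment directly above fips.provider.4, e.g. "# Must be SunPKCS11-<name>, where <name> is the 'name' attribute in nss.fips.cfg", so that a later edit to nss.fips.cfg does not silently reintroduce this failure.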


I still need to figure out why java-11-openjdk is apparently not affected and do some more testing. Keep you posted.

Thanks,
Martin.-

Comment 3 Martin Balao 2019-09-11 20:37:53 UTC
I can now confirm that:

1) java-1.8.0-openjdk and java-11-openjdk RHEL 8.1.0 builds are both affected by this bug

2) The fix proposed in comment:2 works for java-1.8.0-openjdk. A similar one is required for java-11-openjdk.

3) java-11-openjdk build is also affected by a bug in the upstream code, for which I have a candidate fix. I'll open a followup ticket in OpenJDK's JIRA.

4) ocspsrvd.jar is apparently not suitable to be run in RHEL's FIPS configuration because it uses external security providers such as bouncycastle. If you need to run it anyway, set the system/security property to disable OpenJDK's alignment with the system global policy. These properties are "java.security.disableSystemPropertiesFile" and "security.useSystemPropertiesFile".

I'll proceed with followup tickets and patches.

Thanks,
Martin.-
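
The candidate fix in comment 2 and its confirmation in comment 3 come down to one string in java.security having to match a string in a different file. The following script is an added example, not code from this bug or from the OpenJDK package: it checks that the argument on the com.sun.net.ssl.internal.ssl.Provider line of the fips.provider list equals "SunPKCS11-" plus the "name" attribute of the nss.fips.cfg that the SunPKCS11 line points at. The two java.security fragments and the nss.fips.cfg it reads are constructed inline (with name = NSS, matching the patch) so that it runs offline; on a real host you would point it at ${java.home}/lib/security/java.security and nss.fips.cfg instead.

```shell
#!/bin/sh
# Added example (not from the bug report or the OpenJDK package).
# SunPKCS11 registers itself as "SunPKCS11-<name>", where <name> is the
# "name" attribute of the config file named on its fips.provider line.
# SunJSSE (com.sun.net.ssl.internal.ssl.Provider) looks that provider up
# by the exact string it is given and throws "Crypto provider not
# installed" when the lookup fails, which is the error in this bug.
set -eu

# Prints "<expected> <configured>" and returns 0 only if the two agree.
check_fips_provider_names() {
    java_security="$1"
    nss_cfg="$2"
    # Name SunPKCS11 will register under, derived from the nss config.
    nss_name=$(sed -n 's/^[[:space:]]*name[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$nss_cfg" | head -n 1)
    expected="SunPKCS11-${nss_name}"
    # Name SunJSSE has been told to look up on its fips.provider line.
    configured=$(sed -n 's/^fips\.provider\.[0-9][0-9]*=com\.sun\.net\.ssl\.internal\.ssl\.Provider[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$java_security" | head -n 1)
    printf '%s %s\n' "$expected" "$configured"
    [ "$expected" = "$configured" ]
}

# Constructed sample inputs; contents are illustrative, not the shipped files.
WORK=$(mktemp -d)
NSS_CFG="$WORK/nss.fips.cfg"
BROKEN="$WORK/java.security.before"
FIXED="$WORK/java.security.after"

cat > "$NSS_CFG" <<'EOF'
name = NSS
nssLibraryDirectory = /usr/lib64
nssModule = fips
EOF

# fips.provider list as shipped in java-1.8.0-openjdk-1.8.0.222.b10-2.el8
cat > "$BROKEN" <<'EOF'
fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
fips.provider.2=sun.security.provider.Sun
fips.provider.3=sun.security.ec.SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11
EOF

# Same list with the candidate fix from comment 2 applied
sed 's/Provider SunPKCS11$/Provider SunPKCS11-NSS/' "$BROKEN" > "$FIXED"

if check_fips_provider_names "$BROKEN" "$NSS_CFG"; then
    echo "before: names agree (unexpected)"
else
    echo "before: mismatch, SunJSSE would fail with 'Crypto provider not installed'"
fi

# Exits non-zero under set -e if the patched list is still inconsistent.
check_fips_provider_names "$FIXED" "$NSS_CFG"
echo "after: names agree"
```

The same check is worth running after any edit to nss.fips.cfg, since changing its name attribute breaks the SunJSSE line again even though java.security itself was not touched.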

Comment 4 Ondrej Moriš 2019-09-12 07:33:38 UTC
Martin, thanks a lot for quick analysis.

Comment 6 Martin Balao 2019-09-12 18:15:00 UTC
Created attachment 1614619
RH1750752 patch v0

Comment 7 Martin Balao 2019-09-12 18:20:47 UTC
I've attached "RH1750752 patch v0" to fix this issue in java-1.8.0-openjdk.
