1780335 – FIPS mode Provider refuses to load pk11-kit-trust

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1780335 - FIPS mode Provider refuses to load pk11-kit-trust

Summary: FIPS mode Provider refuses to load pk11-kit-trust

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	java-1.8.0-openjdk
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Martin Balao
QA Contact:	OpenJDK QA
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1760850 1818900
TreeView+	depends on / blocked

Reported:	2019-12-05 17:29 UTC by Alex Scheel
Modified:	2020-11-04 02:43 UTC (History)
CC List:	5 users (show)
Fixed In Version:	java-1.8.0-openjdk-1.8.0.262.b01-0.1.ea.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1818900 (view as bug list)
Environment:
Last Closed:	2020-11-04 02:43:27 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
openjdk bug system	JDK-8238555	0	None	None	None	2020-02-05 15:54:47 UTC

Description Alex Scheel 2019-12-05 17:29:31 UTC

Description of problem:

When running in fips mode (-Dcom.redhat.fips=true), if the NSS DB specified in the nss.fips.cfg under the nssSecmodDirectory has p11-kit-trust module explicitly added to it, the JDK will fail to start and give a stack trace when trying to load the PKCS11 keystore. 

Version-Release number of selected component (if applicable):

[root@localhost CliServ]# rpm -qa | grep -i openjdk
java-1.8.0-openjdk-headless-1.8.0.232.b09-3.el8.x86_64
java-1.8.0-openjdk-devel-1.8.0.232.b09-3.el8.x86_64
java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64


How reproducible:

Very


Steps to Reproduce:
1. Create a new nssdb and load p11-kit-trust into it: 
   mkdir /nssdb
   echo nss.SECret.123 > /nssdb/password.txt
   certutil -N -d /nssdb -f /nssdb/password.txt
   modutil -dbdir /nssdb -add p11-kit-trust -libfile /usr/share/pki/lib/p11-kit-trust.so -force
   touch /nssdb/secmod.db # workaround for rhbz#1760437
2. Modify nss.fips.cfg to point to /nssdb
3. Run a sample program:

[root@localhost CliServ]# cat Main.java
import java.io.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;

class Main {
	public static String db_password = "nss.SECret.123";

	public static void main(String[] args) throws Exception {
		if (args.length != 1) {
			System.out.println("Usage: java Main password-for-nssdb");
			System.exit(1);
		}

		KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-NSS-FIPS");
		ks.load(null, args[0].toCharArray());

		System.out.println("All known SunJSSE.PKCS12 aliases:");
		for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
			System.out.println(" - " + e.nextElement());
		}
		System.out.println();
	}
}
[root@localhost CliServ]# javac Main.java && java -Djava.security.debug=all -Dcom.redhat.fips=true Main nss.SECret.123


Actual results:

Fails with stack trace:

Provider: Set SUN provider property [CertStore.com.sun.security.IndexedCollection ImplementedIn/Software]
ProviderConfig: Loaded provider SUN version 1.8
ProviderConfig: Loading provider: sun.security.ec.SunEC
scl:  getPermissions ProtectionDomain  (file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/ext/sunec.jar <no signer certificates>)
 sun.misc.Launcher$ExtClassLoader@55f96302
 <no principals>
 java.security.Permissions@3cd1a2f1 (
 ("java.io.FilePermission" "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/ext/sunec.jar" "read")
)


scl: 
Provider: Set SunEC provider property [KeyFactory.EC/sun.security.ec.ECKeyFactory]
Provider: Set SunEC provider property [Alg.Alias.KeyFactory.EllipticCurve/EC]
Provider: Set SunEC provider property [KeyFactory.EC ImplementedIn/Software]
Provider: Set SunEC provider property [AlgorithmParameters.EC/sun.security.ec.ECParameters]
Provider: Set SunEC provider property [Alg.Alias.AlgorithmParameters.EllipticCurve/EC]
Provider: Set SunEC provider property [Alg.Alias.AlgorithmParameters.1.2.840.10045.2.1/EC]
Provider: Set SunEC provider property [AlgorithmParameters.EC KeySize/256]
Provider: Set SunEC provider property [AlgorithmParameters.EC ImplementedIn/Software]
Provider: Set SunEC provider property [AlgorithmParameters.EC SupportedCurves/[secp256r1,NIST P-256,X9.62 prime256v1,1.2.840.10045.3.1.7]|[secp384r1,NIST P-384,1.3.132.0.34]|[secp521r1,NIST P-521,1.3.132.0.35]]
Provider: Set SunEC provider property [Signature.NONEwithECDSA/sun.security.ec.ECDSASignature$Raw]
Provider: Set SunEC provider property [Signature.SHA1withECDSA/sun.security.ec.ECDSASignature$SHA1]
Provider: Set SunEC provider property [Alg.Alias.Signature.OID.1.2.840.10045.4.1/SHA1withECDSA]
Provider: Set SunEC provider property [Alg.Alias.Signature.1.2.840.10045.4.1/SHA1withECDSA]
Provider: Set SunEC provider property [Signature.SHA224withECDSA/sun.security.ec.ECDSASignature$SHA224]
Provider: Set SunEC provider property [Alg.Alias.Signature.OID.1.2.840.10045.4.3.1/SHA224withECDSA]
Provider: Set SunEC provider property [Alg.Alias.Signature.1.2.840.10045.4.3.1/SHA224withECDSA]
Provider: Set SunEC provider property [Signature.SHA256withECDSA/sun.security.ec.ECDSASignature$SHA256]
Provider: Set SunEC provider property [Alg.Alias.Signature.OID.1.2.840.10045.4.3.2/SHA256withECDSA]
Provider: Set SunEC provider property [Alg.Alias.Signature.1.2.840.10045.4.3.2/SHA256withECDSA]
Provider: Set SunEC provider property [Signature.SHA384withECDSA/sun.security.ec.ECDSASignature$SHA384]
Provider: Set SunEC provider property [Alg.Alias.Signature.OID.1.2.840.10045.4.3.3/SHA384withECDSA]
Provider: Set SunEC provider property [Alg.Alias.Signature.1.2.840.10045.4.3.3/SHA384withECDSA]
Provider: Set SunEC provider property [Signature.SHA512withECDSA/sun.security.ec.ECDSASignature$SHA512]
Provider: Set SunEC provider property [Alg.Alias.Signature.OID.1.2.840.10045.4.3.4/SHA512withECDSA]
Provider: Set SunEC provider property [Alg.Alias.Signature.1.2.840.10045.4.3.4/SHA512withECDSA]
Provider: Set SunEC provider property [Signature.NONEwithECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA1withECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA224withECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA256withECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA384withECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA512withECDSA SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [Signature.SHA1withECDSA KeySize/256]
Provider: Set SunEC provider property [Signature.NONEwithECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [Signature.SHA1withECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [Signature.SHA224withECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [Signature.SHA256withECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [Signature.SHA384withECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [Signature.SHA512withECDSA ImplementedIn/Software]
Provider: Set SunEC provider property [KeyPairGenerator.EC/sun.security.ec.ECKeyPairGenerator]
Provider: Set SunEC provider property [Alg.Alias.KeyPairGenerator.EllipticCurve/EC]
Provider: Set SunEC provider property [KeyPairGenerator.EC KeySize/256]
Provider: Set SunEC provider property [KeyPairGenerator.EC ImplementedIn/Software]
Provider: Set SunEC provider property [KeyAgreement.ECDH/sun.security.ec.ECDHKeyAgreement]
Provider: Set SunEC provider property [KeyAgreement.ECDH SupportedKeyClasses/java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey]
Provider: Set SunEC provider property [KeyAgreement.ECDH ImplementedIn/Software]
ProviderConfig: Loaded provider SunEC version 1.8
ProviderConfig: Loading provider: com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
ProviderConfig: Loading provider: sun.security.pkcs11.SunPKCS11('/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg')
SunPKCS11 loading /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg
ProviderConfig: Error loading provider sun.security.pkcs11.SunPKCS11('/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-3.el8.x86_64/jre/lib/security/nss.fips.cfg')
java.lang.RuntimeException: FIPS flag set for non-internal module: /usr/share/pki/lib/p11-kit-trust.so, p11-kit-trust
	at sun.security.pkcs11.Secmod$Module.<init>(Secmod.java:408)
	at sun.security.pkcs11.Secmod.nssGetModuleList(Native Method)
	at sun.security.pkcs11.Secmod.getModules(Secmod.java:248)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:225)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at java.security.Security.getProvider(Security.java:483)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:140)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)
ProviderConfig: Recursion loading provider: com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
java.lang.Exception: Call trace
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:180)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at java.security.Security.getProvider(Security.java:483)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:140)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)
ProviderConfig: Error loading provider com.sun.net.ssl.internal.ssl.Provider('SunPKCS11-NSS-FIPS')
java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)
Exception in thread "main" java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:263)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:247)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:253)
	at sun.security.jca.GetInstance.getService(GetInstance.java:81)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
	at java.security.Security.getImpl(Security.java:713)
	at java.security.KeyStore.getInstance(KeyStore.java:896)
	at Main.main(Main.java:15)


Expected results:


Should succeed.

Additional info:

p11-kit-trust is a required module for letting NSS access the system trust store. Without this application owners are required to export the system trust store certificates and import them into the NSS DB manually, losing system updates.

Comment 1 Alex Scheel 2019-12-05 17:32:15 UTC

Note that p11-kit-trust can be removed from the NSS DB:

[root@localhost ~]#  modutil -dbdir /nssdb -delete p11-kit-trust

After which, the test will succeed:

Provider: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS-FIPS
Killing session (sun.security.pkcs11.P11Digest.engineReset(P11Digest.java:145)) active: 3
Provider: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS-FIPS
Killing session (sun.security.pkcs11.P11Digest.engineReset(P11Digest.java:145)) active: 3
Token Alias Map:
  localhost	type=[private key]
	label=[localhost]
	id=0xd4b9ef47ebeb5414c277c068dc94459328422185
	trusted=[false]
	matched=[true]
	cert=[	subject: CN=localhost, O=CIPHERBOY
		issuer: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY
		serialNum: 20878]
  CA Root	type=[private key]
	label=[CA Root]
	id=0x9af25882bf3ef65f07bc9034dd87081ed34b3216
	trusted=[false]
	matched=[true]
	cert=[	subject: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY
		issuer: CN=CA Root Certificate, OU=pki-tomcat, O=CIPHERBOY
		serialNum: 28335]
All known SunJSSE.PKCS12 aliases:
 - localhost
 - CA Root

Comment 2 Martin Balao 2019-12-18 15:50:26 UTC

Yes, OpenJDK explicitly checks that no module other than the software token is in NSSDB when configured in FIPS mode: http://hg.openjdk.java.net/jdk/jdk/file/b2aca65cc099/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java#l417

This check has been there since the initial revision. I'm not sure of the rationale though. I wonder if we are able to initialize NSS in FIPS mode using an NSSDB with external modules. I can further investigate this.

Comment 3 Martin Balao 2019-12-20 23:05:21 UTC

Hello Alex,

I've been investigating a bit deeper into this issue and want to make some notes -which will hopefully clarify my initial comment in this ticket-.

NSS represents modules internally with a "struct SECMODModuleStr" object. In particular, there is a isFIPS member [1] which is initialized with PR_FALSE by default [2]. The only code line that may change the value of isFIPS to PR_TRUE is here [3], and depends on the existence of a "FIPS" flag in the spec. This isFIPS value gets passed to OpenJDK as the "fips" variable and is used here [4] to check whether or not the module is allowed. What OpenJDK does not allow is the existence of a module that has isFIPS = true but is different than the internal software token. That means that if there is a module (say p11-kit-trust) which has isFIPS = false, there shouldn't be any problems.

I could not reproduce this issue yet.

My NSSDB has:

[martin@vmhost test]$ modutil -dbdir /home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal FIPS PKCS #11 Module
	 slots: 1 slot attached
	status: loaded

	 slot: NSS FIPS 140-2 User Private Key Services
	token: NSS FIPS 140-2 Certificate DB

  2. p11-kit-trust
	library name: /usr/lib64/p11-kit-trust.so
	 slots: 2 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust
-----------------------------------------------------------

It's FIPS enabled:

[martin@vmhost test]$ modutil -dbdir /home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb -chkfips true
FIPS mode enabled.

The spec for #1 module is:

" name=\"NSS Internal FIPS PKCS #11 Module\" parameters=\"configdir='/home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' \" NSS=\"  slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM ] }  Flags=internal,FIPS,critical\""

And the SECMODModule module for #1 is:

(gdb) print *((*((*(SECMODModuleList*)0x7f59c13b94e0).next)).module)
$8 = {arena = 0x7f59b826d8d0, internal = 3, loaded = 1, isFIPS = 1, dllName = 0x0, commonName = 0x7f59b8271e78 "NSS Internal FIPS PKCS #11 Module", library = 0x0, functionList = 0x7f59c0815420, refLock = 0x7f59b8271fa0, refCount = 2, slots = 0x7f59b82720b0, slotCount = 1, slotInfo = 0x7f59b8272070, slotInfoCount = 0, moduleID = 1, isThreadSafe = 1, ssl = {0, 0}, libraryParams = 0x7f59b8271ea0 "configdir='/home/martin/redhat/java/openjdk/workspace/rhel_8_fips/fips/test/src/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' "..., moduleDBFunc = 0x0, parent = 0x7f59b826d630, isCritical = 1, isModuleDB = 0, moduleDBOnly = 0, trustOrder = 50, cipherOrder = 0, evControlMask = 0, cryptokiVersion = {major = 2 '\002', minor = 20 '\024'}}

The spec for #2 module is:

"library=/usr/lib64/p11-kit-trust.so name=p11-kit-trust  NSS=\"trustOrder=100    \""

And the SECMODModule module for #2 is:

(gdb) print *((*((*((*(SECMODModuleList*)0x7f59c13b94e0).next)).next)).module)
$11 = {arena = 0x7f59b8293560, internal = 0, loaded = 1, isFIPS = 0, dllName = 0x7f59b8293758 "/usr/lib64/p11-kit-trust.so", commonName = 0x7f59b8293748 "p11-kit-trust", library = 0x7f59b8293530, functionList = 0x7f599a4f9020, refLock = 0x7f59b8293870, refCount = 1, slots = 0x7f59b8293778, slotCount = 2, slotInfo = 0x7f59b82937c8, slotInfoCount = 0, moduleID = 2, isThreadSafe = 1, ssl = {0, 0}, libraryParams = 0x0, moduleDBFunc = 0x0, parent = 0x7f59b826d630, isCritical = 0, isModuleDB = 0, moduleDBOnly = 0, trustOrder = 100, cipherOrder = 0, evControlMask = 0, cryptokiVersion = {major = 2 '\002', minor = 20 '\024'}}

Looks to me that your spec for p11-kit-trust (#2 in my case) has the "FIPS" flag in it. Is this correct? Is it required for you?

Beyond that, and assuming that you are able to initialize SunPKCS11-NSS-FIPS with the NSSDB you want, do you need access from OpenJDK to p11-kit-trust module?

Thanks,
Martin.-

--
[1] - https://github.com/nss-dev/nss/blob/c1ff439ca931f53c318e7381636ed5889b3d66f1/lib/pk11wrap/secmodt.h#L49
[2] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L49
[3] - https://github.com/nss-dev/nss/blob/a141cd68ece76118aebf8033c06d46a3692b55fe/lib/pk11wrap/pk11pars.c#L819
[4] - http://hg.openjdk.java.net/jdk/jdk/file/b2aca65cc099/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java#l417
[5] - http://hg.openjdk.java.net/jdk/jdk/file/f93bd058a4ce/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java#l235

Comment 4 Martin Balao 2019-12-20 23:14:53 UTC

Update:

I've just realized that newer NSS versions have a secmod_GetSystemFIPSEnabled function, introduced by 1531267 [1] [2].

As a result, all modules have isFIPS = PR_TRUE when global FIPS in enabled in the system; you don't need a "FIPS" flag in your p11-kit-trust spec (and you don't probably have it).

I'll investigate what happens if we remove the check from OpenJDK. Keep you posted.

--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1531267
[2] - https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a

Comment 5 Martin Balao 2019-12-21 01:19:05 UTC

(In reply to mbalao from comment #4)
> 
> I'll investigate what happens if we remove the check from OpenJDK. Keep you
> posted.
> 

I've done a quick test removing the check but couldn't notice anything in my testing environment, so I raised the discussion in upstream [1].

--
[1] - https://mail.openjdk.java.net/pipermail/security-dev/2019-December/021077.html

Comment 19 errata-xmlrpc 2020-11-04 02:43:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4656

Note You need to log in before you can comment on or make changes to this bug.