1908876 – Crypto provider not installed: SunPKCS11-NSS-FIPS

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1908876 - Crypto provider not installed: SunPKCS11-NSS-FIPS

Summary: Crypto provider not installed: SunPKCS11-NSS-FIPS

Keywords:
Status:	CLOSED DUPLICATE of bug 1759335
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	java-1.8.0-openjdk
Sub Component:
Version:	8.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Martin Balao
QA Contact:	OpenJDK QA
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-17 19:04 UTC by Paulo Andrade
Modified:	2024-03-25 17:37 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-04-08 22:02:39 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Paulo Andrade 2020-12-17 19:04:34 UTC

Should be related to bz#1750752, and user is running an openjdk that
should have the fix.

Example command line:

keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore

and java output:

java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS-FIPS
        at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:146)
        at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:127)
        at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
        at sun.security.jca.ProviderList.getService(ProviderList.java:331)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:710)
        at java.security.KeyStore.getInstance(KeyStore.java:848)
        at sun.security.tools.keytool.Main.doCommands(Main.java:800)
        at sun.security.tools.keytool.Main.run(Main.java:370)
        at sun.security.tools.keytool.Main.main(Main.java:363)

Comment 1 Saurabh Sharma 2020-12-22 05:06:30 UTC

User has a query requesting help with query to create a custom Global Crypto Provider that encompasses all of FIPS, except Java for the short term.

Experts,

Could someone please advice on how to address the customer request ?

Comment 2 Patrick Del Bello 2021-01-07 19:20:10 UTC

Hi team,

Is there any updates about this? I think we have 2 cases where customers are experiencing this issue with both Java 8 275 and Java 11

Comment 3 Andrew John Hughes 2021-01-09 03:11:25 UTC

I see a different failure:

$ /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore
keytool error: java.security.ProviderException: NSS module not available: fips
java.security.ProviderException: NSS module not available: fips
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:283)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
	at sun.security.jca.ProviderList.getService(ProviderList.java:331)
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
	at java.security.Security.getImpl(Security.java:710)
	at java.security.KeyStore.getInstance(KeyStore.java:848)
	at sun.security.tools.keytool.Main.doCommands(Main.java:800)
	at sun.security.tools.keytool.Main.run(Main.java:370)
	at sun.security.tools.keytool.Main.main(Main.java:363)

This is with /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64 (apparently latest available here...)

Assigning to Martin to investigate.

Comment 5 Martin Balao 2021-01-12 17:34:59 UTC

The error I see is different:

[test@vmrheltarget tmp]$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.3 (Ootpa)

[test@vmrheltarget tmp]$ fips-mode-setup --check
FIPS mode is enabled.

[test@vmrheltarget tmp]$ echo $JAVA_HOME
/lib/jvm/java-1.8.0-openjdk

[test@vmrheltarget tmp]$ $JAVA_HOME/bin/java -version
openjdk version "1.8.0_275-debug"
OpenJDK Runtime Environment (build 1.8.0_275-debug-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01-debug, mixed mode)

[test@vmrheltarget tmp]$ $JAVA_HOME/bin/keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Example Company, ou=Example Company, o=Example Company, c=US"  -keypass ExamplePassword$ -storepass ExamplePassword$ -keystore my.keystore
Generating 4,096 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
	for: CN=myproject, OU=Devices, OU=Example Company, OU=Example Company, O=Example Company, C=US
keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
	at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
	at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:577)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1782)
	at sun.security.tools.keytool.Main.doCommands(Main.java:1013)
	at sun.security.tools.keytool.Main.run(Main.java:370)
	at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.lang.NullPointerException
	at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:603)
	... 6 more

This error is caused by a know bug. See:

 * https://bugzilla.redhat.com/show_bug.cgi?id=1915071
 * https://bugzilla.redhat.com/show_bug.cgi?id=1906862


@Paulo: can you please try on 8u275? In case it fails again with the same error you got before, can you please list all installed security providers? (Security.getProviders()).

Comment 6 Paulo Andrade 2021-01-18 12:42:24 UTC

Just tested a plain rhel-8.3 vm. Setting fips mode and rebooting,
when updating to latest java-1.8.0-openjdk from brew I see:

warning: /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs created as /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew
warning: /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security created as /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew
restored /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs
restored /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security
mv: cannot stat '/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew': No such file or directory
FAILED to restore /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/blacklisted.certs
mv: cannot stat '/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew': No such file or directory
FAILED to restore /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security.rpmnew to /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.275.b01-2.el8_3.x86_64/lib/security/java.security

and then the same failure pattern as in comment #3

As commented in support case 02821277, adding "-J-Dcom.redhat.fips=false"
to the command line corrects the issue.

Note You need to log in before you can comment on or make changes to this bug.