Bug 2019555 - nss.fips.cfg needs sql: prefix
Summary: nss.fips.cfg needs sql: prefix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: java-11-openjdk
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Severin Gehwolf
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-02 19:50 UTC by Severin Gehwolf
Modified: 2021-11-11 01:19 UTC (History)

Fixed In Version: java-11-openjdk-11.0.13.0.8-2.fc35
Clone Of:
Environment:
Last Closed: 2021-11-11 01:19:02 UTC
Type: Bug
Embargoed:


Attachments
ListProviders.java (1.01 KB, text/plain) - 2021-11-02 19:50 UTC, Severin Gehwolf
ListProviders8.java (1017 bytes, text/plain) - 2021-11-03 10:54 UTC, Severin Gehwolf
ListProviders17.java (1.02 KB, text/plain) - 2021-11-03 10:55 UTC, Severin Gehwolf

Description Severin Gehwolf 2021-11-02 19:50:35 UTC
Created attachment 1839356 [details]
ListProviders.java

Description of problem:
When in FIPS mode on F35 initialization of the SunPKCS11 provider fails. This makes java unusable.

Version-Release number of selected component (if applicable):
java-11-openjdk-headless-11.0.13.0.8-1.fc35.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install java-11-openjdk-headless
2. Move to FIPS mode via 'fips-mode-setup --enable'
3. Reboot
4. Run the reproducer, ListProviders.java
   $ java --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED ListProviders

Actual results:
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:245)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:140)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:137)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:137)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:251)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:242)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:242)
        at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:222)
        at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:315)
        at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:332)
        at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:174)
        at java.base/java.security.Security.getProviders(Security.java:487)
        at ListProviders.main(ListProviders.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
        at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:240)
        ... 14 more

Expected results:
FIPS: yes
Number of providers: 4
SunPKCS11-NSS-FIPS 11.0
sun.security.pkcs11.SunPKCS11
SUN 11.0
sun.security.provider.Sun
SunEC 11.0
sun.security.ec.SunEC
SunJSSE 11.0
com.sun.net.ssl.internal.ssl.Provider


Additional info:

Adding the 'sql:' prefix to nss.fips.cfg fixes the problem:

$ cat /etc/java/java-11-openjdk/java-11-openjdk-11.0.13.0.8-1.fc35.x86_64/conf/security/nss.fips.cfg
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

Comment 1 Severin Gehwolf 2021-11-02 19:55:41 UTC
Default package installation of java-11-openjdk-headless is:

$ cat /etc/java/java-11-openjdk/java-11-openjdk-11.0.13.0.8-1.fc35.x86_64/conf/security/nss.fips.cfg
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
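
As an added example (not the ListProviders reproducer attached to this bug and not OpenJDK code), a small Python check that parses an nss.fips.cfg in the `key = value` form shown above and compares the `nssSecmodDirectory` prefix with the NSS database files actually present in that directory. It relies on the standard NSS file names for the two database formats (legacy DBM: cert8.db, key3.db, secmod.db; SQLite: cert9.db, key4.db, pkcs11.txt) and on the behaviour visible in the stack traces in this report, where a directory without a prefix is opened as DBM and secmod.db is looked up. The two sample configs and the F35-style directory listing are constructed from the report; the `dbm:` prefix handling is an assumption about what the config may contain, not something the report shows.

```python
"""Lint an OpenJDK nss.fips.cfg for the NSS database-format mismatch from this bug.

Added example, not the bug's reproducer or OpenJDK code. An nssSecmodDirectory
value with no 'sql:' prefix is opened as a legacy DBM database (SunPKCS11 then
looks for secmod.db, as the FileNotFoundException in the report shows); the
SQLite format used by current NSS has no secmod.db, so the provider fails.
"""
import os
from typing import Dict, List, Set, Tuple

# Standard NSS database file names for each storage format.
LEGACY_DB_FILES = {"cert8.db", "key3.db", "secmod.db"}
SQL_DB_FILES = {"cert9.db", "key4.db", "pkcs11.txt"}


def parse_nss_cfg(text: str) -> Dict[str, str]:
    """Parse SunPKCS11 'name = value' lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def split_secmod_dir(value: str) -> Tuple[str, str]:
    """Return (format, path) for an nssSecmodDirectory value.

    No prefix means the legacy DBM format (assumption: 'dbm:' may also appear
    explicitly; the report itself only shows the bare path and 'sql:').
    """
    for prefix in ("sql:", "dbm:"):
        if value.startswith(prefix):
            return prefix[:-1], value[len(prefix):]
    return "dbm", value


def detect_db_format(filenames: Set[str]) -> str:
    """Classify an NSS database directory by the files it contains."""
    has_legacy = bool(filenames & LEGACY_DB_FILES)
    has_sql = bool(filenames & SQL_DB_FILES)
    if has_legacy and has_sql:
        return "both"   # e.g. an F34-style directory that still ships secmod.db
    if has_sql:
        return "sql"
    if has_legacy:
        return "dbm"
    return "none"


def check_cfg(cfg_text: str, db_files: Set[str]) -> List[str]:
    """Return findings for the config against a directory listing ([] == consistent)."""
    cfg = parse_nss_cfg(cfg_text)
    secmod = cfg.get("nssSecmodDirectory")
    if secmod is None:
        return ["nssSecmodDirectory is not set"]
    fmt, path = split_secmod_dir(secmod)
    on_disk = detect_db_format(db_files)
    findings: List[str] = []
    if fmt == "dbm" and on_disk == "sql":
        findings.append(
            f"nssSecmodDirectory={secmod!r} lacks the 'sql:' prefix but {path} holds "
            "only an SQLite database: SunPKCS11 will fail looking for secmod.db"
        )
    elif fmt == "sql" and on_disk == "dbm":
        findings.append(f"'sql:' prefix set but {path} holds only a legacy DBM database")
    elif on_disk == "none":
        findings.append(f"no NSS database files found in {path}")
    if cfg.get("nssModule") != "fips":
        findings.append("nssModule is not 'fips'; the provider will not expose the FIPS token")
    return findings


def check_cfg_on_disk(cfg_path: str) -> List[str]:
    """Convenience wrapper that reads the config and the real directory on a host."""
    with open(cfg_path) as fh:
        text = fh.read()
    _, path = split_secmod_dir(parse_nss_cfg(text).get("nssSecmodDirectory", ""))
    files = set(os.listdir(path)) if os.path.isdir(path) else set()
    return check_cfg(text, files)


# Constructed inputs: the two configs quoted in this report.
DEFAULT_CFG = """name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
"""
FIXED_CFG = DEFAULT_CFG.replace("nssSecmodDirectory = /etc/pki/nssdb",
                                "nssSecmodDirectory = sql:/etc/pki/nssdb")
# Constructed: an F35-style /etc/pki/nssdb with only the SQLite files.
F35_NSSDB = {"cert9.db", "key4.db", "pkcs11.txt"}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CFG), ("with sql: prefix", FIXED_CFG)):
        print(f"{label}: {check_cfg(cfg, F35_NSSDB) or ['ok']}")
```

On a real host, `check_cfg_on_disk("/etc/java/java-11-openjdk/<version>/conf/security/nss.fips.cfg")` performs the same comparison against the actual directory; the listing-based `check_cfg` keeps the logic testable without root or a FIPS-enabled system.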

Comment 2 Severin Gehwolf 2021-11-02 20:02:15 UTC
See also:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes#notable_changes_in_nss_3.35

It seems F35 removed the legacy secmod.db version since I have a F34 installation of nss (same version as F35) which includes the secmod.db file. F35 no longer has it.

Comment 3 Severin Gehwolf 2021-11-03 10:05:37 UTC
Affects java-1.8.0-openjdk and java-latest-openjdk too:

$ /usr/lib/jvm/java-17-openjdk-17.0.1.0.12-1.rolling.fc35.x86_64/bin/java --add-exports=java.base/jdk.internal.access=ALL-UNNAMED ListProviders17
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:250)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:145)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:142)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:142)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
	at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
	at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:317)
	at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:334)
	at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:186)
	at java.base/java.security.Security.getProviders(Security.java:488)
	at ListProviders17.main(ListProviders17.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
	at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:245)
	... 14 more

$ /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.fc35.x86_64/jre/bin/java ListProviders8 
FIPS: yes
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:251)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:131)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
	at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
	at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
	at sun.security.jca.Providers.getFullProviderList(Providers.java:174)
	at java.security.Security.getProviders(Security.java:482)
	at ListProviders8.main(ListProviders8.java:20)
Caused by: java.io.FileNotFoundException: /etc/pki/nssdb/secmod.db
	at sun.security.pkcs11.Secmod.initialize(Secmod.java:223)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:246)
	... 15 more

Comment 5 Severin Gehwolf 2021-11-03 10:48:07 UTC
PR for JDK 8: https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/148

Comment 6 Severin Gehwolf 2021-11-03 10:53:44 UTC
PR for JDK 17 (java-latest-openjdk): https://src.fedoraproject.org/rpms/java-latest-openjdk/pull-request/84

Comment 7 Severin Gehwolf 2021-11-03 10:54:30 UTC
Created attachment 1839542 [details]
ListProviders8.java

Comment 8 Severin Gehwolf 2021-11-03 10:55:05 UTC
Created attachment 1839543 [details]
ListProviders17.java

Comment 9 Fedora Update System 2021-11-08 04:46:34 UTC
FEDORA-2021-e2c673f0d0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2c673f0d0

Comment 10 Severin Gehwolf 2021-11-08 13:28:58 UTC
Update for java-latest-openjdk is here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-93b53747d9

Comment 11 Fedora Update System 2021-11-09 02:22:07 UTC
FEDORA-2021-e2c673f0d0 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2c673f0d0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2c673f0d0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-11-11 01:19:02 UTC
FEDORA-2021-e2c673f0d0 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.
