[jboss-jira] [JBoss JIRA] (ELY-1578) Upgrade to Fedora 28 breaks FIPS scenarios

Martin Choma (JIRA) issues at jboss.org
Fri May 4 09:45:04 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13571526#comment-13571526 ] 

Martin Choma commented on ELY-1578:
-----------------------------------

After turning on -Djava.security.debug=sunpkcs11 I see
{code}
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
15:41:27,164 INFO  [org.jboss.msc] (main) JBoss MSC version 1.3.2.Final-redhat-1
15:41:27,171 INFO  [org.jboss.threads] (main) JBoss Threads version 2.3.2.Final
15:41:27,268 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: JBoss EAP CD 7.2.0.CD13 (WildFly Core 5.0.0.Alpha-redhat-20180502) starting
15:41:27,274 INFO  [stdout] (MSC service thread 1-2) SunPKCS11 loading /opt/java/jdk-9.0.4_fips/fips/pkcs11.cfg
15:41:27,275 INFO  [stdout] (MSC service thread 1-2) NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib64/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib64/libsoftokn3.so, slot 1)]
{code}

> Upgrade to Fedora 28 breaks FIPS scenarios
> ------------------------------------------
>
>                 Key: ELY-1578
>                 URL: https://issues.jboss.org/browse/ELY-1578
>             Project: WildFly Elytron
>          Issue Type: Bug
>    Affects Versions: 1.3.1.Final
>            Reporter: Martin Choma
>
> On Fedora 28 I get 
> {code}
> 14:52:28,813 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.as: org.jboss.msc.service.StartException in service jboss.as: Failed to start service
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1706)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> 	at org.jboss.threads at 2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> 	at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> 	at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> 	at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: java.security.ProviderException: NSS module not available: fips
> 	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:278)
> 	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
> 	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
> 	at java.base/java.security.AccessController.doPrivileged(Native Method)
> 	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
> 	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
> 	at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
> 	at java.base/java.security.AccessController.doPrivileged(Native Method)
> 	at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
> 	at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
> 	at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
> 	at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
> 	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
> 	at java.base/java.security.Security.getImpl(Security.java:697)
> 	at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:178)
> 	at org.jboss.as.deployment-repository at 5.0.0.Alpha-redhat-20180502//org.jboss.as.repository.ContentRepositoryImpl.<init>(ContentRepositoryImpl.java:90)
> 	at org.jboss.as.deployment-repository at 5.0.0.Alpha-redhat-20180502//org.jboss.as.repository.ContentRepository$Factory.addService(ContentRepository.java:185)
> 	at org.jboss.as.server at 5.0.0.Alpha-redhat-20180502//org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:144)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> 	... 6 more
> {code}
> In Fedora 28 there is nss 3.36.1 (dnf info nss.x86_64)
> In nss 3.35 there was a switch of format to SQL [1]
> ??Applications using NSS may explicitly request to use a specific database format, by adding a type prefix to the database directory, provided at NSS initialization time. ?? 
> But I am not sure how to define that in java. I am using 
> {code:pkcs11.cfg}
> name = testPkcs
> nssLibraryDirectory = /usr/lib64
> nssSecmodDirectory = /opt/java/jdk-9.0.1_fips/fips/nssdb
> nssDbMode = readOnly
> nssModule = fips
> {code}
> I am aware there is probably nothing that can be done in Elytron. I think it is a matter of NSS/SunPKCS11 configuration. I created this JIRA as a place for finding out what the problem is.
> [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes
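Added diagnostic helper for the situation above (this is example code written for this page, not part of ELY-1578, WildFly Elytron, NSS or the JDK). The debug output in the comment lists only the two NSS softokn internal modules and no FIPS module, which is what SunPKCS11 reports as "NSS module not available: fips" when the module named by nssModule is not among the modules it gets back from the secmod database. Since NSS 3.35 creates the SQL database format (cert9.db, key9.db, pkcs11.txt) by default and the legacy DBM format is cert8.db, key8.db, secmod.db, the first thing to settle is which format the directory in nssSecmodDirectory actually is, then ask NSS itself, outside the JVM, whether the fips module is enabled there. The script classifies the directory, builds the `sql:`/`dbm:` prefixed path the NSS 3.35 release notes describe, emits a pkcs11.cfg carrying it, and runs modutil against it. The nssdb path, the config name and the claim that a given JDK's SunPKCS11 accepts a `sql:` prefix in nssSecmodDirectory are assumptions to verify against the JDK in use; modutil from nss-tools is assumed installed.

```shell
#!/bin/sh
# Example diagnostic for "NSS module not available: fips" (added here; not
# code from the issue, Elytron, NSS or the JDK).
# Assumptions: nss-tools (modutil) is installed; the nssdb directory passed
# in is the one referenced by pkcs11.cfg; whether SunPKCS11 in a given JDK
# honours a sql: prefix in nssSecmodDirectory must be checked for that JDK.

# Classify an NSS database directory by the files it contains.
#   SQL format (default since NSS 3.35): cert9.db key9.db pkcs11.txt
#   legacy DBM format:                   cert8.db key8.db secmod.db
# Prints one of: sql | dbm | both | unknown
nssdb_format() {
    dir=$1
    has_sql=0; has_dbm=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key9.db" ] && has_sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key8.db" ] && has_dbm=1
    if [ "$has_sql" -eq 1 ] && [ "$has_dbm" -eq 1 ]; then echo both
    elif [ "$has_sql" -eq 1 ]; then echo sql
    elif [ "$has_dbm" -eq 1 ]; then echo dbm
    else echo unknown
    fi
}

# Build the type-prefixed directory NSS accepts at initialization time so the
# format is selected explicitly instead of relying on the library default.
nssdb_prefix() {
    case $(nssdb_format "$1") in
        sql|both) echo "sql:$1" ;;
        dbm)      echo "dbm:$1" ;;
        *)        echo "$1" ;;      # unknown layout: leave the path untouched
    esac
}

# Emit a SunPKCS11 config in the shape used in the issue, with the prefixed
# secmod directory. Provider name "testPkcs" is the one from the issue.
emit_pkcs11_cfg() {
    cat <<EOF
name = testPkcs
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = $(nssdb_prefix "$1")
nssDbMode = readOnly
nssModule = fips
EOF
}

# Ask NSS directly whether it can open the database and whether FIPS mode is
# enabled in it. If modutil does not show FIPS enabled here, SunPKCS11 will
# not find a module named "fips" either. Needs nss-tools; not run in tests.
check_fips_module() {
    db=$(nssdb_prefix "$1")
    echo "== nssdb format: $(nssdb_format "$1") (opening as $db)"
    modutil -dbdir "$db" -list
    modutil -dbdir "$db" -chkfips true
}

# Usage (path taken from the issue's pkcs11.cfg; adjust to your install):
#   . ./nssdb-check.sh
#   check_fips_module /opt/java/jdk-9.0.1_fips/fips/nssdb
#   emit_pkcs11_cfg  /opt/java/jdk-9.0.1_fips/fips/nssdb > pkcs11.cfg
```

If `modutil -chkfips true` reports FIPS disabled, enable it with `modutil -dbdir sql:/path/to/nssdb -fips true` and re-run the JVM with `-Djava.security.debug=sunpkcs11`; the "NSS modules:" line should then list a FIPS module alongside the two internal ones. If the directory classifies as `dbm`, the database predates the format switch and either the `dbm:` prefix or a migration to the SQL format (certutil/modutil on the `sql:` path) is needed before NSS 3.35+ will read the module list from it.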



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

