SunPKCS11's Secmod and external modules in FIPS mode
mbalao at redhat.com
Sat Dec 21 01:03:29 UTC 2019
SunPKCS11's Secmod in OpenJDK does not allow modules other than the NSS
Software Token to be configured in FIPS mode . To give some context,
NSS represents modules internally with a structure called "struct
SECMODModuleStr" and the "fips" variable you see in  is the "isFIPS"
member of the module structure . isFIPS is initialized by NSS to
false for all modules  but if the module spec string has a "FIPS"
flag, it may be turned to true . Newer NSS versions (since bug
1531267  ) may set isFIPS to true for all modules when
/proc/sys/crypto/fips_enabled is 1 in Linux systems. As a result, as
soon as the system is in FIPS mode and the NSSDB has more than the NSS
Software Token module in it, OpenJDK refuses to initialize the SunPKCS11
provider. You can see a real case with pk11-kit-trust as the external
module in RH1780335 .
This behavior has been the same since the very beginning of OpenJDK
(revision 2), and I couldn't find much information about it. There might
be a commit message previous to that.
I'm trying to understand the rationale behind it and see what would be
the implications of removing the check (note: couldn't notice anything
in my quick test by removing it).
Can someone give me a hint?
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1531267
 - https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a
 - https://bugzilla.redhat.com/show_bug.cgi?id=1780335
More information about the security-dev