SunPKCS11's Secmod and external modules in FIPS mode
sean.mullan at oracle.com
Tue Jan 21 20:47:40 UTC 2020
I asked around but no-one can quite recall why the fips variable was set
this way. Our best guess is that it was set this way as we did not have
any tests for this use case.
I don't have any issue with changing this. However, is there a way you
could provide some tests (e.g., on Linux) to make sure it is working as
On 1/20/20 2:16 PM, Martin Balao wrote:
> Ping. Any hint about this?
> On 12/20/19 10:03 PM, Martin Balao wrote:
>> SunPKCS11's Secmod in OpenJDK does not allow modules other than the NSS
>> Software Token to be configured in FIPS mode. To give some context,
>> NSS represents modules internally with a structure called "struct
>> SECMODModuleStr" and the "fips" variable you see in  is the "isFIPS"
>> member of the module structure. isFIPS is initialized by NSS to
>> false for all modules, but if the module spec string has a "FIPS"
>> flag, it may be turned to true. Newer NSS versions (since bug
>> 1531267) may set isFIPS to true for all modules when
>> /proc/sys/crypto/fips_enabled is 1 on Linux systems. As a result, as
>> soon as the system is in FIPS mode and the NSSDB has more than the NSS
>> Software Token module in it, OpenJDK refuses to initialize the SunPKCS11
>> provider. You can see a real case with p11-kit-trust as the external
>> module in RH1780335.
>> This behavior has been the same since the very beginning of OpenJDK
>> (revision 2), and I couldn't find much information about it. There might
>> be a commit message previous to that.
>> I'm trying to understand the rationale behind it and see what would be
>> the implications of removing the check (note: couldn't notice anything
>> in my quick test by removing it).
>> Can someone give me a hint?
>>  - https://bugzilla.mozilla.org/show_bug.cgi?id=1531267
>>  - https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a
>>  - https://bugzilla.redhat.com/show_bug.cgi?id=1780335
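The decision path Martin describes (NSS deciding a module's isFIPS flag, then SunPKCS11's Secmod rejecting any FIPS-flagged module that is not the Software Token) as an added Python model; this is illustrative code written for this thread, not OpenJDK's or NSS's own source, and the token name and rejection message are assumed placeholders.

```python
# Model of the behaviour described in the thread, not OpenJDK/NSS code.
from dataclasses import dataclass, field

# Assumed display name for the NSS Software Token (placeholder).
NSS_SOFTWARE_TOKEN = "NSS Internal PKCS #11 Module"


@dataclass
class NssModule:
    name: str
    spec_flags: tuple = ()   # flags parsed from the module spec string, e.g. ("FIPS",)
    is_fips: bool = False    # NSS's SECMODModuleStr.isFIPS, starts false


def read_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True if the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def nss_init_is_fips(module, system_fips, nss_honours_system_fips=True):
    """NSS side: isFIPS starts false, the spec 'FIPS' flag sets it, and NSS
    builds with the bug 1531267 change also set it for every module when the
    system is in FIPS mode."""
    module.is_fips = "FIPS" in module.spec_flags
    if nss_honours_system_fips and system_fips:
        module.is_fips = True
    return module.is_fips


def secmod_accepts(modules, system_fips, nss_honours_system_fips=True):
    """SunPKCS11 side (as described in the thread): refuse to initialize if any
    module other than the Software Token has isFIPS set. Returns (ok, reason)."""
    for m in modules:
        nss_init_is_fips(m, system_fips, nss_honours_system_fips)
        if m.is_fips and m.name != NSS_SOFTWARE_TOKEN:
            # Assumed wording; the real exception text may differ.
            return False, f"FIPS flag set for non-internal module: {m.name}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed NSSDB contents: the Software Token plus p11-kit-trust.
    db = [NssModule(NSS_SOFTWARE_TOKEN), NssModule("p11-kit-trust")]
    print(secmod_accepts(db, read_fips_enabled()))
```

On a FIPS-enabled host with a recent NSS the second module trips the check even though its own spec string never asked for FIPS, which is the situation in RH1780335.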