JDK-8170319 : sun/security/pkcs11/fips/ClientJSSEServerJSSE.java failed with the "java.security.ProviderException: Could not initialize NSS"
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 9
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: solaris
  • CPU: generic
  • Submitted: 2016-11-24
  • Updated: 2016-12-14
  • Resolved: 2016-12-14
Description
Testsuite name: Regression manual
Test name(s): sun/security/pkcs11/fips/ClientJSSEServerJSSE.java
Product(s) tested: JDK 9 b145
OS/architecture: solaris11.3-sparc/Jtreg4.2b03
Issue:
The case auto failed with the "java.security.ProviderException: Could not initialize NSS" exception.
Comments
This issue should be an environment problem. It is possibly related to the NSS libraries in Solaris. Anyway, it has nothing to do with the test and the product.
14-12-2016

It looks like the FIPS mode db is not supported by Solaris. Run "modutil -list" against sun/security/pkcs11/fips

1. On Solaris 11
modutil: function failed: security library: invalid arguments.

2. On Solaris 12
modutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

3. On Ubuntu 15.10
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal FIPS PKCS #11 Module
slots: 1 slot attached
status: loaded
slot: NSS FIPS 140-2 User Private Key Services
token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
13-12-2016

Traced the creation of the sec module db in FIPS mode, and got some CKR_DEVICE_ERROR (code 48), like the below,
--------------------------------------------------------------------------------
/1@1: <- libsoftokn3:sftk_fipsPowerUpSelfTest() = 48
...
/1@1: <- libsoftokn3:FC_Initialize() = 48
...
/1@1: <- libsoftokn3:sftk_fipsPowerUpSelfTest() = 48
...
/1@1: <- libsoftokn3:FC_Initialize() = 48
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
write(2, " A P K C S # 1 1 m".., 108) = 108
ERROR: Unable to switch FIPS modes.
--------------------------------------------------------------------------------
The attachment secdb_fips.log contains the full logs.
13-12-2016

It looks like Solaris doesn't enable FIPS 140 by default. But I'm not sure it is the cause.

$ cryptoadm list fips-140
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken: FIPS 140 mode is disabled.

Kernel providers:
=================
des: FIPS 140 mode is disabled.
aes: FIPS 140 mode is disabled.
ecc: FIPS 140 mode is disabled.
sha1: FIPS 140 mode is disabled.
sha2: FIPS 140 mode is disabled.
rsa: FIPS 140 mode is disabled.
swrand: FIPS 140 mode is disabled.
intelrd: FIPS 140 mode is disabled.
n2rng: FIPS 140 mode is disabled.
13-12-2016

Does Solaris not support FIPS? I tried to create a security module database in FIPS mode. It failed on Solaris 11 and 12, like the below,
-----------------------------------------------------
$ modutil -create -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

$ ls
cert8.db key3.db secmod.db

$ modutil -fips true -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
ERROR: Unable to switch FIPS modes.
-----------------------------------------------------
But the same test passed on Ubuntu 15.10.
09-12-2016
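
The modutil outputs quoted in the comments above can be triaged mechanically before blaming the test or the product. The script below is an added example, not part of the bug report or the JDK test suite: the function and verdict names are ours, and the "fips-off" case (a database that lists the non-FIPS "NSS Internal PKCS #11 Module") goes beyond what the report shows.

```shell
#!/bin/sh
# Added example (not from the bug report): classify modutil output so a
# "Could not initialize NSS" failure can be attributed to the environment.

# Reads modutil stdout+stderr on stdin, prints one verdict (names are ours).
classify_modutil() {
    awk '
        /SEC_ERROR_LEGACY_DATABASE/            { if (!v) v = "legacy-db" }
        /security library: invalid arguments/  { if (!v) v = "invalid-args" }
        /CKR_DEVICE_ERROR|CKR_GENERAL_ERROR/   { if (!v) v = "module-error" }
        /NSS Internal FIPS PKCS/               { fips = 1 }
        /NSS Internal PKCS/                    { plain = 1 }
        /status: loaded/                       { loaded = 1 }
        END {
            if (v)                    print v
            else if (fips && loaded)  print "fips-ok"
            else if (plain)           print "fips-off"
            else                      print "unknown"
        }'
}

# Runs the same "modutil -list" check used in the report against a db dir.
probe_fips_db() {
    command -v modutil >/dev/null 2>&1 || { echo "modutil-missing"; return 0; }
    modutil -list -dbdir "$1" 2>&1 </dev/null | classify_modutil
}

# Constructed samples, copied from the output quoted in the comments above.
SAMPLE_SOLARIS11='modutil: function failed: security library: invalid arguments.'
SAMPLE_SOLARIS12='modutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.'
SAMPLE_UBUNTU='Listing of PKCS #11 Modules
  1. NSS Internal FIPS PKCS #11 Module
     slots: 1 slot attached
    status: loaded
     slot: NSS FIPS 140-2 User Private Key Services
    token: NSS FIPS 140-2 Certificate DB'
SAMPLE_SWITCH='A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
ERROR: Unable to switch FIPS modes.'

# With a directory argument, probe it; otherwise only the functions are defined.
if [ -n "${1:-}" ]; then probe_fips_db "$1"; fi
```

Any verdict other than "fips-ok" for the test's database directory points at the NSS installation or database format on the host rather than at the JDK.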

This issue is not associated with Solaris 11 only; it also failed on Solaris 12 sparc. In fact, the test skips running on non-sparc platforms, which is why it looks like it passes on the Solaris 12 x64 platform. Of course, it always skips running on non-Solaris platforms, including Linux, Windows and Mac OSX.
08-12-2016

Both of sun/security/pkcs11/fips/ClientJSSEServerJSSE.java and sun/security/pkcs11/fips/TrustManagerTest.java should run on Solaris. I suspect the *.db files should be updated.
08-12-2016

Comparing sun/security/pkcs11/fips/ClientJSSEServerJSSE.java with sun/security/pkcs11/fips/TrustManagerTest.java, we can find that TrustManagerTest.java doesn't support Solaris sparcv9. I suspect ClientJSSEServerJSSE.java should not support sparcv9 as well.
30-11-2016

Removed the link to JDK-8077138, and added a link to JDK-8023434.
29-11-2016