
Java Security


Problem in using NSS fips mode for SunPKCS11

843811 (Jun 30 2008)
Hello,

I am trying to develop a FIPS compliant application using NSS as security provider for SunPKCS11. But when I was trying to run a simple testing program, I ran into the following problem:

- If I have the following providers specified in java.security, everything is fine

security.provider.1=sun.security.pkcs11.SunPKCS11 /var/nss_test/pkcs11.cfg
security.provider.2=sun.security.provider.Sun

- If I remove the provider "sun.security.provider.Sun", then the following exception is thrown out:

Caught exception at ks.load
java.security.cert.CertificateException: X.509 not found
at java.security.cert.CertificateFactory.getInstance(Unknown Source)
at sun.security.pkcs11.P11KeyStore.loadCert(P11KeyStore.java:1193)
at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2429)
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:746)
at java.security.KeyStore.load(Unknown Source)
at SimpleTest.main(SimpleTest.java:13)
Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
... 6 more

I attached my setup details and testing program in the end.

Has anyone else also run into this kind of problem? Can someone offer some solutions/suggestions?

To be FIPS compliant, I think SunPKCS11-NSSfips should be the only security provider available in the system. If there are other non-FIPS certified providers such as "sun.security.provider.Sun" in the system, then FIPS compliance cannot be guaranteed.

There is a known problem in mapping the JCA keystore interface onto NSS's model of PKCS #11 modules, therefore someone suggested one should use JSS directly, instead of using SunPKCS11. If that is the case/only choice, it would be very disappointing....

Am I missing something?

Thanks,

JL

=================================

The setup details and testing program:

1) The cfg file "/var/nss_testing/pkcs11.cfg"

name = NSSfips
nssLibraryDirectory = /usr/lib
nssSecmodDirectory = /var/nss_test/fips_db
nssModule = fips

2) The NSS fips security databases were created using the NSS tools "certutil" and "modutil".

3) Testing program

import java.security.*;
import java.io.*;
import java.util.*;

public class SimpleTest {

    public static void main(String[] args) {

        // load the PKCS11 keystore backed by the NSS FIPS token
        char[] password = "myfips".toCharArray();
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11");
            ks.load(null, password);
        } catch (Exception e) {
            System.out.println("Caught exception at ks.load");
            e.printStackTrace();
            System.exit(1);
        }

    }
}
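A pre-flight check, added here as an example and not part of the original post, that lists the installed providers and reports which of them (if any) supplies the X.509 CertificateFactory that P11KeyStore.loadCert() requests while mapping NSS labels. It assumes the java.security provider list from the post is in effect and that "myfips" is the token PIN, as in SimpleTest; SunPKCS11 itself registers no CertificateFactory, so with sun.security.provider.Sun removed the check fails before KeyStore.load() is attempted.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class ProviderCheck {

    // Service that P11KeyStore.loadCert() looks up during KeyStore.load()
    // (the stack trace shows CertificateFactory.getInstance -> "X.509 not found").
    static final String CF_TYPE = "CertificateFactory";
    static final String CF_ALG = "X.509";

    // Names of the installed providers that implement the given service.
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Installed providers (java.security order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }

        List<String> ksProviders = providersFor("KeyStore", "PKCS11");
        List<String> cfProviders = providersFor(CF_TYPE, CF_ALG);
        System.out.println("KeyStore.PKCS11 from: " + ksProviders);
        System.out.println(CF_TYPE + "." + CF_ALG + " from: " + cfProviders);

        if (cfProviders.isEmpty()) {
            // The post's configuration with sun.security.provider.Sun removed lands here:
            // no provider can parse the certificates NSS returns, so load() would fail.
            System.out.println("No provider offers " + CF_TYPE + "." + CF_ALG
                    + "; KeyStore.load() will throw CertificateException");
            System.exit(2);
        }

        // Same load as SimpleTest; "myfips" is the token PIN from the post (assumed)
        char[] password = "myfips".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11");
        keyStore.load(null, password);
        System.out.println("Loaded NSS keystore with " + keyStore.size() + " entries");
    }
}
```

Run it with the same java.security settings as SimpleTest; the "from:" lines show which provider each service comes from, which is the information needed when deciding what a FIPS-restricted provider list must still contain.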
Locked on Jul 28 2008
Added on Jun 30 2008