Java Security

Problems using NSS library as PKCS#11 provider with JAVA 6

843811 Apr 22 2008 — edited Apr 23 2008
Hi,

I'm trying to configure JAVA 6 on Solaris 10 SPARC to use Mozilla NSS library as PKCS#11 provider (to achieve FIPS-140 certification for my application). I'm following the guidelines from http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS but unfortunately something doesn't work for me as expected...

Let me describe the exact steps that I followed (because the devil may be in the small details :-)

I downloaded NSS 3.11.4 and NSPR 4.6.4 binaries from mozilla.org (32 bit "debug" versions for Solaris 9, because these were the only "binary" versions for SPARC available on Mozilla site and as far as I understand these are the exact versions that passed FIPS-140 certification), unpacked them under the /opt directory and copied both of them into a single /opt/nss tree as follows:
mkdir /opt/nss
cp -r /opt/nss-3.11.4/* /opt/nss
cp -r /opt/nspr-4.6.4/* /opt/nss

I created a PKCS#11 configuration file /opt/nss/pkcs11.cfg as per JAVA 6 security guide:
name = NSScrypto
nssLibraryDirectory = /opt/nss/lib
nssDbMode = noDb
attributes = compatibility

(I know that this configuration is not for FIPS mode - but I thought that I'd better start with a simple NSS configuration)

Then I modified /usr/jdk/jdk1.6.0_03/jre/lib/security/java.security file and replaced 1st provider with:
security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/nss/pkcs11.cfg

Now everything should be in place - so I created a small JAVA program and ran it:

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.SecretKey;
import javax.crypto.Cipher;
import java.security.*;

public class Test
{
    public static void main(String[] args)
    {
        try
        {
            // No provider is named, so JCA picks one by preference order
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
            // 24-byte 3DES key material taken from a string literal
            DESedeKeySpec keySpec = new DESedeKeySpec("laKuf1Tcc6sOhsdPf49=m4es".getBytes());
            System.out.println("keyFactory provider: " + keyFactory.getProvider().getName());
            SecretKey key = keyFactory.generateSecret(keySpec);
            // Again no provider is named for the cipher
            Cipher decryptCipher = Cipher.getInstance("DESede");
            decryptCipher.init(Cipher.DECRYPT_MODE, key);
            System.out.println("decryptCipher provider: " + decryptCipher.getProvider().getName());
        }
        catch (Exception ex)
        {
            ex.printStackTrace();
        }
    }
}

Unfortunately it produced the following output:
EMS-Server42# java test
keyFactory provider: SunPKCS11-NSScrypto
decryptCipher provider: SunJCE

And when I comment out SunJCE provider in java.security file I get the following exception:
java.security.NoSuchAlgorithmException: Cannot find any provider supporting DESede
at javax.crypto.Cipher.getInstance(DashoA13*..)
at test.main(test.java:38)

So it looks like something is wrong with my NSS configuration. Because AFAIK DESede (3DES) is supported by the NSS library, but for some reason JAVA doesn't see this algorithm implemented in NSS PKCS#11 provider.

Any suggestions on what I am doing wrong?
Best regards,
Alex
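
A diagnostic for the situation described in the post above, added here as an example and not part of the original post: it lists the DESede Cipher services each installed provider registers, then reports which provider JCA selects for several transformation strings. The class name ProviderProbe, its method names and the list of probed transformations are assumptions chosen for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

public class ProviderProbe {

    // Cipher services whose primary algorithm name starts with the prefix,
    // as "providerName: algorithm", in provider preference order.
    // Aliases are not exposed by Provider.Service, so they do not appear here.
    static List<String> cipherServices(String prefix) {
        List<String> found = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("Cipher".equals(s.getType())
                        && s.getAlgorithm().regionMatches(true, 0, prefix, 0, prefix.length())) {
                    found.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    // Provider JCA selects for a transformation when no key has been supplied:
    // getProvider() before init() settles on the first provider that matches.
    static String selectedProvider(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (Exception e) {
            return "none (" + e + ")";
        }
    }

    public static void main(String[] args) {
        for (String line : cipherServices("DESede")) {
            System.out.println(line);
        }
        // Constructed list of transformation strings to compare.
        String[] probes = { "DESede", "DESede/CBC/PKCS5Padding", "DESede/CBC/NoPadding" };
        for (String t : probes) {
            System.out.println(t + " -> " + selectedProvider(t));
        }
    }
}
```

Run it with the same java.security file as the test program, so the provider order and the PKCS#11 configuration being examined are the ones in effect.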
Post Details
Locked on May 21 2008
Added on Apr 22 2008