java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
    at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required
    at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
    ... 2 more
The version I am using is greater than 3.7, despite what the exception
says. I am looking to use the FIPS 140-2 certified symmetric key
algorithms in this library.
I am using the following configuration:
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssDbMode = noDb
nssModule = fips
I am adding the cryptography provider dynamically with the following
code:
String configName = "nss.cfg";
Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11(configName); // exception occurs on this line
Security.addProvider(cryptoProvider);
Has anyone else run into this issue or have any insight into the
problem?
If this doesn't work out I will look into direct utilization of JSS.
Thanks!
> Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities yields the following exception:
> java.security.ProviderException: Could not initialize NSS
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
>     at test.TripleDESTest.main(TripleDESTest.java:112)
> Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required
>     at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
>     ... 2 more
> The version I am using is greater than 3.7, despite what the exception says. I am looking to use the FIPS 140-2 certified symmetric key algorithms in this library.
> I am using the following configuration:
> name = NSScrypto
> attributes = compatibility
> nssLibraryDirectory = ./lib
> nssDbMode = noDb
> nssModule = fips
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = <----- full path to NSS and NSPR libraries
nssSecmodDirectory = <---- full path to location of the NSS databases
nssDbMode = readWrite
nssModule = fips
To create a set of databases in the current directory:
certutil -N -d .
Review the NSS 3.11.4 security policy "Strength of Authentication Mechanism" for password requirements.
To enable FIPS mode:
modutil -fips true -dbdir .
> I am adding the cryptography provider dynamically with the following code:
> String configName = "nss.cfg";
> Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11(configName); // exception occurs on this line
> Security.addProvider(cryptoProvider);
> Has anyone else run into this issue or have any insight into the problem?
> If this doesn't work out I will look into direct utilization of JSS.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS.html
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl see createpkcs11_cfg
Thanks!
Thank you for the prompt response Glen!
I tried your proposed actions. I am still having issues, but now I
have more information. Indeed, the next issue I would have run into
after fixing this version incompatibility issue would have been
related to the secmod database. The problem may be more deep-rooted
in NSS compatibility than I originally thought (in such a way that
utilizing JSS directly probably wouldn't work either).
I ran into issues creating the secmod database:
* Steps taken on the first Windows XP Professional Version 2002 SP2
box
1) "certutil -N -d ." ran fine, created the three database files with
a strong password
2) "modutil -fips true -dbdir ." failed, with error:
"An I/O error occurred during security authorization.
ERROR: Unable to switch FIPS modes."
* Executed the same commands and same configuration on a Windows Vista
box with success (output: "FIPS mode enabled.", and modutil -list
shows the appropriate FIPS module).
* Executed the same commands and same configuration on a second
Windows XP Professional Version 2002 SP2 box with success.
That was odd, but nevertheless, I now have a secmod database that I
can work with.
Next, I copied the database files/directory into my Eclipse Java
project and modified the NSS configuration file appropriately:
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips
This project is hosted on shared storage between both the Windows XP
boxes. Running the test application (see previous message) on the
original machine still produces the original exception:
java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
    at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required
    at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
    ... 2 more
Running the test application (the exact same Eclipse Java project, the
same libraries, the same configuration) with the same JVM, jdk/jre
1.6.0_13, on the second Windows XP machine (where "modutil -fips true"
succeeded) was successful (e.g., the crypto provider object was
returned).
Any further insight into this issue would be appreciated!
Best regards,
Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)
My Google searches happened to bring this highly-related gem to the
surface today (odd that they didn't yesterday):
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
Looks like it is a real issue.
Any ideas?
Thanks!
Thanks Glen; I double checked on inclusion of the *.chk files. They
are included in the appropriate directories and are on the path.
In an attempt to recreate your problem, I wrote a test program and some
rough notes that should hopefully help. The program/notes are rough as I
don't have much time to spend on this issue.
I had a clean Windows 7 box so I:
downloaded NSPR 4.6.4
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WINNT5.0_OPT.OBJ/
downloaded NSS 3.11.4
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/
installed java version "1.6.0_16":
2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin
directory
3) created the NSS db's and configured for FIPS mode:
certutil -N -d .
modutil -fips true -dbdir .
4) created the following nss.cfg file:
name = NSSFIPS
nssLibraryDirectory = ./lib
nssSecmodDirectory = .
nssDbMode = readWrite
nssModule = fips
5) created the attached test program sunpkcs11nss.java
6) javac sunpkcs11nss.java
7) java sunpkcs11nss nss.cfg <password>
Initializing sunpkcs11-NSS nss.cfg
Initialized sunpkcs11-NSS
Provider 0: SunPKCS11-NSSFIPS
Provider 1: SUN
Provider 2: SunRsaSign
Provider 3: SunJSSE
Provider 4: SunJCE
Provider 5: SunJGSS
Provider 6: SunSASL
Provider 7: XMLDSig
Provider 8: SunPCSC
Provider 9: SunMSCAPI
Key generation done by SunPKCS11-NSSFIPS version 1.6
encrypt op done by SunPKCS11-NSSFIPS version 1.6
decrypt op done by SunPKCS11-NSSFIPS version 1.6
recovered bytes equal the original plaintext
Hopefully the above will help you solve your issue, or at least aid in
creating a bug with a provided testcase.
-glen
Glen,
Aha! I found the configuration issue that you were looking for.
I have the smart card software ActiveClient CAC 6.1 installed on my
Windows XP box. This software includes NSS and NSPR libraries and the
modutil binary. Installation of the software adds the binaries to the
PATH. I ended up using a process monitor to capture Win32 API
messages and noticed Windows was pulling that location off the PATH.
Anyway, uninstalling ActiveClient yields success:
"C:\nss_db>modutil -fips true -dbdir .
...
Using database directory ....
FIPS mode enabled."
I will now continue on with your suggestions and post again after
testing is complete. Thank you for your time and assistance.
Glen,
Uninstalling ActiveClient also fixed the exception ("The specified
version of NSS is incompatible, 3.7 or later required"). Not entirely
sure why the libraries/binaries included in the Windows PATH would be
used by the JVM with higher priority than the configured value in
nss.cfg, "nssLibraryDirectory = ./lib". Nevertheless, I now know what
the issue is and can work around it-- thank you for the assistance.
Hi Glen,
I finally got all the other problems solved, and ran into this problem
when trying to run your code.
When attempting to actually generate the key, I get this exception:
java.security.ProviderException: Could not generate key
    at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:260)
    at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
    at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
    at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:255)
    ... 2 more
Anyway, thanks very much for all your help so far.
Kevin Oberlies
Student Software Developer
I have some doubts that you're running my exact code sample and instead
have changed the code sample which would mean the code is no longer mine
and is yours. Doubts, only of course, I freely admit to having written
some buggy code in my day.
My code sample creates a "128 bit AES" key.
I expect that you changed the sample and are trying to create say a
DESede key?
Not sure, but if yes then please review
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
Also, please try to provide detailed info such as version number of the
software you're using, and which OS.
Meaning state "I am using NSPR ver, NSS ver, Java ver, on OS, with
FIPSMODE ON/OFF".
You also might want to consider using JSS, as I believe it should be easier
than using NSS-SunPKCS11 bridge.
https://developer.mozilla.org/En/JSS
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
hope this helps,
glen
> When attempting to actually generate the key, I get this exception:
> java.security.ProviderException: Could not generate key
> at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
> (P11KeyGenerator.java:260)
>
I had attempted to post a reply stating that I accidentally put the
line
attributes = compatibility
into the nss.cfg file. That is what caused my problem. I appreciate
your reply however.
I now have it generating AES keys and have it working like we intended
in the first place.
Thank you very much.
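
Both root causes reported in this thread can be checked before the JVM is started: a second copy of NSS/NSPR reachable through PATH (the ActiveClient case) and "attributes = compatibility" left in an nss.cfg that selects nssModule = fips. The following Python pre-flight check is an added example, not code from the thread, from NSS or from the JDK; the function names and the list of library base names are assumptions made for illustration.

```python
import os
from pathlib import Path

NSS_LIBS = {"nss3", "softokn3", "nspr4"}  # NSS, softoken, NSPR base names (assumed list)
LIB_SUFFIXES = (".dll", ".so", ".dylib")

def parse_nss_cfg(text):
    """Parse the 'key = value' lines of a SunPKCS11 NSS config file."""
    cfg = {}
    for line in text.splitlines():
        key, eq, value = line.partition("=")
        if eq and not key.lstrip().startswith("#"):
            cfg[key.strip()] = value.strip()
    return cfg

def is_nss_lib(filename):
    """True for names such as nss3.dll, libnspr4.dll or libsoftokn3.so."""
    stem, dot, ext = filename.lower().rpartition(".")
    if stem.startswith("lib"):
        stem = stem[3:]
    return bool(dot) and "." + ext in LIB_SUFFIXES and stem in NSS_LIBS

def shadowing_dirs(path_value, intended_dir, sep=os.pathsep):
    """PATH entries, other than intended_dir, that contain NSS/NSPR libraries."""
    intended = Path(intended_dir).resolve()
    hits = []
    for entry in filter(None, path_value.split(sep)):
        d = Path(entry.strip('"'))
        try:
            if not d.is_dir() or d.resolve() == intended:
                continue
            libs = sorted(p.name for p in d.iterdir() if is_nss_lib(p.name))
        except OSError:  # unreadable PATH entry: nothing to report
            continue
        if libs:
            hits.append((str(d), libs))
    return hits

def preflight(cfg_text, path_value, sep=os.pathsep):
    """Warnings for the misconfigurations reported in the thread."""
    cfg = parse_nss_cfg(cfg_text)
    lib_dir = cfg.get("nssLibraryDirectory", "")
    warnings = []
    if not os.path.isabs(lib_dir):
        warnings.append("nssLibraryDirectory is not a full path: %r" % lib_dir)
    if cfg.get("nssModule") == "fips" and cfg.get("attributes") == "compatibility":
        warnings.append("attributes = compatibility is set with nssModule = fips")
    for d, libs in shadowing_dirs(path_value, lib_dir or ".", sep):
        warnings.append("%s on PATH also holds %s" % (d, ", ".join(libs)))
    return warnings
```

Call preflight() with the text of nss.cfg and the PATH value the JVM will inherit; an empty list means none of the three conditions was found.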