SunPKCS11 and NSS 3.11.4
morri...@gmail.com
yields the following exception:
java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
... 2 more
The version I am using is greater than 3.7, despite what the exception
says. I am looking to use the FIPS 140-2 certified symmetric key
algorithms in this library.
I am using the following configuration:
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssDbMode = noDb
nssModule = fips
I am adding the cryptography provided dynamically with the following
code:
String configName = "nss.cfg";
Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11
(configName); // exception occurs on this line
Security.addProvider(cryptoProvider);
Has anyone else run into this issue or have any insight into the
problem?
If this doesn't work out I will look into direct utilization of JSS.
Thanks!
Glen Beasley
Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities yields the following exception: java.security.ProviderException: Could not initialize NSS at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90) at test.TripleDESTest.main(TripleDESTest.java:112) Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required at sun.security.pkcs11.Secmod.initialize(Secmod.java:190) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179) ... 2 more The version I am using is greater than 3.7, despite what the exception says. I am looking to use the FIPS 140-2 certified symmetric key algorithms in this library. I am using the following configuration: name = NSScrypto attributes = compatibility nssLibraryDirectory = ./lib nssDbMode = noDb nssModule = fips
The "nssDbMode = noDb" mode allows NSS to be used without database files purely as a cryptographic provider.
make the following changes:
name = NSScrypto attributes = compatibility nssLibraryDirectory = <----- full path to NSS and NSPR libraries nssSecmodDirectory = <---- full path to location of the NSS databases nssDbMode = readWrite nssModule = fips To create a set of databases in the current directory: certutil -N -d . review the NSS 3.11.4 security policy "Strength of Authentication Mechanism" for password requirements. To enable FIPS mode: modutil -fips true -dbdir .
I am adding the cryptography provided dynamically with the following code: String configName = "nss.cfg"; Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11 (configName); // exception occurs on this line Security.addProvider(cryptoProvider); Has anyone else run into this issue or have any insight into the problem? If this doesn't work out I will look into direct utilization of JSS.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS.html http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl see createpkcs11_cfg
-glen
Thanks!
morri...@gmail.com
> To enable FIPS mode:
> modutil -fips true -dbdir .
>
> > I am adding the cryptography provided dynamically with the following
> > code:
>
> > String configName = "nss.cfg";
> > Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11
> > (configName); // exception occurs on this line
> > Security.addProvider(cryptoProvider);
>
> > Has anyone else run into this issue or have any insight into the
> > problem?
>
> > If this doesn't work out I will look into direct utilization of JSS.
>
> Java 1.5 claimed no FIPS compliance, and Java 1.6 or higher needs to be
> used for the SunPKCS11-NSS bridge. JSS can use Java 1.4 of higher to be
> FIPS compliant.
>
>
> -glen
>
> > Thanks!
>
>
>
> smime.p7s
> 6KViewDownload
Thank you for the prompt response Glen!
I tried your proposed actions. I am still having issues, but now I
have more information. Indeed, the next issue I would have ran into
after fixing this version incompatibility issue would have been
related to the secmod database. The problem may be more deep-rooted
in NSS compatibility than I originally thought (in such a way that
utilizing JSS directly probably wouldn't work either).
I ran into issues creating the secmod database:
* Steps taken on the first Windows XP Professional Version 2002 SP2
box
1) "certutil -N -d ." ran fine, created the three database files with
a strong password
2) "modutil -fips true -dbdir ." failed, with error:
"An I/O error occurred during security authorization.
ERROR: Unable to switch FIPS modes."
* Executed the same commands and same configuration on a Windows Vista
box with success (output: "FIPS mode enabled.", and modutil -list
shows the appropriate FIPS module).
* Executed the same commands and same configuration on a second
Windows XP Professional Version 2002 SP2 box with success.
That was odd, but nevertheless, I now have a secmod database that I
can work with.
Next, I copied the database files/directory into my Eclipse Java
project and modified the NSS configuration file appropriately:
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips
This project is hosted on shared storage between both the Windows XP
boxes. Running the test application (see previous message) on the
original machine still produces the original exception:
java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
... 2 more
Running the test application (the exact same Eclipse Java project, the
same libraries, the same configuration) with the same JVM, jdk/jre
1.6.0_13, on the second Windows XP machine (where "modutil -fips true"
succeeded) was successful (e.g., the crypto provider object was
returned).
Any further insight into this issue would be appreciated!
Best regards,
Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)
morri...@gmail.com
wrote:
My Google searches happened to bring this highly-related gem to the
surface today (odd that they didn't yesterday):
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
Looks like it is a real issue.
Any ideas?
Thanks!
Glen Beasley
have the .chk files installed in your path with their matching libraries.
see security rule 34 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
• softokn3.dll
• softokn3.chk
• freebl3.dll
• freebl3.chk
Since you have one system that works and one that does not, missing .chk files is
the most logical configuration difference.
Any further insight into this issue would be appreciated! Best regards, Drew Morris Technical Lead, Software Developer CDM Technologies, Inc. (http://www.cdmtech.com)My Google searches happened to bring this highly-related gem to the surface today (odd that they didn't yesterday): http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
Looks like it is a real issue.
is nobody is actively working on bug_id=6521498.
I will see if I can contact the jce team about updating this bug.
-glen
morri...@gmail.com
> . softokn3.chk
> . freebl3.dll
> . freebl3.chk
>
> Since you have one system that works and one that does not, missing .chk
> files is
> the most logical configuration difference.
>
> >> Any further insight into this issue would be appreciated!
>
> >> Best regards,
>
> >> Drew Morris
> >> Technical Lead, Software Developer
> >> CDM Technologies, Inc. (http://www.cdmtech.com)
>
> > My Google searches happened to bring this highly-related gem to the
> > surface today (odd that they didn't yesterday):
>
> >http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
>
> > Looks like it is a real issue.
>
> will missing .chk files are a real issue. The other issue
> is nobody is actively working on bug_id=6521498.
> I will see if I can contact the jce team about updating this bug.
>
> -glen
>
> > Any ideas?
>
> > Thanks!
>
> > Drew Morris
> > Technical Lead, Software Developer
> > CDM Technologies, Inc. (http://www.cdmtech.com)
>
>
>
> 6KViewDownload
Thanks Glen; I double checked on inclusion of the *.chk files. They
are included in the appropriate directories and are on the path.
Glen Beasley
your configuration correct
so that running the modutil command will work correctly. Copying the
databases from a working system to
a system that is unable to correctly run "modutil -fips true -dbdir ."
makes no sense.
In an attempt to recreate your problem, I wrote a test program and some
rough notes that
should hopefully help. The program/notes are rough as I don't have much
time to spend on this issue.
I had a clean window 7 box so I:
downloaded NSPR 4.6.4
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WINNT5.0_OPT.OBJ/
downloaded NSS 3.11.4
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/
installed java version "1.6.0_16":
2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin
directory
3) created the NSS db's and configured for FIPS mode:
certutil -N -d .
modutil -fips true -dbdir .
4) created the following nss.cfg file:
name = NSSFIPS
nssLibraryDirectory = ./lib
nssSecmodDirectory = .
nssDbMode = readWrite
nssModule = fips
5) created the attached test program sunpkcs11nss.java
6) javac javac sunpkcs11nss.java
7) java sunpkcs11nss nss.cfg <password>
Initializing sunpkcs11-NSS nss.cfg
Initialized sunpkcs11-NSS
Provider 0: SunPKCS11-NSSFIPS
Provider 1: SUN
Provider 2: SunRsaSign
Provider 3: SunJSSE
Provider 4: SunJCE
Provider 5: SunJGSS
Provider 6: SunSASL
Provider 7: XMLDSig
Provider 8: SunPCSC
Provider 9: SunMSCAPI
Key generation done by SunPKCS11-NSSFIPS version 1.6
encrypt op done by SunPKCS11-NSSFIPS version 1.6
decrypt op done by SunPKCS11-NSSFIPS version 1.6
recovered bytes equal the original plaintext
Hopefully the above will help you solve your issue, or at least aid in
creating a bug with a provided testcase.
-glen
morri...@gmail.com
> morris.d...@gmail.com wrote:
>
> >>>> I ran into issues creating the secmod database:
>
> before moving on to Java/SunPKCS11-NSSFIPS issue you should first get
> your configuration correct
> so that running the modutil command will work correctly. Copying the
> databases from a working system to
> a system that is unable to correctly run "modutil -fips true -dbdir ."
> makes no sense.
>
> In an attempt to recreate your problem, I wrote a test program and some
> rough notes that
> should hopefully help. The program/notes are rough as I don't have much
> time to spend on this issue.
>
> I had a clean window 7 box so I:
>
> downloaded NSS 3.11.4https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
>
> import java.security.AlgorithmParameters;
> import java.security.Provider;
> import java.security.Security;
> import javax.crypto.Cipher;
> import javax.crypto.KeyGenerator;
> import java.security.KeyStore;
>
> //glen.beas...@sun.com
> //This is a sample test program
> //the nss.cfg file
> //name = NSSFIPS
> //nssLibraryDirectory = ./lib
> //nssSecmodDirectory = .
> //nssDbMode = readWrite
> //nssModule = fips
> //
> //http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide....
>
> public class sunpkcs11nss {
>
> public static void main(String args[]) {
> try {
> // pass in nss.cfg file and "password" for the NSS databases
> String nssConfig = args[0];
> System.out.println("Initializing sunpkcs11-NSS " + nssConfig);
> Provider pkcs11NSS = new sun.security.pkcs11.SunPKCS11(nssConfig);
> Security.insertProviderAt(pkcs11NSS, 1);
> System.out.println("Initialized sunpkcs11-NSS");
>
> Provider[] providers = Security.getProviders();
> for (int i = 0; i < providers.length; i++) {
> System.out.println("Provider " + i + ": " +
> providers[i].getName());
> }
>
> // Login
> KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS);
> // this is test code, please mask the password
> ks.load(null, args[1].toCharArray());
>
> javax.crypto.SecretKey skey = null;
> javax.crypto.KeyGenerator kg = null;
>
> kg = KeyGenerator.getInstance("AES",
> pkcs11NSS);
> kg.init(128);
> skey = kg.generateKey();
>
> System.out.println("Key generation done by " +
> kg.getProvider().toString());
>
> String algFamily = "AES";
> String algType = "AES/CBC/PKCS5Padding";
>
> byte[] plaintext = "testing NSS in FIPS MODE".getBytes();
> Cipher cipher = Cipher.getInstance(algType, pkcs11NSS);
> AlgorithmParameters ap = null;
> byte[] encodedAlgParams = null;
>
> cipher.init(Cipher.ENCRYPT_MODE, skey);
> //generate the algorithm Parameters; they need to be
> //the same for encrypt/decrypt if they are needed.
> ap = cipher.getParameters();
> if (ap != null) {
> //get parameters to store away as example.
> encodedAlgParams = ap.getEncoded();
> }
> byte[] ciphertext =
> new byte[cipher.getOutputSize(plaintext.length)];
> int cLen = cipher.update(plaintext, 0, plaintext.length,
> ciphertext, 0);
> cLen += cipher.doFinal(ciphertext, cLen);
>
> System.out.println("encrypt op done by " +
> cipher.getProvider().toString());
>
> //decrypt
> cipher = Cipher.getInstance(algType, pkcs11NSS);
> if (encodedAlgParams == null) {
> cipher.init(Cipher.DECRYPT_MODE, skey);
> } else {
> //retrieve the algorithmParameters from the encoded array
> AlgorithmParameters aps =
> AlgorithmParameters.getInstance(algFamily);
> aps.init(encodedAlgParams);
> cipher.init(Cipher.DECRYPT_MODE, skey, aps);
> }
> System.out.println("decrypt op done by " +
> cipher.getProvider().toString());
>
> byte[] recovered = new byte[cLen];
> int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0);
> rLen += cipher.doFinal(recovered, rLen);
>
> //ensure the recovered bytes equals the orginal plaintext
> boolean isEqual = true;
> for (int i = 0; i < plaintext.length; i++) {
> if (plaintext[i] != recovered[i]) {
> isEqual = false;
> break;
> }
> }
> if (isEqual) System.out.println("recovered bytes equal " +
> "the original plaintext\n");
>
> } catch (Exception ex) {
> ex.printStackTrace();
> }
> }
>
> }
>
>
Glen,
Aha! I found the configuration issue that you were looking for.
I have the smart card software ActiveClient CAC 6.1 installed on my
Windows XP box. This software includes NSS and NSPR libraries and the
modutil binary. Installation of the software adds the binaries to the
PATH. I ended up using a process monitor to capture Win32 API
messages and noticed Windows was pulling that location off the PATH.
Anyway, uninstalling ActiveClient yields success:
"C:\nss_db>modutil -fips true -dbdir .
...
Using database directory ....
FIPS mode enabled."
I will now continue on with your suggestions and post again after
testing is complete. Thank you for your time and assistance.
morri...@gmail.com
> morris.d...@gmail.com wrote:
>
> >>>> I ran into issues creating the secmod database:
>
> before moving on to Java/SunPKCS11-NSSFIPS issue you should first get
> your configuration correct
> so that running the modutil command will work correctly. Copying the
> databases from a working system to
> a system that is unable to correctly run "modutil -fips true -dbdir ."
> makes no sense.
>
> In an attempt to recreate your problem, I wrote a test program and some
> rough notes that
> should hopefully help. The program/notes are rough as I don't have much
> time to spend on this issue.
>
> I had a clean window 7 box so I:
>
> downloaded NSS 3.11.4https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
Glen,
Uninstalling ActiveClient also fixed the exception ("The specified
version of NSS is incompatible, 3.7 or later required"). Not entirely
sure why the libraries/binaries included in the Windows PATH would be
used by the JVM with higher priority than the configured value in
nss.cfg, "nssLibraryDirectory = ./lib". Nevertheless, I now know what
the issue is and can work around it-- thank you for the assistance.
Kevin Oberlies
wrote:
Hi Glen,
I finally got all the other problems solved, and ran into this problem
when trying to run your code.
When attempting to actually generate the key, I get this exception:
java.security.ProviderException: Could not generate key
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:260)
at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:255)
... 2 more
Anyway, thanks very much for all your help so far.
Kevin Oberlies
Student Software Developer
Kevin Oberlies
Hi Glen,
I finally got all the other problems solved, and ran into this problem
when trying to run your code.
When attempting to actually generate the key, I get this exception:
java.security.ProviderException: Could not generate key
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:260)
at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:255)
... 2 more
Anyway, thanks very much for all your help so far.
Kevin Oberlies
Student Software Developer
Glen Beasley
> Hi Glen,
> I finally got all the other problems solved, and ran into this problem
> when trying to run your code
>
I have some doubts that you're running my exact code sample and instead
have changed the code
sample which would mean the code is no longer mine and is yours. Doubts,
only of course, I freely
admit to haven written some buggy code in my day.
My code sample creates an "128 bit AES" key.
I expect that you change the sample and are trying to create say a
DESede key?
not sure, but if yes then please review
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
Also, please try to provide detailed info such as version number of the
software you're using, and which OS.
Meaning state "I am using NSPR ver, NSS ver, Java ver, on OS, with
FIPSMODE ON/OFF".
You also might want to consider using JSS, as I believe it should be easier
than using NSS-SunPKCS11 bridge.
https://developer.mozilla.org/En/JSS
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
hope this helps,
glen
> When attempting to actually generate the key, I get this exception:
> java.security.ProviderException: Could not generate key
> at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
> (P11KeyGenerator.java:260)
>
Kevin Oberlies
message appeared twice...
I had attempted to post a reply stating that I accidentally put the
line
attributes = compatibility
into the nss.cfg file. That is what caused my problem. I appreciate
your reply however.
I now have it generating AES keys and have it working like we intended
in the first place.
Thank you very much.