Java Secure Socket Extension (JSSE) - Problem in using NSS fips mode for SunPKCS11
This topic has no replies.
JL2008
Posts:1
Registered: 6/30/08
Problem in using NSS fips mode for SunPKCS11   
Jun 30, 2008 10:33 AM
 
 
Hello,

I am trying to develop a FIPS compliant application using NSS as security provider for SunPKCS11. But when I was trying to run a simple testing program, I ran into the following problem:

- If I have the following providers specified in java.security, everything is fine

security.provider.1=sun.security.pkcs11.SunPKCS11 /var/nss_test/pkcs11.cfg
security.provider.2=sun.security.provider.Sun

- If I remove the provider "sun.security.provider.Sun", then the following exception is thrown:

Caught exception at ks.load
java.security.cert.CertificateException: X.509 not found
at java.security.cert.CertificateFactory.getInstance(Unknown Source)
at sun.security.pkcs11.P11KeyStore.loadCert(P11KeyStore.java:1193)
at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2429)
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:746)
at java.security.KeyStore.load(Unknown Source)
at SimpleTest.main(SimpleTest.java:13)
Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
... 6 more

I attached my setup details and testing program at the end.

Has anyone else also run into this kind of problem? Can someone offer some solutions/suggestions?

To be FIPS compliant, I think SunPKCS11-NSSfips should be the only security provider available in the system. If other non-FIPS-certified providers such as "sun.security.provider.Sun" are present in the system, then FIPS compliance cannot be guaranteed.

There is a known problem in mapping the JCA keystore interface onto NSS's model of PKCS #11 modules, therefore someone suggested one should use JSS directly, instead of using SunPKCS11. If that is the case/only choice, it would be very disappointing....

Am I missing something?

Thanks,

JL

=================================

The setup details and testing program:

1) The cfg file "/var/nss_testing/pkcs11.cfg"

name = NSSfips
nssLibraryDirectory = /usr/lib
nssSecmodDirectory = /var/nss_test/fips_db
nssModule = fips

2) The NSS fips security databases were created using the NSS tools "certutil" and "modutil".

3) Testing program

import java.security.*;
import java.io.*;
import java.util.*;

public class SimpleTest {

    public static void main(String[] args) {

        // load the PKCS#11 keystore backed by the NSS FIPS module configured in pkcs11.cfg
        char[] password = "myfips".toCharArray();
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11");
            ks.load(null, password);
        } catch (Exception e) {
            System.out.println("Caught exception at ks.load");
            e.printStackTrace();
            System.exit(1);
        }

    }
}
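The stack trace above shows P11KeyStore asking for a CertificateFactory of type "X.509" while mapping the certificate objects in the NSS database; that service comes from sun.security.provider.Sun, not from SunPKCS11, so removing the Sun provider leaves nothing to answer the request. The following diagnostic is an added example, not code from the original post: it lists every installed provider, reports which ones supply CertificateFactory.X.509, and only then attempts the same KeyStore.load as SimpleTest. The class name ProviderCheck, the optional command-line argument and the Java 5/6-era sun.security.pkcs11.SunPKCS11(String) constructor are assumptions; the PIN "myfips" and the cfg path are the values from the post.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

public class ProviderCheck {

    // Print every installed provider in priority order and say which ones can
    // serve CertificateFactory.X.509, the service P11KeyStore.loadCert needs.
    // Returns true if at least one provider supplies it.
    static boolean x509FactoryAvailable() {
        boolean found = false;
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("CertificateFactory", "X.509");
            System.out.println(p.getName() + " " + p.getVersion()
                    + (s != null ? "  -> supplies CertificateFactory.X.509" : ""));
            if (s != null) {
                found = true;
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Optional: register SunPKCS11 from a cfg file instead of java.security,
        // so the provider set under test can be varied without editing the JRE.
        // Hypothetical usage: java ProviderCheck /var/nss_test/pkcs11.cfg
        if (args.length == 1) {
            Provider pkcs11 = new sun.security.pkcs11.SunPKCS11(args[0]);
            Security.insertProviderAt(pkcs11, 1);
        }

        if (!x509FactoryAvailable()) {
            // Same condition that produced "X.509 CertificateFactory not available"
            // in the post; fail with a readable message instead of a deep stack trace.
            System.err.println("No installed provider supplies CertificateFactory.X.509; "
                    + "KeyStore.load on the PKCS11 keystore will fail while mapping "
                    + "certificate objects from the NSS database.");
            System.exit(2);
        }

        char[] password = "myfips".toCharArray(); // PIN from the post's SimpleTest
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, password);
        System.out.println("PKCS11 keystore loaded with " + ks.size() + " entries");
    }
}
```

Running this with only the SunPKCS11 provider installed prints the provider list without any "supplies CertificateFactory.X.509" line and exits with status 2 before touching the token; with sun.security.provider.Sun present it loads the keystore exactly as SimpleTest does. The check makes explicit which non-PKCS#11 services the JCA keystore path still depends on when evaluating whether a given provider configuration meets the FIPS boundary described in the post.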