Java 8 64 bit on Windows with NSS for FIPS 140 compliance

I have asked this question on Stack Overflow but I am beginning to think that this may be a better forum to ask.

According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows:  https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.

With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions:  https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing

I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:

Excerpt from java.security file:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg


From my nss.cfg file:

# Use NSS as a FIPS-140 compliant cryptographic token
# SunPKCS11-NSS
name = NSS

#32 bit
#nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib

#64 bit
nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib

#non FIPS
#nssDbMode = noDb
#attributes = compatibility

#FIPS
nssSecmodDirectory = c:\devel\fipsdb
nssModule = fips

I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).

So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:

java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
    at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getIndex(Unknown Source)
    at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at java.security.Security.getProvider(Unknown Source)
    at sun.security.ssl.SunJSSE.<init>(Unknown Source)
    at sun.security.ssl.SunJSSE.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
    at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
    at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
    at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
    at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
    at Main.main(Main.java:24)
Caused by: java.io.IOException: %1 is not a valid Win32 application.

    at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
    at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
    ... 36 more


Has JEP 131 been implemented with Windows/Java 64 bit as of b119? If so, has it been verified to work with NSS or should I submit a bug report? I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):


    public synchronized void initialize(DbMode dbMode, String configDir,
        String nssLibDir, boolean nssOptimizeSpace) throws IOException {
        if (isInitialized()) {
            throw new IOException("NSS is already initialized");
        }
        if (dbMode == null) {
            throw new NullPointerException();
        }
        if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
            throw new NullPointerException();
        }
        String platformLibName = System.mapLibraryName("nss3");
        String platformPath;
        if (nssLibDir == null) {
            platformPath = platformLibName;
        } else {
            File base = new File(nssLibDir);
            if (base.isDirectory() == false) {
                throw new IOException("nssLibDir must be a directory:" + nssLibDir);
            }
            File platformFile = new File(base, platformLibName);
            if (platformFile.isFile() == false) {
                throw new FileNotFoundException(platformFile.getPath());
            }
            platformPath = platformFile.getPath();
        }
        if (configDir != null) {
            File configBase = new File(configDir);
            if (configBase.isDirectory() == false ) {
                throw new IOException("configDir must be a directory: " + configDir);
            }
            File secmodFile = new File(configBase, "secmod.db");
            if (secmodFile.isFile() == false) {
                throw new FileNotFoundException(secmodFile.getPath());
            }
        }
        if (DEBUG) System.out.println("lib: " + platformPath);
--->    nssHandle = nssLoadLibrary(platformPath);
        if (DEBUG) System.out.println("handle: " + nssHandle);
        fetchVersions();
        if (supported == false) {
            throw new IOException
                ("The specified version of NSS is incompatible, "
                + "3.7 or later required");
        }
        if (DEBUG) System.out.println("dir: " + configDir);
        boolean initok = nssInitialize(dbMode.functionName, nssHandle,
            configDir, nssOptimizeSpace);
        if (DEBUG) System.out.println("init: " + initok);
        if (initok == false) {
            throw new IOException("NSS initialization failed");
        }
        this.configDir = configDir;
        this.nssLibDir = nssLibDir;
    }

Any help or advice about filing a bug report would be appreciated.

Thanks,


This discussion has been closed.
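
Added example, not part of the original post or of the JDK/NSS code: "%1 is not a valid Win32 application" is the Windows message for ERROR_BAD_EXE_FORMAT, which the loader reports when a DLL image is not valid for the calling process, for instance a 32-bit DLL in a 64-bit JVM. The script below reads the PE header of every DLL in a directory such as nssLibraryDirectory and lists those not built for the JVM's architecture; the function names and the sample files (nss3.dll, nspr4.dll, broken.dll) are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def pe_machine(path):
    """Return the architecture recorded in a PE file's COFF header."""
    with open(path, "rb") as fh:
        dos = fh.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            raise ValueError("not a PE image: no MZ header")
        (pe_off,) = struct.unpack_from("<I", dos, 0x3C)  # e_lfanew
        fh.seek(pe_off)
        hdr = fh.read(6)  # "PE\0\0" signature + 16-bit Machine field
    if len(hdr) < 6 or hdr[:4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    (machine,) = struct.unpack_from("<H", hdr, 4)
    return MACHINES.get(machine, "unknown(0x%04x)" % machine)

def mismatched_dlls(lib_dir, jvm_arch):
    """Map each DLL in lib_dir whose header does not match jvm_arch to what was found."""
    bad = {}
    for dll in sorted(Path(lib_dir).glob("*.dll")):
        try:
            arch = pe_machine(dll)
        except ValueError as exc:
            arch = str(exc)
        if arch != jvm_arch:
            bad[dll.name] = arch
    return bad

def fake_dll(machine):
    """Constructed sample: only the header bytes pe_machine() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    return dos.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<H", machine)

def demo():
    """Constructed directory: a 64-bit nss3.dll beside a 32-bit nspr4.dll."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "nss3.dll").write_bytes(fake_dll(0x8664))
        (Path(d) / "nspr4.dll").write_bytes(fake_dll(0x014C))
        (Path(d) / "broken.dll").write_bytes(b"not a dll")
        return mismatched_dlls(d, "x64")

if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found}")
```

On a real system, call `mismatched_dlls()` with the directory from nss.cfg and "x64" for a 64-bit JVM; an empty result means every DLL there matches that architecture.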