
Following https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html#GUID-85EA1017-E59C-49B9-9207-65B7B2BF171E I set up FIPS like this (note that the guide's sample FIPS `nss.cfg` also sets `name`, `nssLibraryDirectory` and `nssSecmodDirectory`; mine only sets `nssModule`):

# File: /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64/conf/security/java.security
# security.provider.12=SunPKCS11
security.provider.1=SunPKCS11 ${java.home}/lib/security/nss.cfg
# File: /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64/lib/security/nss.cfg
nssModule=fips

Then I followed https://stackoverflow.com/a/56428353, but it fails with:

[root@singlenode ~]# /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64/bin/jrunscript -e "java.util.Arrays.asList(javax.net.ssl.SSLServerSocketFactory.getDefault().getSupportedCipherSuites()).stream().forEach(println)"
Exception in thread "main" java.lang.InternalError: internal error: SHA-1 not available.
        at java.base/sun.security.provider.SecureRandom.init(SecureRandom.java:108)
        at java.base/sun.security.provider.SecureRandom.<init>(SecureRandom.java:79)
        at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:285)
        at java.base/java.security.SecureRandom.<init>(SecureRandom.java:219)
        at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:80)
        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
        at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
        at java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:509)
        at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
        at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
        at java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:69)
        at java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:348)
        at java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:580)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
        at java.base/java.security.Provider$Service.getImplClass(Provider.java:1918)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1894)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
        at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
        at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:99)
        at java.base/javax.net.ssl.SSLServerSocketFactory.getDefault(SSLServerSocketFactory.java:114)
        [...]

which seemed to make sense at first — except that the trace says SHA-1, not MD5, and a SHA-1 *digest* is still FIPS-approved (it is SHA-1 signatures that are disallowed). `sun.security.provider.SecureRandom.init` first asks the `SUN` provider for `SHA` and, failing that, falls back to `MessageDigest.getInstance("SHA")` from *any* installed provider, so this `InternalError` means no provider in the list offers SHA-1 at all. That points at the provider configuration rather than at FIPS: if the stock `security.provider.1=SUN` line is still present, the `security.provider.1` key now appears twice in `java.security`, and `java.util.Properties` keeps only the last value, so one of the two providers is silently dropped — the existing providers should be renumbered instead of adding a second `security.provider.1`.

So I (loosely) followed https://www.baeldung.com/java-list-cipher-algorithms but got this:

jshell> import java.security.Security;

jshell> import java.security.Provider;

jshell> for (Provider provider : Security.getProviders()) {
   ...>     System.out.println(provider);
   ...>     System.out.println("--------");
   ...>     for (Provider.Service service : provider.getServices()) {
   ...>         if (service.getType().equals("Cipher")) {
   ...>             String algorithm = service.getAlgorithm();
   ...>             System.out.println(algorithm);
   ...>         }
   ...>     }
   ...>     System.out.println();
   ...> }
Exception in thread "main" java.lang.SecurityException: SHA MessageDigest not available
        at java.base/java.io.ObjectStreamClass.computeDefaultSUID(ObjectStreamClass.java:1915)
        at java.base/java.io.ObjectStreamClass$1.run(ObjectStreamClass.java:265)
        at java.base/java.io.ObjectStreamClass$1.run(ObjectStreamClass.java:263)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/java.io.ObjectStreamClass.getSerialVersionUID(ObjectStreamClass.java:262)
        at java.base/java.io.ObjectStreamClass.writeNonProxy(ObjectStreamClass.java:809)
        at java.base/java.io.ObjectOutputStream.writeClassDescriptor(ObjectOutputStream.java:671)
        at java.base/java.io.ObjectOutputStream.writeNonProxyDesc(ObjectOutputStream.java:1283)
        at java.base/java.io.ObjectOutputStream.writeClassDesc(ObjectOutputStream.java:1232)
        at java.base/java.io.ObjectOutputStream.writeArray(ObjectOutputStream.java:1323)
        at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1175)
        at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349)
        [...]

So the question is: what should I call to get that list? Or am I breaking Java because I haven't set up FIPS correctly? (The second trace fails on the same plain `MessageDigest.getInstance("SHA")` lookup, this time from `ObjectStreamClass.computeDefaultSUID`, so it is the same missing-digest problem rather than a problem with the listing code. Running with `-Djava.security.debug=jca` shows whether the SunPKCS11 provider actually initialised or was skipped at startup — a provider whose config file fails to parse is dropped without any error on the default output.)

