-
Task
-
Resolution: Done
-
Major
-
None
-
None
-
None
-
None
-
False
-
-
False
-
-
This task is to find a solution to a group of downstream patches, identified as the patches that allow importing and exporting cleartext key from the NSS PKCS#11 software token.
Even when other FIPS-certified libraries allow cleartext import/export of key material (see OpenSSL and Bouncy Castle PoCs in the comments), NSS' FIPS security policy seems to rely on this self-imposed restriction. This doesn't seem something easy to change, so, among the alternatives we considered, we are currently leaning towards re-implementing the importer/exporter code as part of a helper native library. This library would wrap around NSS, redirecting almost everything except the scenarios handled by the current Java importer/exporter.
Every patch is listed as a sub-task, to be closed once we are able to remove this patch in a future OpenJDK 22 build, and in a OpenJDK 21 build assuming the work referred in this task is applicable. You can refer the full fips-21u-75ffdc48eda.patch list of included commits, which corresponds to java-21-openjdk-21.0.0.0.35-1.el8.
- links to
-
openjdk/nss-fips-key-import-export-adapter
NSS FIPS Key Import Export Adapter
1.
|
RH1996182: Login to the NSS Software Token in FIPS Mode |
|
New | 
|
Unassigned |
2.
|
RH1991003: Enable the import of plain keys into the NSS software token |
|
New |
|
Unassigned |
3.
|
RH2023467: Enable FIPS keys export |
|
New |
|
Unassigned |
4.
|
RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage |
|
New |
|
Unassigned |
5.
|
RH2104724: Avoid import/export of DH private keys |
|
New |
|
Unassigned |
6.
|
Remove forgotten dead code from #13 and #14 |
|
New |
|
Unassigned |
7.
|
OJ1357: Fix issue on FIPS with a SecurityManager in place |
|
New |
|
Unassigned |
