JDK-8230923

SunJSSE is not properly initialized in FIPS mode from a configuration file

    Details

    • Introduced In Version:
      11
    • Resolved In Build:
      b01
    • CPU:
      generic
    • OS:
      generic

      Description

      The SunJSSE security provider cannot be properly initialized in FIPS mode from a configuration file. Initialization appears to succeed, but the provider ends up in non-FIPS mode.

      For example, assume the following security providers are listed in a 'java.security' configuration file:

      security.provider.1=SunPKCS11 /path/to/nss.cfg
      security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

      The SunJSSE provider will be initialized in non-FIPS mode, as if the configuration line were "security.provider.2=com.sun.net.ssl.internal.ssl.Provider". In fact, any invalid argument can be set and initialization still appears to succeed, because the argument is not considered at all.

      This bug affects JDK-11 only. Newer versions are not affected because "Experimental FIPS support" was removed. Older versions are not affected because the code related to loading security providers is different.
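      Because the failure is silent, a deployment that relies on the argument form shown above has to be found by inspecting the configuration. The following audit script is an added example, not code from the JDK project or from this report: it scans java.security text for SunJSSE entries that carry a FIPS crypto-provider argument so they can be checked at runtime on JDK 11. The function name, the sample text and the "argument matches an earlier provider name" heuristic are assumptions made for illustration.

```python
import re

# Provider class name taken from the report's java.security example.
SUNJSSE_CLASS = "com.sun.net.ssl.internal.ssl.Provider"
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(.*?)\s*$")


def audit_sunjsse_entries(text):
    """Return (position, argument, backed) for each SunJSSE entry with an argument.

    'backed' is True when an earlier provider entry plausibly supplies the named
    crypto provider (heuristic, assumed: exact name or "<name>-" prefix).
    """
    providers = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # comment lines in a properties file
        m = ENTRY.match(line)
        if m:
            parts = m.group(2).split(None, 1)
            name = parts[0] if parts else ""
            arg = parts[1].strip() if len(parts) > 1 else ""
            providers[int(m.group(1))] = (name, arg)

    findings = []
    for pos in sorted(providers):
        name, arg = providers[pos]
        if name != SUNJSSE_CLASS or not arg:
            continue  # only entries that request FIPS mode via an argument
        earlier = [providers[p][0] for p in providers if p < pos]
        backed = any(arg == e or arg.startswith(e + "-") for e in earlier)
        findings.append((pos, arg, backed))
    return findings


# Constructed sample: the two lines from the report plus one ordinary entry.
SAMPLE = """\
# constructed java.security fragment
security.provider.1=SunPKCS11 /path/to/nss.cfg
security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.3=SunJCE
"""

if __name__ == "__main__":
    for pos, arg, backed in audit_sunjsse_entries(SAMPLE):
        print(f"security.provider.{pos}: SunJSSE argument {arg!r}, earlier "
              f"matching provider: {backed}; JDK 11 ignores this argument "
              "(JDK-8230923), so confirm FIPS mode at runtime")
```

      A finding with a False third field corresponds to the invalid-argument case in the description, which the affected JDK 11 code accepts without complaint.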

              People

              • Assignee:
                mbalao Martin Balao
                Reporter:
                mbalao Martin Balao