RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (openjdk#17)

Reviewed-by: @franferrax, @gnu-andrew

Author: martinuy

src/java.base/share/conf/security/java.security

@@ -304,6 +304,42 @@ keystore.type=pkcs12
 #
 fips.keystore.type=pkcs12
 
+#
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# The syntax for this property is identical to the 'nssSecmodDirectory'
+# attribute available in the SunPKCS11 NSS configuration file. Use the
+# 'sql:' prefix to refer to an SQLite DB.
+#
+# If the system property fips.nssdb.path is also specified, it supersedes
+# the security property value defined here.
+#
+# Note: the default value for this property points to an NSS DB that might be
+# readable by multiple operating system users and unsuitable to store keys.
+#
+fips.nssdb.path=sql:/etc/pki/nssdb
+
+#
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
+#
+# Values must take any of the following forms:
+#   1) pin:<value>
+#        Value: clear text PIN value.
+#   2) env:<value>
+#        Value: environment variable containing the PIN value.
+#   3) file:<value>
+#        Value: path to a file containing the PIN value in its first
+#        line.
+#
+# If the system property fips.nssdb.pin is also specified, it supersedes
+# the security property value defined here.
+#
+# When used as a system property, UTF-8 encoded values are valid. When
+# used as a security property (such as in this file), encode non-Basic
+# Latin Unicode characters with \uXXXX.
+#
+fips.nssdb.pin=pin:
+
 #
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #

src/java.base/share/conf/security/nss.fips.cfg.in

@@ -1,7 +1,7 @@
 name = NSS-FIPS
 nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
+nssSecmodDirectory = ${fips.nssdb.path}
+nssDbMode = readWrite
 nssModule = fips
 
 attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2022, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.security.ProviderException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import sun.security.util.Debug;
+import sun.security.util.SecurityProperties;
+
+final class FIPSTokenLoginHandler implements CallbackHandler {
+
+    private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
+
+    private static final Debug debug = Debug.getInstance("sunpkcs11");
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        if (!(callbacks[0] instanceof PasswordCallback)) {
+            throw new UnsupportedCallbackException(callbacks[0]);
+        }
+        PasswordCallback pc = (PasswordCallback)callbacks[0];
+        pc.setPassword(getFipsNssdbPin());
+    }
+
+    private static char[] getFipsNssdbPin() throws ProviderException {
+        if (debug != null) {
+            debug.println("FIPS: Reading NSS DB PIN for token...");
+        }
+        String pinProp = SecurityProperties
+                .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
+        if (pinProp != null && !pinProp.isEmpty()) {
+            String[] pinPropParts = pinProp.split(":", 2);
+            if (pinPropParts.length < 2) {
+                throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
+                        " property value.");
+            }
+            String prefix = pinPropParts[0].toLowerCase();
+            String value = pinPropParts[1];
+            String pin = null;
+            if (prefix.equals("env")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the '" + value +
+                            "' environment variable.");
+                }
+                pin = System.getenv(value);
+            } else if (prefix.equals("file")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the '" + value +
+                            "' file.");
+                }
+                pin = getPinFromFile(Paths.get(value));
+            } else if (prefix.equals("pin")) {
+                if (debug != null) {
+                    debug.println("FIPS: PIN value from the " +
+                            FIPS_NSSDB_PIN_PROP + " property.");
+                }
+                pin = value;
+            } else {
+                throw new ProviderException("Unsupported prefix for " +
+                        FIPS_NSSDB_PIN_PROP + ".");
+            }
+            if (pin != null && !pin.isEmpty()) {
+                if (debug != null) {
+                    debug.println("FIPS: non-empty PIN.");
+                }
+                /*
+                 * C_Login in libj2pkcs11 receives the PIN in a char[] and
+                 * discards the upper byte of each char, before passing
+                 * the value to the NSS Software Token. However, the
+                 * NSS Software Token accepts any UTF-8 PIN value. Thus,
+                 * expand the PIN here to account for later truncation.
+                 */
+                byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
+                char[] pinChar = new char[pinUtf8.length];
+                for (int i = 0; i < pinChar.length; i++) {
+                    pinChar[i] = (char)(pinUtf8[i] & 0xFF);
+                }
+                return pinChar;
+            }
+        }
+        if (debug != null) {
+            debug.println("FIPS: empty PIN.");
+        }
+        return null;
+    }
+
+    /*
+     * This method extracts the token PIN from the first line of a password
+     * file in the same way as NSS modutil. See for example the -newpwfile
+     * argument used to change the password for an NSS DB.
+     */
+    private static String getPinFromFile(Path f) throws ProviderException {
+        try (InputStream is =
+                Files.newInputStream(f, StandardOpenOption.READ)) {
+            /*
+             * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
+             * reads up to 4096 bytes. In addition, the NSS Software Token
+             * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
+             * in nss/lib/softoken/pkcs11i.h).
+             */
+            BufferedReader in =
+                    new BufferedReader(new InputStreamReader(
+                            new ByteArrayInputStream(is.readNBytes(4096)),
+                            StandardCharsets.UTF_8));
+            return in.readLine();
+        } catch (IOException ioe) {
+            throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
+                    " from the '" + f + "' file.", ioe);
+        }
+    }
+}

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java

@@ -50,6 +50,7 @@
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
+import sun.security.util.SecurityProperties;
 import static sun.security.util.SecurityProviderConstants.getAliases;
 
 import sun.security.pkcs11.Secmod.*;
@@ -97,6 +98,8 @@ public final class SunPKCS11 extends AuthProvider {
         fipsExportKey = fipsExportKeyTmp;
     }
 
+    private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
+
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -150,6 +153,18 @@ public Provider configure(String configArg) throws InvalidParameterException {
             return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
                 @Override
                 public SunPKCS11 run() throws Exception {
+                    if (systemFipsEnabled) {
+                        /*
+                         * The nssSecmodDirectory attribute in the SunPKCS11
+                         * NSS configuration file takes the value of the
+                         * fips.nssdb.path System property after expansion.
+                         * Security properties expansion is unsupported.
+                         */
+                        System.setProperty(
+                                FIPS_NSSDB_PATH_PROP,
+                                SecurityProperties.privilegedGetOverridable(
+                                        FIPS_NSSDB_PATH_PROP));
+                    }
                     return new SunPKCS11(new Config(newConfigName));
                 }
             });
@@ -424,24 +439,6 @@ private static <T> T checkNull(T obj) {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
-            if (systemFipsEnabled) {
-                // The NSS Software Token in FIPS 140-2 mode requires a user
-                // login for most operations. See sftk_fipsCheck. The NSS DB
-                // (/etc/pki/nssdb) PIN is empty.
-                Session session = null;
-                try {
-                    session = token.getOpSession();
-                    p11.C_Login(session.id(), CKU_USER, new char[] {});
-                } catch (PKCS11Exception p11e) {
-                    if (debug != null) {
-                        debug.println("Error during token login: " +
-                                p11e.getMessage());
-                    }
-                    throw p11e;
-                } finally {
-                    token.releaseSession(session);
-                }
-            }
         } catch (Exception e) {
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException
@@ -1441,6 +1438,27 @@ public Object newInstance(Object param)
             if (token.isValid() == false) {
                 throw new NoSuchAlgorithmException("Token has been removed");
             }
+            if (systemFipsEnabled && !token.fipsLoggedIn &&
+                    !getType().equals("KeyStore")) {
+                /*
+                 * The NSS Software Token in FIPS 140-2 mode requires a
+                 * user login for most operations. See sftk_fipsCheck
+                 * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
+                 * service, let the caller perform the login with
+                 * KeyStore::load. Keytool, for example, does this to pass a
+                 * PIN from either the -srcstorepass or -deststorepass
+                 * argument. In case of a non-KeyStore service, perform the
+                 * login now with the PIN available in the fips.nssdb.pin
+                 * property.
+                 */
+                try {
+                    token.ensureLoggedIn(null);
+                } catch (PKCS11Exception | LoginException e) {
+                    throw new ProviderException("FIPS: error during the Token" +
+                            " login required for the " + getType() +
+                            " service.", e);
+                }
+            }
             try {
                 return newInstance0(param);
             } catch (PKCS11Exception e) {
@@ -1797,6 +1815,9 @@ public void logout() throws LoginException {
         try {
             session = token.getOpSession();
             p11.C_Logout(session.id());
+            if (systemFipsEnabled) {
+                token.fipsLoggedIn = false;
+            }
             if (debug != null) {
                 debug.println("logout succeeded");
             }

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java

@@ -33,6 +33,7 @@
 import java.security.*;
 import javax.security.auth.login.LoginException;
 
+import jdk.internal.access.SharedSecrets;
 import sun.security.jca.JCAUtil;
 
 import sun.security.pkcs11.wrapper.*;
@@ -48,6 +49,9 @@
  */
 class Token implements Serializable {
 
+    private static final boolean systemFipsEnabled = SharedSecrets
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
     // need to be serializable to allow SecureRandom to be serialized
     private static final long serialVersionUID = 2541527649100571747L;
 
@@ -114,6 +118,10 @@ class Token implements Serializable {
     // flag indicating whether we are logged in
     private volatile boolean loggedIn;
 
+    // Flag indicating the login status for the NSS Software Token in FIPS mode.
+    // This Token is never asynchronously removed. Used from SunPKCS11.
+    volatile boolean fipsLoggedIn;
+
     // time we last checked login status
     private long lastLoginCheck;
 
@@ -232,7 +240,12 @@ boolean isLoggedInNow(Session session) throws PKCS11Exception {
     // call provider.login() if not
     void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
         if (isLoggedIn(session) == false) {
-            provider.login(null, null);
+            if (systemFipsEnabled) {
+                provider.login(null, new FIPSTokenLoginHandler());
+                fipsLoggedIn = true;
+            } else {
+                provider.login(null, null);
+            }
         }
     }