-
Bug
-
Resolution: Fixed
-
P4
-
8
-
b14
-
generic
-
generic
-
Verified
To allow the java_security tests to run in samevm mode, CR 7055363 saved ("reserved") and restored the default SSLContext in test/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java:
+ SSLContext reservedSSLContext = SSLContext.getDefault();
+ try {
...
+ } finally {
+ SSLContext.setDefault(reservedSSLContext);
+ }
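However, the default SSLContext is not supposed to be FIPS compliant. Calling SSLContext.getDefault() forces the default context to be constructed, and, as the trace below shows, in FIPS mode that construction fails while initializing the default key manager, because its KeyStore is not from the SunPKCS11-NSSKeyStore provider. When the test is run manually, we get the following exception: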
default context init failed: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSKeyStore
----------System.err:(32/2442)----------
java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1261)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:157)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:97)
at CipherTest.main(CipherTest.java:397)
at ClientJSSEServerJSSE.main(ClientJSSEServerJSSE.java:67)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:474)
at com.sun.javatest.regtest.MainWrapper$MainThread.run(MainWrapper.java:94)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSKeyStore
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:65)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:712)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:573)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:395)
at java.lang.Class.newInstance0(Class.java:368)
at java.lang.Class.newInstance(Class.java:320)
at java.security.Provider$Service.newInstance(Provider.java:1235)
... 12 more
+ SSLContext reservedSSLContext = SSLContext.getDefault();
+ try {
...
+ } finally {
+ SSLContext.setDefault(reservedSSLContext);
+ }
However, the default SSLContext is not supposed to be FIPS compliant. When the test is run manually, we get the following exception:
default context init failed: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSKeyStore
----------System.err:(32/2442)----------
java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1261)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:157)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:97)
at CipherTest.main(CipherTest.java:397)
at ClientJSSEServerJSSE.main(ClientJSSEServerJSSE.java:67)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:474)
at com.sun.javatest.regtest.MainWrapper$MainThread.run(MainWrapper.java:94)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSKeyStore
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:65)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:712)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:573)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:395)
at java.lang.Class.newInstance0(Class.java:368)
at java.lang.Class.newInstance(Class.java:320)
at java.security.Provider$Service.newInstance(Provider.java:1235)
... 12 more