- Bug
- Resolution: Fixed
- P3
- 11
- b01
- generic
- generic
The SunJSSE security provider cannot be initialized in FIPS mode from the 'java.security' configuration file. Initialization appears to succeed, but the provider comes up in non-FIPS mode.
For example, assume the following provider entries in a 'java.security' configuration file:
security.provider.1=SunPKCS11 /path/to/nss.cfg
security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
The SunJSSE provider is initialized in non-FIPS mode, exactly as if the line were "security.provider.2=com.sun.net.ssl.internal.ssl.Provider". In fact, any argument, including an invalid one, is accepted and initialization appears to succeed, because the argument is never looked at. A deployment that relies on this line for FIPS compliance therefore silently runs TLS on SunJSSE's default software crypto instead of the PKCS#11 (NSS) provider, and nothing fails loudly to reveal it.
This bug affects JDK 11 only. Newer releases are not affected because the "Experimental FIPS support" was removed; older releases are not affected because their code for loading security providers is different.
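Because the misconfiguration is silent, a deployment needs a runtime check rather than trust in the config line. The following is an added example, not code from the bug report or from the JDK: it inspects the SunJSSE provider registered from 'java.security', reports which mode it actually came up in, and applies the programmatic workaround of constructing the provider with the PKCS#11 provider name that the configuration argument was supposed to carry. It assumes that SunJSSE's info string contains "FIPS mode" when wired to a crypto provider, that in FIPS mode SunJSSE registers no software RSA KeyFactory or PKCS12 KeyStore of its own, and that com.sun.net.ssl.internal.ssl.Provider has a public constructor taking the crypto provider's name; the class name SunJsseFipsCheck and the default provider name are the example's own.

```java
// Added example (not from the report or the JDK): check whether SunJSSE really
// entered FIPS mode after the providers listed in java.security were loaded.
import java.security.Provider;
import java.security.Security;

public class SunJsseFipsCheck {

    /**
     * Returns true only when SunJSSE is wired to a PKCS#11 crypto provider.
     * Assumption: in FIPS mode SunJSSE's info string contains "FIPS mode" and
     * the provider does not register its own software RSA KeyFactory or PKCS12
     * KeyStore, because all crypto is delegated to the PKCS#11 provider.
     */
    static boolean isFipsMode(Provider jsse) {
        boolean infoSaysFips = jsse.getInfo().contains("FIPS mode");
        boolean hasSoftwareCrypto = jsse.getService("KeyFactory", "RSA") != null
                || jsse.getService("KeyStore", "PKCS12") != null;
        return infoSaysFips && !hasSoftwareCrypto;
    }

    @SuppressWarnings("deprecation") // com.sun.net.ssl.internal.ssl.Provider is deprecated since 9
    public static void main(String[] args) {
        // Name of the PKCS#11 provider from the report's security.provider.1 line
        // (SunPKCS11 with an nss.cfg registers itself as "SunPKCS11-NSS").
        String pkcs11Name = args.length > 0 ? args[0] : "SunPKCS11-NSS";

        Provider jsse = Security.getProvider("SunJSSE");
        if (jsse == null) {
            System.err.println("SunJSSE is not registered at all; check java.security");
            System.exit(2);
        }
        System.out.println("SunJSSE " + jsse.getVersionStr() + ": " + jsse.getInfo());

        if (isFipsMode(jsse)) {
            System.out.println("OK: SunJSSE is in FIPS mode");
            return;
        }
        System.out.println("WARNING: SunJSSE is in non-FIPS mode; the config argument was ignored");

        // Workaround: build the provider in code and pass the argument the
        // configuration line should have carried. The constructor looks up the
        // named PKCS#11 provider, so that provider must already be registered.
        if (Security.getProvider(pkcs11Name) == null) {
            System.err.println("No provider named " + pkcs11Name + " is registered; cannot enter FIPS mode");
            System.exit(2);
        }

        // Keep SunJSSE at the same (1-based) position it had in the provider list.
        Provider[] all = Security.getProviders();
        int position = all.length;
        for (int i = 0; i < all.length; i++) {
            if (all[i] == jsse) {
                position = i + 1;
                break;
            }
        }
        Security.removeProvider("SunJSSE");
        Provider fipsJsse = new com.sun.net.ssl.internal.ssl.Provider(pkcs11Name);
        Security.insertProviderAt(fipsJsse, position);

        Provider reloaded = Security.getProvider("SunJSSE");
        System.out.println("After workaround: " + reloaded.getInfo());
        System.exit(isFipsMode(reloaded) ? 0 : 1);
    }
}
```

Run it with the report's two provider lines in effect, e.g. `java -Djava.security.properties=/path/to/java.security SunJsseFipsCheck` (the path is a placeholder; with a single `=` the file's `security.provider.N` keys override the master file's entries of the same number and any others stay in place). On an affected JDK 11 the first line printed shows the non-FIPS info string and the program prints the warning before the workaround; exit status 0 means FIPS mode was reached, 1 that the workaround did not take, 2 that a prerequisite provider is missing. The workaround only helps code that runs before any TLS context is created, so it belongs at the very start of application startup, not in a library loaded later.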
relates to:
- JDK-7191662 JCE providers should be located via ServiceLoader (Closed)
- JDK-8237600 Test SunJSSEFIPSInit fails on Ubuntu (Resolved)