Bug 1227918

Summary: [security][fips] openjdk crash in FIPS mode
Product: [SUSE Linux Enterprise Server] PUBLIC SUSE Linux Enterprise Server 15 SP3
Reporter: Emil Miler <emil.miler>
Component: Security
Assignee: Martin Sirringhaus <martin.sirringhaus>
Status: NEW ---
QA Contact:
Severity: Normal
Priority: P5 - None
CC: emil.miler, meissner
Version: unspecified
Flags: martin.sirringhaus: needinfo? (emil.miler)
Target Milestone: unspecified
Hardware: Other
OS: Other
URL: https://openqa.suse.de/tests/14938083/modules/tpm_selftest/steps/32
Whiteboard:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---

Description Emil Miler 2024-07-16 12:26:03 UTC
Our tests of openjdk started crashing in FIPS mode after the latest mozilla-nss update https://smelt.suse.de/incident/34061/

Fails with `Could not initialize NSS`.

```
Listing all JCA Security Providers.
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:295)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:179)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:153)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:153)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
    at java.base/sun.security.jca.ProviderList.loadAll(ProviderList.java:317)
    at java.base/sun.security.jca.ProviderList.removeInvalid(ProviderList.java:334)
    at java.base/sun.security.jca.Providers.getFullProviderList(Providers.java:186)
    at java.base/java.security.Security.getProviders(Security.java:506)
    at net.eckenfels.test.jce.JCEProviderInfo.main(JCEProviderInfo.java:27)
Caused by: java.io.IOException: NSS initialization failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:243)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:290)
    ... 14 more
```

Related test: https://openqa.suse.de/tests/14939487#step/openjdk_fips/37
Comment 1 Marcus Meissner 2024-07-16 13:56:14 UTC
I think the mozilla-nss-sysinit package is not installed.

java-17-openjdk-headless-17.0.11.0-150400.3.42.1.x86_64
Recommends: mozilla-nss-sysinit

Can you make the java fips tests install "mozilla-nss-sysinit"?
Comment 2 Marcus Meissner 2024-07-16 13:56:45 UTC
(so I think it's a testcase issue)
Comment 3 Emil Miler 2024-07-17 13:29:44 UTC
The issue happens even when `mozilla-nss-sysinit` is installed, for example: https://openqa.suse.de/tests/14948508#step/prepare_env/10 where Zypper complains that the package is already installed when I tried to install it again.
Comment 4 Martin Sirringhaus 2024-07-17 13:40:49 UTC
Could you please retest with NSS 3.101.1 from https://build.suse.de/package/show/Devel:Desktop:Mozilla:SLE-15:next/mozilla-nss and see if the problem persists?
Comment 5 Marcus Meissner 2024-07-17 15:14:01 UTC
It really seems to depend on correct mozilla-nss-sysinit initialization for me.
Comment 6 Emil Miler 2024-07-18 07:15:55 UTC
I injected the 3.101.1 version of all the related NSS packages into the failing test run and it seems to be working fine. See https://openqa.suse.de/tests/14958050.