Spring Boot 3.1.1 can't load SSL certs from a PKCS11-NSS keystore when JVM FIPS mode is turned on. This is a regression from 3.0.7. To reproduce, run the application with these extra JVM options along with the FIPS mode config for the JVM:
-Dserver.ssl.key-store-type=PKCS11 -Dserver.ssl.key-store-provider=SunPKCS11-NSS-FIPS
Seems even with FIPS mode on it looks for a JKS-type truststore.
Error in log:
java.security.NoSuchAlgorithmException: JKS KeyStore not available
at sun.security.jca.GetInstance.getInstance()
Comment From: wilkinsona
Thanks for the report but it doesn't contain enough information for me to be able to diagnose the problem. If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue. The complete stack trace of the failure would also be useful.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: Shrinivas-Kane
demo.zip (PFA). Please set JVM arguments to enable FIPS encryption in the JVM.
Comment From: wilkinsona
Thanks for the sample.
please set JVM arguments to enable fips encryption in JVM
Please describe this in detail. We may be able to guess what your custom FIPS configuration is, but doing so is time consuming and likely to be inaccurate. We need the exact steps that are required to recreate the configuration with which you're seeing the problem.
Comment From: Shrinivas-Kane
nss.fips.cfg:
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
The security properties file has:
security.provider.12=SunPKCS11
RestrictedSecurity1.keystore.type = PKCS11
RestrictedSecurity1.javax.net.ssl.keyStore = NONE
RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
RestrictedSecurity1.securerandom.algorithm = PKCS11
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
securerandom.drbg.config=
login.configuration.provider=sun.security.provider.ConfigFile
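A stand-alone check, added here and not part of the original issue or of Spring Boot, that opens the same provider and keystore type outside the framework so the JVM-level FIPS setup can be confirmed before Spring Boot's SSL configuration is involved. The provider name and key-store type are taken from the JVM options in the report; reading the token PIN from an NSS_PIN environment variable is an assumption made for this example.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

public class NssFipsKeyStoreCheck {
    // Values from the reporter's JVM options; the PIN source is an assumption for this check.
    static final String PROVIDER_NAME = "SunPKCS11-NSS-FIPS";
    static final String KEY_STORE_TYPE = "PKCS11";

    public static void main(String[] args) throws Exception {
        // 1. Is the FIPS provider actually registered under the expected name?
        Provider provider = Security.getProvider(PROVIDER_NAME);
        if (provider == null) {
            System.err.println("Provider " + PROVIDER_NAME + " not registered. Installed providers:");
            for (Provider p : Security.getProviders()) {
                System.err.println("  " + p.getName());
            }
            System.exit(1);
        }

        // 2. What does the JVM consider the default keystore type? Anything configured
        //    without an explicit type (e.g. a trust store) will ask for this type.
        System.out.println("keystore.type default: " + KeyStore.getDefaultType());
        try {
            KeyStore.getInstance("JKS");
            System.out.println("JKS keystore: available");
        } catch (KeyStoreException e) {
            // Same condition as the "JKS KeyStore not available" error in the report.
            System.out.println("JKS keystore: NOT available (" + e.getMessage() + ")");
        }

        // 3. Open the PKCS11 keystore the way server.ssl.key-store-type=PKCS11 implies:
        //    there is no file ("NONE"), so load() gets a null stream and the token PIN.
        String pinEnv = System.getenv("NSS_PIN"); // assumed source of the token PIN
        char[] pin = pinEnv == null ? null : pinEnv.toCharArray();
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE, provider);
        ks.load(null, pin);
        System.out.println("Aliases in " + PROVIDER_NAME + " keystore: " + Collections.list(ks.aliases()));

        // 4. Build key and trust managers from that store, which is what a TLS server needs.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        System.out.println("KeyManagerFactory and TrustManagerFactory initialised OK");
    }
}
```

Run it with the same FIPS security properties and nss.fips.cfg the application uses; if step 2 reports JKS as unavailable while step 3 succeeds, the token itself is usable and the problem is confined to whichever component still requests a JKS store.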
Comment From: wilkinsona
Thanks. Unfortunately, that's not sufficient. As I said above, we need the exact steps to recreate the problem. Please assume that we know nothing about your environment and that we have never set up FIPS before. I'm afraid we can't justify spending time on trying to guess what your setup may be, and without the exact steps needed to recreate the problem this issue will be closed.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.