Hi,
We are trying to generate a FIPS compliant JVM using NSS as our cryptographic
provider. We compiled NSS 3.25, JDK 1.8u112 and made the below settings.
We removed all other providers from java.security, and left only NSS as
provider of JCE and JSSE.
Our questions:
1 - Is it actually needed to have NSS as the only provider in order to have a
FIPS compatible JVM? If not, what should be the location?
2 - We are getting Jar verification error due to X.509 not found (log below).
What could be the reason?
Thank you for your help,
Eldad,
====nss.cfg======================
name = NSSfips
nssLibraryDirectory = C:\NSS\lib
nssSecmodDirectory = C:\NSS\db
nssModule = fips
=================================
=========java.security===================
security.provider.1=sun.security.pkcs11.SunPKCS11 C:\\NSS\\nss.cfg
security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSSfips
#commented:
#security.provider.3=sun.security.provider.Sun
#security.provider.4=com.sun.crypto.provider.SunJCE
#security.provider.4=sun.security.rsa.SunRsaSign
#security.provider.6=sun.security.ec.SunEC
#security.provider.7=sun.security.jgss.SunProvider
#security.provider.8=com.sun.security.sasl.Provider
#security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
#security.provider.10=sun.security.smartcardio.SunPCSC
===========================================================================
=========error log==================================
Exception in thread "main" java.lang.ExceptionInInitializerError
    at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:228)
    ... 14 more
Caused by: java.security.PrivilegedActionException: java.security.cert.CertificateException: X.509 not found
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:186)
    ... 14 more
Caused by: java.security.cert.CertificateException: X.509 not found
    at java.security.cert.CertificateFactory.getInstance(Unknown Source)
    at javax.crypto.JarVerifier$1.run(JarVerifier.java:192)
    at javax.crypto.JarVerifier$1.run(JarVerifier.java:187)
    ... 16 more
Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    ... 19 more
=======================================================================
--
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
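
The innermost cause in the log above is that no registered provider offers an X.509 CertificateFactory. The following diagnostic is an added example, not part of the original message: it lists the providers the JVM actually registered from java.security and reports which of them, if any, supply a given service. The class name ProviderServiceCheck and the Type:Algorithm argument format are assumptions of this example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic (not from the original message). Run it with the same
// java.security file as the failing JVM, for example:
//   java ProviderServiceCheck CertificateFactory:X.509 MessageDigest:SHA-256
public class ProviderServiceCheck {

    // Names of registered providers that offer type/algorithm, in preference order.
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Show what the JVM actually registered from the security.provider.N entries.
        Provider[] registered = Security.getProviders();
        for (int i = 0; i < registered.length; i++) {
            System.out.printf("provider %d = %s (%d services)%n",
                    i + 1, registered[i].getName(), registered[i].getServices().size());
        }

        // Default to the service named in the stack trace above.
        String[] wanted = args.length > 0 ? args : new String[] {"CertificateFactory:X.509"};
        boolean missing = false;
        for (String spec : wanted) {
            int sep = spec.indexOf(':');
            if (sep < 1 || sep == spec.length() - 1) {
                System.err.println("skipping malformed argument (want Type:Algorithm): " + spec);
                continue;
            }
            List<String> found = providersFor(spec.substring(0, sep), spec.substring(sep + 1));
            System.out.println(spec + " -> " + (found.isEmpty() ? "NOT AVAILABLE" : found));
            missing |= found.isEmpty();
        }
        // Non-zero exit lets a build or deployment check fail fast.
        System.exit(missing ? 1 : 0);
    }
}
```

The check only uses java.security classes, so it does not go through the javax.crypto JarVerifier initialization that fails in the log.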