I'm trying to enable FIPS mode using SunPKCS11 with NSS in Java 11. I get this exception: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available.

When I tried to enable FIPS in Java 8 it worked fine, but doing the same in Java 11 throws the exception.

The initialization of SunPKCS11 changed from Java 8 to Java 11.

In Java 8:

  Provider provider = Security.getProvider("SunPKCS11");
  provider.configure(nssConfigFile);

Java 11:

  Provider provider = new sun.security.pkcs11.SunPKCS11(nssConfigFile);
  Security.addProvider(provider);

After initializing SunPKCS11 with the config file, I'm trying to get the provider from the keystore as below.
One more thing: when I initialized SunPKCS11, its Provider.id.info was set to "Unconfigured and unusable PKCS11 provider". Does this have something to do with it?

  KeyStore.getInstance("SUNPKCS11");

Then here I don't have PKCS11 in the keystore.

My config file content looks as below:

  name=nss-client
  nssLibraryDirectory=X:\XXX\NSS\lib\
  nssSecmodDirectory=X:\XXX\NSS\db\
  nssModule=fips

Do I need to change something in the config file contents or is it a bug in Java 11?

Please help me with your valuable suggestions.

1 answer

Brian Lauber:

Alright -- one of the comments on the original question contained the solution. So, I'm re-documenting it here.

It appears that the provider.configure(..) method returns a new Provider rather than mutating the original provider. With that in mind, you can do this instead:

  Provider oldProvider = Security.getProvider("SunPKCS11");
  Provider newProvider = oldProvider.configure("yubihsm.conf");
  Security.addProvider(newProvider);

  // Hooray!  This works now!
  KeyStore ks = KeyStore.getInstance("pkcs11");
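The answer's point, carried through into a complete program with the checks a practitioner would want before trusting the provider. This is an added example, not code from the question or the answer: the config path, the NSS_FIPS_PIN environment variable and the class name are assumptions; the API calls (Provider.configure, Provider.isConfigured, Provider.getService, Security.addProvider) are the standard Java 9+ ones.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/**
 * Added example (not from the question or answer): load a SunPKCS11 provider
 * on Java 9+ the way Provider.configure() actually behaves, and verify that
 * the configured provider exposes the "PKCS11" KeyStore before using it.
 */
public class FipsPkcs11Init {

    /** Assumed config path; the question's real file and NSS paths are not on the page. */
    private static final String NSS_CONFIG = "X:\\XXX\\NSS\\nss-fips.cfg";

    /**
     * Returns a configured SunPKCS11 provider. The provider registered as
     * "SunPKCS11" in java.security is an unconfigured template: isConfigured()
     * is false and getInfo() reports it as unusable. Its configure() method does
     * not modify the template; it returns a separate Provider whose name is
     * "SunPKCS11-" followed by the name= attribute of the config file.
     */
    public static Provider loadConfiguredProvider(String configPath) {
        Provider template = Security.getProvider("SunPKCS11");
        if (template == null) {
            throw new IllegalStateException(
                "SunPKCS11 is not listed in java.security on this JDK");
        }
        Provider configured = template.configure(configPath);
        if (!configured.isConfigured()) {
            throw new IllegalStateException(
                "configure() did not yield a usable provider: " + configured.getInfo());
        }
        // Check the service the question needs before touching the keystore:
        // the configured provider must advertise KeyStore type "PKCS11".
        if (configured.getService("KeyStore", "PKCS11") == null) {
            throw new IllegalStateException(configured.getName()
                + " offers no PKCS11 KeyStore; check nssModule / slot settings");
        }
        // addProvider returns -1 when a provider with the same name is already
        // installed (for example on a second call); reuse the installed one then.
        int position = Security.addProvider(configured);
        if (position == -1) {
            configured = Security.getProvider(configured.getName());
        }
        return configured;
    }

    /**
     * Opens the PKCS#11 keystore on the given provider. An NSS module in FIPS
     * mode requires a token login, so the NSS database password is passed as
     * the load() password.
     */
    public static KeyStore openKeyStore(Provider configured, char[] tokenPassword)
            throws Exception {
        // Pass the provider object explicitly so the lookup cannot fall through
        // to some other installed provider with a "PKCS11" KeyStore.
        KeyStore ks = KeyStore.getInstance("PKCS11", configured);
        ks.load(null, tokenPassword);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadConfiguredProvider(NSS_CONFIG);
        System.out.println("Loaded " + p.getName() + ": " + p.getInfo());
        // Assumed: the NSS FIPS database password is supplied via NSS_FIPS_PIN.
        char[] pin = System.getenv().getOrDefault("NSS_FIPS_PIN", "").toCharArray();
        KeyStore ks = openKeyStore(p, pin);
        System.out.println("PKCS11 keystore contains " + ks.size() + " entries");
    }
}
```

Two details worth knowing when moving from the question's Java 8 code: the sun.security.pkcs11.SunPKCS11(String) constructor used on Java 8 is internal API, and on Java 9+ the class lives in the jdk.crypto.cryptoki module and is not exported, so Provider.configure() is the supported route; and because configure() returns a fresh instance, the template obtained from Security.getProvider("SunPKCS11") will keep reporting "Unconfigured and unusable PKCS11 provider" no matter how many times configure() is called on it, which is exactly the symptom in the question.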