trying to enable FIPS mode using SunPKCS11 with NSS in Java

6.9k views Asked by At

I'm working on a project requiring FIPS 140-2 validated cryptography, and I'm trying to use NSS with the SunPKCS11 token interface, and I've gotten it working up until turning on FIPS mode in NSS. I get an error, CKR_USER_NOT_LOGGED_IN, that I just don't have any idea what to do with. Any suggestions as to what I should do?

I'm new to the security world, so this code is cobbled together from the examples in the Oracle Java Tutorials, the SunPKCS11 reference page, and suggestions for using NSS in FIPS mode on the web.

Here's the code I'm using:

String ksName = "my.pfx";
char[] spass = {'m', 'y', 'p', 'w' };
String alias = "testalias";
try {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    FileInputStream ksfis = new FileInputStream(ksName); 
    BufferedInputStream ksbufin = new BufferedInputStream(ksfis);
    ks.load(ksbufin, spass);
    PrivateKey priv = (PrivateKey) ks.getKey(alias, spass);

    System.out.println(" Initialize the signing.");
    Signature sig = Signature.getInstance("SHA1withRSA", "SunPKCS11-NSS-FIPS");
    sig.initSign(priv);

    System.out.println(" Open the digital object to sign.");
    FileInputStream fis = new FileInputStream( "digitalRecipes2.txt" );
    BufferedInputStream bufin = new BufferedInputStream(fis);
    byte[] buffer = new byte[1024];
    int len;
    while ((len = bufin.read(buffer)) >= 0) {
        sig.update(buffer, 0, len);
    }
    bufin.close();

    byte[] realSig = sig.sign();

    FileOutputStream sigfos = new FileOutputStream("digitalRecipes2.txt.sig");
    sigfos.write(realSig);
    sigfos.close();

    java.security.cert.Certificate cert = ks.getCertificate(alias);
    byte[] encodedCert = cert.getEncoded();

    FileOutputStream certfos = new FileOutputStream("mykey.cert");
    certfos.write(encodedCert);
    certfos.close();    
} catch (Exception e) {
    System.err.println( "Caught exception " + e.toString() );
    e.printStackTrace();
}

and here's the config I'm using for nss.

name = NSS-FIPS
nssLibraryDirectory = /opt/local/lib/nss
nssSecmodDirectory = /Users/xxxx/work/workspace/learnin/XXXX
nssDbMode = readWrite 
nssModule = fips

When I run this code, I get the the following stacktrace.

Initialize the signing.
Caught exception java.security.InvalidKeyException: Could not create RSA private key
java.security.InvalidKeyException: Could not create RSA private key
    at     sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:88)
    at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:115)
    at sun.security.pkcs11.P11KeyFactory.convertKey(P11KeyFactory.java:48)
    at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:374)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)
    at java.security.Signature.initSign(Signature.java:480)
    at     com.xxxxxxxx.digitalSigning.SignMeUpSunPKCS11NSS.main(SignMeUpSunPKCS11NSS.java:43)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at sun.security.pkcs11.P11RSAKeyFactory.generatePrivate(P11RSAKeyFactory.java:238)
    at     sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:62)
    ... 6 more

and it's the CKR_USER_NOT_LOGGED_IN error that I have no idea what to do with.

If I change the NSS configuration to not use FIPS mode, then the program runs fine and signs the file, gives the signature, and gives the public key.

I created the NSS databases using the following commands while in the appropriate directory listed in the NSS config file.

modutil -create -dbdir .
modutil -fips true -dbdir .
modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir .
1

There are 1 answers

0
Ivan Kinash On

You should login on security token first. You can use AuthProvider:

AuthProvider aprov = Security.getProvider("SunPKCS11-NSS-FIPS");
aprov.login(subject, new MyCallbackHandler());

In accordance with:

http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#Login