Open Steve973 opened 5 months ago
I have some more information, in case it helps, and I pushed on a bit further. It turns out that it requires the pin to either be set in java.security, or as a system property on the command line. So, adding `-Dfips.nssdb.pin=pin:XXXXXXXXXX` resolves the bad arguments error message, but it ends up producing this:

```
Caused by: java.security.ProviderException: update() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Digest.engineUpdate(P11Digest.java:242)
at java.base/java.security.MessageDigest$Delegate.engineUpdate(MessageDigest.java:658)
at java.base/java.security.MessageDigest.update(MessageDigest.java:349)
at org.gradle.internal.hash.Hashing$MessageDigestHasher.update(Hashing.java:302)
at org.gradle.internal.hash.Hashing$MessageDigestHasher.putInt(Hashing.java:318)
at org.gradle.internal.hash.Hashing$DefaultHasher.putString(Hashing.java:413)
at org.gradle.internal.hash.Hashing.signature(Hashing.java:78)
at org.gradle.api.internal.changedetection.state.DefaultResourceSnapshotterCacheService.<clinit>(DefaultResourceSnapshotterCacheService.java:33)
... 107 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_DigestInit(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Digest.engineUpdate(P11Digest.java:224)
... 114 more
```

when I run `gradle init` in an empty directory. I have been searching a lot for information on this, but I cannot seem to find any. So, why is nssdb involved at all when using SoftHSM? I have to assume that plenty of people are using SoftHSM2 on RHEL8 with Java 17, and some of them must be using it in FIPS mode. Any ideas, or can I provide even more information?
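A small stand-alone Java 17 check, added here as an example and not code from the thread or from SoftHSM, that drives the same `MessageDigest` → `P11Digest` path as the Gradle trace above without Gradle in the picture, so a `CKR_*` return code can be attributed to the token configuration rather than to the build tool. The `pkcs11.cfg` system property and the config file path are placeholders; the input bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.HexFormat;

/**
 * Minimal SunPKCS11 digest check, independent of Gradle.
 * Run with:  java -Dpkcs11.cfg=/PATH/TO/pkcs11.cfg P11DigestCheck
 * (property name and path are placeholders for this example).
 */
public class P11DigestCheck {

    /** SHA-256 of input via the given provider, as lowercase hex. */
    static String digestWith(Provider provider, byte[] input) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256", provider);
        md.update(input);   // the call that failed with CKR_GENERAL_ERROR in the report above
        return HexFormat.of().formatHex(md.digest());
    }

    /** Prints the cause chain so the PKCS#11 return code is visible without Gradle's frames. */
    static void printCauses(Throwable e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        String cfg = System.getProperty("pkcs11.cfg", "/PATH/TO/pkcs11.cfg"); // placeholder
        byte[] input = "gradle init".getBytes(StandardCharsets.UTF_8);       // constructed input

        // Configure a SunPKCS11 instance from the same config file the Gradle JVM would use.
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p11);
        System.out.println("Loaded provider: " + p11.getName() + " (" + p11.getInfo() + ")");

        // Reference value from the pure-Java SUN provider, if it is still available in this mode.
        String reference = null;
        Provider sun = Security.getProvider("SUN");
        if (sun != null) {
            try { reference = digestWith(sun, input); } catch (Exception e) { printCauses(e); }
        }
        System.out.println("SUN     SHA-256: " + reference);

        try {
            String viaToken = digestWith(p11, input);
            boolean match = reference != null && reference.equals(viaToken);
            System.out.println("PKCS#11 SHA-256: " + viaToken + (match ? " (match)" : ""));
        } catch (Exception e) {
            printCauses(e);
        }
    }
}
```

If this program fails with the same `CKR_GENERAL_ERROR` on `update()`, the problem lies in the token or provider configuration rather than in Gradle.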
We run SoftHSM on Java 17 but not for Gradle. What are you trying to achieve?
My team and I work on an enclave where we have future requirements of being FIPS compliant, and using something like SoftHSM for all of our X509 certificate accesses would help a lot.
I don't think that SoftHSM has been FIPS certified, contrary to OpenSSL, which has a FIPS module.
Anyway, I will try reproducing your issue. Does Gradle work with P11 but without the FIPS mode?
I have followed all of the instructions, and I have looked through a lot of results on google, but there is an error that I am getting that seems like it should not be happening. Here are the details:
I am trying to run gradle (even `gradle init`) on an EC2 instance where I have enabled FIPS mode, and configured SoftHSM 2 as my PKCS#11 provider. This is RHEL 8.9 and SoftHSM is 2.6.1 (from EPEL). Whenever I run gradle, I always get (abbreviated stack trace):
My `~/.config/softhsm2/softhsm2.conf` looks like this:

My Java 17 security file has these for the FIPS providers:
The PKCS11 config file (referenced in the fips provider directly above) looks like this:
In my `~/.gradle/gradle.properties`, I have tried using system properties:

I have tried including these args in the `JAVA_OPTS`, `GRADLE_OPTS`, and `DEFAULT_JVM_ARGS` environment variables, and I have also even commented out the jvmargs in gradle.properties. In all cases, I keep getting this same error. You may have noticed `showInfo = true` above, and it always shows that it is accessing PKCS11:

Does this seem like a bug? I have checked, double checked, triple-checked, and probably many more iterations of that, though I cannot find the problem. Can I provide any further information if this is worth looking into as a bug?