I'm trying to enable FIPS mode using SunPKCS11 with NSS in Java 11. I get this exception: `java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available`.
When I enable FIPS in Java 8 it works fine, but doing the same in Java 11 throws the exception.
The initialization of SunPKCS11 changed from Java 8 to Java 11.
In Java 8:
  Provider provider = Security.getProvider("SunPKCS11");      
  provider.configure(nssConfigFile);
Java 11:
  Provider provider = new sun.security.pkcs11.SunPKCS11(nssConfigFile);
  Security.addProvider(provider);
After initializing SunPKCS11 with the config file, I'm trying to obtain the KeyStore from the provider as below:
  KeyStore.getInstance("PKCS11");   // the KeyStore type is "PKCS11"; "SunPKCS11" is the provider name
Here I don't get the PKCS11 keystore.
One more thing: when I initialize SunPKCS11, its `Provider.getInfo()` is set to
"Unconfigured and unusable PKCS11 provider". Does this have something to do with it?
My config file content looks as below:
  name=nss-client
  nssLibraryDirectory=X:\XXX\NSS\lib\
  nssSecmodDirectory=X:\XXX\NSS\db\
  nssModule=fips
Do I need to change something in the config file contents, or is it a bug in Java 11?
Please help me with valuable suggestions.
Alright -- one of the comments on the original question contained the solution. So I'm re-documenting it here.
It appears that the `provider.configure(..)` method returns a new Provider rather than mutating the original provider. With that in mind, you can do this instead:
Provider oldProvider = Security.getProvider("SunPKCS11");
Provider newProvider = oldProvider.configure("yubihsm.conf");
Security.addProvider(newProvider);
// Hooray!  This works now!
KeyStore ks = KeyStore.getInstance("pkcs11");
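The following is an added, complete example (not the poster's or the answerer's code) that puts the fix above into a runnable program for the NSS-in-FIPS-mode case from the question. `Provider.configure(String)` and `Provider.isConfigured()` exist only from Java 9 on; on Java 8 the `sun.security.pkcs11.SunPKCS11(String)` constructor is used instead. The example assumes the config file from the question (so the configured provider is named `SunPKCS11-nss-client`, since the JDK derives the name as `SunPKCS11-<name>`), assumes the NSS FIPS token requires a login PIN before the keystore can be listed, and uses a hypothetical default file name `nss-fips.cfg`; the class name and `pin` handling are the example's own.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/**
 * Configure SunPKCS11 against NSS in FIPS mode on Java 9+ and open its KeyStore.
 * Usage: java NssFipsKeyStore [path-to-pkcs11-config]
 */
public class NssFipsKeyStore {

    public static void main(String[] args) throws Exception {
        // Config file content is the one from the question (name=nss-client, nssModule=fips, ...).
        // "nss-fips.cfg" is an assumed default file name for this example.
        String nssConfigFile = args.length > 0 ? args[0] : "nss-fips.cfg";

        // Assumption: the NSS FIPS token needs a login PIN; read it from the console, never hard-code it.
        char[] pin = System.console() != null
                ? System.console().readPassword("NSS FIPS token PIN: ")
                : new char[0];

        // On Java 9+ the stock SunPKCS11 provider is present but unconfigured
        // (getInfo() reports "Unconfigured and unusable PKCS11 provider").
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException(
                    "SunPKCS11 not present; is the jdk.crypto.cryptoki module available?");
        }
        System.out.println("before configure: " + base.getInfo());

        // configure() does NOT mutate 'base'; it returns a new, configured provider.
        // Discarding the return value is exactly the bug in the question.
        Provider nss = base.configure(nssConfigFile);
        if (!nss.isConfigured()) {
            throw new IllegalStateException("provider still unconfigured after configure()");
        }
        System.out.println("configured provider: " + nss.getName() + " / " + nss.getInfo());

        // Register the configured instance. Use insertProviderAt(nss, 1) instead of
        // addProvider if the NSS FIPS module must win provider lookup over SunJCE.
        Security.addProvider(nss);

        // Bind the KeyStore to the configured provider explicitly instead of relying on
        // "PKCS11" being resolved through the provider list.
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, pin);   // null stream: PKCS#11 keystores have no file; PIN is the token login

        System.out.println("aliases in FIPS token:");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias + (ks.isKeyEntry(alias) ? " (key)" : " (cert)"));
        }

        // Wipe the PIN from memory once the token is logged in.
        java.util.Arrays.fill(pin, '\0');
    }
}
```

Two checks worth keeping in real code: `isConfigured()` distinguishes the usable instance from the stock one that `Security.getProvider("SunPKCS11")` returns, and passing the provider object to `KeyStore.getInstance("PKCS11", nss)` avoids depending on where `addProvider` placed it in the provider order.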