@@ -229,6 +229,193 @@ $ openssl list -providers | grep -A3 fips
229229 status: active
230230```
231231
232+ ### NSS-FIPS and Java crypto APIs
233+
234+ #### Java crypto
235+
236+ Java has a fully abstract crypto API with a pluggable cryptographic implementation organized into
237+ crypto Providers. Providers, as the name suggests, provide implementations for various crypto
238+ algorithms. The providers are loaded using JRE's configuration, either system-wide or per
239+ deployment, or can be loaded at application runtime.
240+
241+ The order of available crypto providers is important as methods such as
242+ Cipher.getInstance(algorithm) without specifying the exact provider name (through second
243+ parameter) will return a matching implementation from the first provider that implements that
244+ crypto mechanism.
245+
246+ Some providers, like one of the default JDK providers – SunJCE – provide only the basic crypto
247+ primitives. Others - like SunJSSE – provide higher level operations that rely on crypto primitives
248+ implemented by other providers. Those operations are, for instance, those being part of TLS or
249+ X509 standards in order to handle transport layer security or public key infrastructure.
250+
251+ #### FIPS compliant implementations
252+
253+ In order to use FIPS compliant and FIPS certified implementations of cryptographic mechanisms
254+ the application should use a crypto provider that interfaces with a concrete implementation certified
255+ to be FIPS compliant. Many 3rd party applications or libraries (packages) rely on the Provider
256+ infrastructure and cede the choice of crypto implementations to the app/system maintainer.
257+
258+ Therefore in most cases the deployer – likely a sysadmin or devops – is free to choose an
259+ appropriate set of crypto providers for the application.
260+
261+ OpenJDK for instance allows for configuring a PKCS11 provider which can interface with a native,
262+ system-wide crypto library – NSS and its PKCS11 implementation – libsoftokn3.so. This
263+ implementation by tuxcare is FIPS compliant.
264+
265+ An alternative PKCS11 implementation is SoftHSM which uses OpenSSL underneath. However,
266+ the cryptographic boundary is slightly shifted here. libsoftokn3 with NSS is FIPS certified while
267+ softhsm library alone is not, although the underlying openssl is.
268+
269+ There are also alternative ways to interface with other system wide, FIPS compliant, native libs
270+ such as OpenSSL however this would need extra effort to build and maintain other, 3rd party
271+ providers, that are not readily available in the package repos and would have to be provided by the
272+ maintainer of the end application.
273+
274+ #### Java's crypto API diagram
275+
276+ ![ Java Crypto Providers] ( /images/providers.webp )
277+
278+ #### SunPKCS11 provider
279+
280+ SunPKCS11 is a provider which interfaces, through JNI, with a native implementation that exposes
281+ a PKCS11 crypto API, typically called a "token". Typically that would mean a hardware token – a
282+ device that implements crypto operations and exposes a PKCS11 interface through a "driver" being
283+ a native shared library.
284+
285+ #### NSS-FIPS implementation
286+
287+ NSS-FIPS implementation acts as a software token. It provides a PKCS11 interface like any USB
288+ crypto token, a HSM or a smart card would, but the actual implementation is provided in software
289+ using libnss3.
290+
291+ #### JSSE
292+
293+ JSSE provides TLS and PKI implementations and, if the provider set is properly configured, would
294+ have to rely on cryptographic primitives provided by NSS-FIPS.
295+
296+ #### Alternative providers
297+
298+ So far NSS is the only crypto library that alone provides an "upwards-facing" PKCS11 API and
299+ thus can be easily and seamlessly incorporated into a Java software solution. Other means include
300+ using
301+
302+ * softHSM
303+
304+ Which is also a PKCS11 provider and relies on OpenSSL underneath, however, it doesn't itself fall
305+ within a FIPS cryptographic boundary of the system deliverables.
306+
307+ * conscrypt
308+
309+ However, conscrypt became problematic to maintain having been hardwired to boringSSL by
310+ Google. Even though boringssl essentially has the same API as OpenSSL, conscrypt would require
311+ extra maintenance and as such is not provided as an AlmaLinux package.
312+
313+ * openssl-fips-java
314+
315+ Maintained by Canonical but not available as a package (even in Ubuntu), this provider can be built
316+ to interface with the FIPS implementation of OpenSSL.
317+
318+ #### PKCS11-NSS-FIPS setup
319+
320+ As shown on the diagram, a PKCS11 provider needs to be configured in order to work with Java
321+ crypto. A HSM or smart card would require a driver in form of a shared library.
322+
323+ For NSS specifically – OpenJDK provides several shorthand configuration attributes.
324+
325+ The configuration can either be done in the application's Java code by passing the config as a String
326+ argument or through environment or system-wide via configuration files.
327+
328+ #### System-wide config files
329+
330+ * ` (...)/security/java.security `
331+
332+ This file specifies the provider list and the order of providers. In non-fips mode this file will contain
333+ the following:
334+
335+ ```
336+ security.provider.N=SunPKCS11 ${java.home}/lib/security/nss.cfg
337+ ```
338+
339+ while in FIPS mode:
340+
341+ ```
342+ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
343+ ```
344+
345+ Both directives configure a SunPKCS11 provider and point to the provider-specific configuration
346+ files
347+
348+ * ` (...)/security/nss.fips.cfg `
349+
350+ ```
351+ name = NSS-FIPS
352+ ```
353+
354+ The name which will be appended to "SunPKCS11-" identifying the configured provider
355+
356+ Followed by nss-specific directives
357+
358+ ```
359+ nssLibraryDirectory = /usr/lib64
360+ nssSecmodDirectory = ${fips.nssdb.path}
361+ nssDbMode = readWrite
362+ nssModule = fips
363+ ```
364+
365+ Instead of providing a full path to the NSS shared lib one needs only to point to a library directory
366+ containing NSS libraries.
367+
368+ #### SoftHSM configuration
369+
370+ The configuration of SoftHSM includes
371+
372+ * setting up a config file. If the Java app is used in non-root context (as it probably is) then the
373+ config file needs to be user accessible and SOFTHSM2_CONF environment variable must point to
374+ it.
375+ * a keystore needs to be set up in the config file
376+ * a SoftHSM "token" needs to be created within the keystore directory. It must be PIN protected,
377+ therefore
378+ * in order to use crypto primitves Java application needs to instantiate SoftHSM KeyStore object
379+ and .init() it with the PIN.
380+
381+ #### Limiting non-FIPS algorithm implementations
382+
383+ Neither PKCS11 alone, nor NSS, does prevent library users from instantiating and using FIPS
384+ unapproved algorithms. Application developers are also free to include any code within their
385+ applications, including FIPS unapproved cryptographic algorithms in cryptographic context, or
386+ using FIPS unapproved algos, like SHA-1 in non-cryptographic contexts, like file checksums or
387+ lookup hashes.
388+
389+ NSS implements a notion of a FIPS indicator which allows the application's implementer to decide
390+ what to do with a FIPS unapproved algorithms. Unlike openssl which bluntly fails if a non-fips
391+ operation is requested.
392+
393+ The caveat – NSS's PKCS11 API does not provide a facility for querying the indicator as there can
394+ be no such facility within PKCS11.
395+
396+ #### disabledAlgorithms directive
397+
398+ Certain algorithms from NSS (or any other PKCS11 provider) can be blacklisted in the provider's
399+ config file (or by other means of configuring PKCS11). For instance DES based cipher mechanisms
400+ can be explicitly blocked using
401+
402+ ```
403+ disabledMechanisms = {
404+ CKM_DES_ECB
405+ CKM_DES_ECB_ENCRYPT_DATA
406+ CKM_DES3_ECB
407+ CKM_DES3_ECB_ENCRYPT_DATA
408+ CKM_DES_CBC
409+ CKM_DES_CBC_ENCRYPT_DATA
410+ CKM_DES_CBC_PAD
411+ CKM_DES3_CBC
412+ CKM_DES3_CBC_ENCRYPT_DATA
413+ CKM_DES3_CBC_PAD
414+ }
415+ ```
416+
417+ The above will not even appear on the mechanism list for this provider.
418+
232419### Uninstalling tuxctl
233420
234421To uninstall tuxctl, disable the ESU/FIPS functionality and revert to community repo's, you can run the following as root:
0 commit comments