I’m trying to run the following code on an Oracle Linux Server 8.3, with OpenJDK 11.0.9 in FIPS mode.

    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Base32;

    public class TestMAC {
        public static void main(String[] args) throws Exception {
            // Decode the Base32-encoded test key into raw bytes
            Base32 codec = new Base32();
            byte[] decodedKey = codec.decode("TESTKEY1234567890_TESTKEY1234567890");

            // Wrap the raw bytes as an HmacSHA1 key and initialise the MAC with it
            SecretKeySpec signKey = new SecretKeySpec(decodedKey, "HmacSHA1");
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(signKey); // the InvalidKeyException is thrown here
            System.out.println("Created");
        }
    }

The following exception is thrown from the mac.init(signKey) line:

    Exception in thread "main" java.security.InvalidKeyException: Could not create key
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:285)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:190)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:122)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:197)
        at java.base/javax.crypto.Mac.chooseProvider(Mac.java:366)
        at java.base/javax.crypto.Mac.init(Mac.java:435)
        at com.testing.TestMAC.main(TestMAC.java:15)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:280)
        ... 6 more

My nss.fips.cfg file's contents are:

    Name = NSSFIPS
    nssLibraryDirectory = /usr/lib64
    nssSecmodDirectory = /etc/pki/nssdb
    nssDbMode = readOnly
    nssModule = fips

I’m not clear if this is related to this bug (https://bugzilla.redhat.com/show_bug.cgi?id=1964109) or not, and I’m not sure what to do to resolve it or troubleshoot it any further.
I’d appreciate any ideas you all may have.