Non-root Java applications cannot use java.security.KeyStore in FIPS mode due to NSS module configuration
When a container based on the openjdk21-devel-fips image is run on a FIPS-enabled host, any non-root Java application that uses the SunPKCS11 provider (for example through java.security.KeyStore) fails to initialize the provider and throws an exception similar to the following:
Exception

```
java.lang.RuntimeException: Failed to start quarkus
    at io.quarkus.runner.ApplicationImpl.<init>(Unknown Source)
    at java.base/jdk.internal.misc.Unsafe.allocateInstance(Native Method)
    at java.base/java.lang.invoke.DirectMethodHandle.allocateInstance(DirectMethodHandle.java:501)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:76)
    at org.keycloak.quarkus.runtime.KeycloakMain.start(KeycloakMain.java:145)
    at org.keycloak.quarkus.runtime.cli.Picocli.start(Picocli.java:988)
    at org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.run(AbstractStartCommand.java:49)
    at picocli.CommandLine.executeUserObject(CommandLine.java:2030)
    at picocli.CommandLine.access$1500(CommandLine.java:148)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2465)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2457)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2419)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2277)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2421)
    at picocli.CommandLine.execute(CommandLine.java:2174)
    at org.keycloak.quarkus.runtime.cli.Picocli.parseAndRun(Picocli.java:128)
    at org.keycloak.quarkus.runtime.KeycloakMain.main(KeycloakMain.java:116)
    at org.keycloak.quarkus.runtime.KeycloakMain.main(KeycloakMain.java:71)
    at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:68)
    at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:36)
Caused by: java.lang.RuntimeException: Unexpected error when configuring the crypto provider: org.keycloak.crypto.fips.Fips1402StrictCryptoProvider
    at org.keycloak.quarkus.runtime.KeycloakRecorder.setCryptoProvider(KeycloakRecorder.java:211)
    at io.quarkus.runner.recorded.KeycloakProcessor$setCryptoProvider946368736.deploy_0(Unknown Source)
    at io.quarkus.runner.recorded.KeycloakProcessor$setCryptoProvider946368736.deploy(Unknown Source)
    ... 20 more
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
    at org.keycloak.quarkus.runtime.KeycloakRecorder.setCryptoProvider(KeycloakRecorder.java:204)
    ... 22 more
Caused by: java.security.ProviderException: Could not initialize NSS
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:289)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:187)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:161)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:161)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:256)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:247)
    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
    at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:301)
    at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:285)
    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:291)
    at java.base/java.security.Security.getProvider(Security.java:522)
    at org.keycloak.crypto.fips.FIPS1402Provider.<init>(FIPS1402Provider.java:82)
    at org.keycloak.crypto.fips.Fips1402StrictCryptoProvider.<init>(Fips1402StrictCryptoProvider.java:12)
    at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
    ... 25 more
Caused by: java.io.IOException: NSS initialization failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:243)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:284)
    ... 42 more
```

This failure occurs because SunPKCS11 uses the NSS library, and the changes this image makes to /etc/pki/nssdb/pkcs11.txt
affect how NSS initializes. Those changes cause NSS to attempt to open the /etc/pki/nssdb database read-write when the library is first initialized, regardless of whether the process using NSS has permission to write there. If NSS cannot open /etc/pki/nssdb that way, it returns an error, which in turn causes SunPKCS11 initialization to fail.
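The precondition described above (the process's uid cannot write to the NSS database directory) can be checked before the JVM starts. The following pre-flight script is an added example, not part of the openjdk21-devel-fips image or of this advisory; the function names and the `NSSDB_DEFAULT` variable are hypothetical, while /etc/pki/nssdb and pkcs11.txt are the paths the advisory names. It only tests the filesystem precondition, not NSS's own behaviour.

```shell
#!/bin/sh
# Pre-flight check (illustrative example, not shipped with the image or the
# advisory). It tests the precondition the advisory describes: NSS opens the
# database directory read-write at first use, so a process that cannot write
# there will fail SunPKCS11 initialization. Function names and NSSDB_DEFAULT
# are hypothetical; /etc/pki/nssdb and pkcs11.txt are taken from the advisory.

NSSDB_DEFAULT=/etc/pki/nssdb

# nssdb_writable DIR
#   Prints "writable" when DIR exists and the current uid may create files in
#   it (what a read-write open of the database needs), else "not-writable".
#   Exit status mirrors the result (0 = writable) so it works in `if`.
#   Note: `-w` is true for uid 0 regardless of mode bits, which matches the
#   advisory's observation that only non-root processes are affected.
nssdb_writable() {
    dir="${1:-$NSSDB_DEFAULT}"
    if [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]; then
        echo writable
        return 0
    fi
    echo not-writable
    return 1
}

# nssdb_has_config DIR
#   Prints "present" when DIR/pkcs11.txt (the module configuration the image
#   modifies) exists and is readable by this uid, else "missing".
nssdb_has_config() {
    dir="${1:-$NSSDB_DEFAULT}"
    if [ -r "$dir/pkcs11.txt" ]; then
        echo present
    else
        echo missing
    fi
}

# nssdb_report DIR
#   One log line with uid, directory, config presence, writability and a
#   verdict on whether SunPKCS11 initialization is expected to fail.
nssdb_report() {
    dir="${1:-$NSSDB_DEFAULT}"
    uid="$(id -u)"
    config="$(nssdb_has_config "$dir")"
    # `|| true` keeps the non-zero status of the check from aborting callers
    # that run with `set -e`; the printed state is what we need.
    state="$(nssdb_writable "$dir" || true)"
    if [ "$state" = writable ]; then
        verdict=ok
    else
        verdict=expect-sunpkcs11-init-failure
    fi
    printf 'uid=%s nssdb=%s pkcs11.txt=%s dir=%s verdict=%s\n' \
        "$uid" "$dir" "$config" "$state" "$verdict"
}

# Stand-alone use: report on the directory given as $1 (default from above).
nssdb_report "${1:-$NSSDB_DEFAULT}"
```

Run it inside the container as the same uid the Java application will use (for example as the container's entrypoint or an init step); a `verdict=expect-sunpkcs11-init-failure` line explains the `NSS initialization failed` exception before the JVM ever reports it.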