Bug 1149240

Summary: NSS fails with "certificate has an invalid signature" error in FIPS mode when NSS db user does not provide password [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Alicja Kario <hkario>
Component: nss
Assignee: Bob Relyea <rrelyea>
Status: CLOSED WONTFIX
QA Contact: Alicja Kario <hkario>
Severity: low
Priority: low
Version: 7.0
CC: amarecek, arubin, emaldona, hkario, jenifer.golmitz, jkurik, jrieden, kengert, ksrot, nkinder, omoris, ovasik, qe-baseos-security, rrelyea, sdordevi
Target Milestone: rc
Keywords: Reopened
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of: 994634
Last Closed: 2016-04-25 20:43:27 UTC
Type: Bug
Bug Depends On: 994634
Bug Blocks: 839624, 1088359

Comment 3 Bob Relyea 2014-10-24 16:27:30 UTC
Hmm, looks like the application hasn't authenticated to the token yet. If you didn't get a password prompt, then you most likely have an application problem.

Comment 4 Alicja Kario 2014-10-29 15:59:34 UTC
Well, if the way you need to interact with the database changes after enabling the FIPS mode, isn't this a regression?

Note that the created database is using the exact same password in FIPS and non-FIPS mode; in FIPS mode the application fails, while in non-FIPS mode it works correctly (recognises the certificate).

Comment 8 Bob Relyea 2014-11-20 16:27:24 UTC
> Well, if the way you need to interact with the database changes after
> enabling the FIPS mode, isn't this a regression?

No, NSS has always done this in FIPS mode. Applications which can't authenticate arbitrarily are not FIPS level-2 compliant. If the database does not have a password, that's a different matter.

Comment 9 Ann Marie Rubin 2014-11-20 18:54:23 UTC
bug needs devel_ack so blocker flag will get set.

Comment 16 RHEL Program Management 2015-01-08 22:15:47 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.