Bug 1254896

Summary: python-nss upstream test suite fails in FIPS mode
Product: Red Hat Enterprise Linux 7 Reporter: Stanislav Zidek <szidek>
Component: python-nss Assignee: John Dennis <jdennis>
Status: CLOSED WONTFIX QA Contact: Stanislav Zidek <szidek>
Severity: low Docs Contact:
Priority: low    
Version: 7.2 CC: nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2016-02-16 23:17:20 UTC Type: Bug

Description Stanislav Zidek 2015-08-19 08:07:26 UTC
Description of problem:
As mentioned in bz1194349, the upstream test suite as a whole is still FIPS-incompatible; just some particular test cases are fixed.

Version-Release number of selected component (if applicable):
python-nss-0.16.0-3.el7

How reproducible:
always

Steps to Reproduce:
1. run upstream tests in FIPS mode

Actual results:
:: [  BEGIN   ] :: Running test suite :: actually running 'python run_tests'
INFO: Creating clean database directory: "pki"
WARNING: System FIPS enabled, cannot disable FIPS
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=pes-guest-81.lab.eng.brq.redhat.com", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="DB_passwd"
INFO: system FIPS mode=True
INFO: DB FIPS mode=True
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=pes-guest-81.lab.eng.brq.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
...........EE........EEEEEEE
======================================================================
ERROR: test_file (test_cipher.TestCipher)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 72, in setUp
    self.encoding_ctx, self.decoding_ctx = setup_contexts(mechanism, key, iv)
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 32, in setup_contexts
    nss.CKA_ENCRYPT, key_si)
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.

======================================================================
ERROR: test_string (test_cipher.TestCipher)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 72, in setUp
    self.encoding_ctx, self.decoding_ctx = setup_contexts(mechanism, key, iv)
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 32, in setup_contexts
    nss.CKA_ENCRYPT, key_si)
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.

======================================================================
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 45, in test_ocsp_default_responder
    nss.enable_ocsp_default_responder()
NSPRError: (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) Configured OCSP responder's certificate is invalid.

======================================================================
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 23, in tearDown
    nss.nss_shutdown()
NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

======================================================================
ERROR: test_ocsp_failure_mode (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_ocsp_timeout (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_use_pkix_for_validation (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_csr_parse (test_cert_request.TestCertRequest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cert_request.py", line 111, in setUp
    nss.nss_init_nodb()
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_ssl (test_client_server.TestSSL)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_client_server.py", line 339, in setUp
    self.server_pid = run_server()
  File "/tmp/tmp.IGN1SljrAc/test/test_client_server.py", line 318, in run_server
    nss.nss_init(db_name)
NSPRError: (SEC_ERROR_NO_MODULE) security library: no security module can perform the requested operation.

----------------------------------------------------------------------
Ran 27 tests in 3.119s

FAILED (errors=9)
Using installed libraries

E
======================================================================
ERROR: test_file (test_cipher.TestCipher)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 72, in setUp
    self.encoding_ctx, self.decoding_ctx = setup_contexts(mechanism, key, iv)
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 32, in setup_contexts
    nss.CKA_ENCRYPT, key_si)
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.

======================================================================
ERROR: test_string (test_cipher.TestCipher)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 72, in setUp
    self.encoding_ctx, self.decoding_ctx = setup_contexts(mechanism, key, iv)
  File "/tmp/tmp.IGN1SljrAc/test/test_cipher.py", line 32, in setup_contexts
    nss.CKA_ENCRYPT, key_si)
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.

======================================================================
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 45, in test_ocsp_default_responder
    nss.enable_ocsp_default_responder()
NSPRError: (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) Configured OCSP responder's certificate is invalid.

======================================================================
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 23, in tearDown
    nss.nss_shutdown()
NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

======================================================================
ERROR: test_ocsp_failure_mode (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_ocsp_timeout (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_use_pkix_for_validation (test_ocsp.TestAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_ocsp.py", line 19, in setUp
    nss.nss_init_read_write(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_csr_parse (test_cert_request.TestCertRequest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_cert_request.py", line 111, in setUp
    nss.nss_init_nodb()
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

======================================================================
ERROR: test_ssl (test_client_server.TestSSL)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/tmp.IGN1SljrAc/test/test_client_server.py", line 346, in test_ssl
    nss.nss_init(db_name)
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.

----------------------------------------------------------------------
Ran 27 tests in 8.123s

FAILED (errors=9)
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/atexit.py", line 24, in _run_exitfuncs
Using installed libraries

    func(*targs, **kargs)
  File "/tmp/tmp.IGN1SljrAc/test/setup_certs.py", line 541, in exit_handler_with_options
    exit_handler(options)
  File "/tmp/tmp.IGN1SljrAc/test/setup_certs.py", line 62, in exit_handler
    os.remove(options.passwd_filename)
OSError: [Errno 2] No such file or directory: '/tmp/tmputdUbH'
Error in sys.exitfunc:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/tmp/tmp.IGN1SljrAc/test/setup_certs.py", line 541, in exit_handler_with_options
    exit_handler(options)
  File "/tmp/tmp.IGN1SljrAc/test/setup_certs.py", line 62, in exit_handler
    os.remove(options.passwd_filename)
OSError: [Errno 2] No such file or directory: '/tmp/tmputdUbH'
:: [   PASS   ] :: Running test suite (Expected 0, got 0)
:: [   FAIL   ] :: File '/tmp/tmp.IGN1SljrAc/tests.log' should contain '^OK$' 
ERROR: test_file (test_cipher.TestCipher)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.
ERROR: test_string (test_cipher.TestCipher)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) Configured OCSP responder's certificate is invalid.
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
ERROR: test_ocsp_failure_mode (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_ocsp_timeout (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_use_pkix_for_validation (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_csr_parse (test_cert_request.TestCertRequest)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_ssl (test_client_server.TestSSL)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_NO_MODULE) security library: no security module can perform the requested operation.
FAILED (errors=9)
ERROR: test_file (test_cipher.TestCipher)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.
ERROR: test_string (test_cipher.TestCipher)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BAD_DATA) security library: received bad data.
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) Configured OCSP responder's certificate is invalid.
ERROR: test_ocsp_default_responder (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
ERROR: test_ocsp_failure_mode (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_ocsp_timeout (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_use_pkix_for_validation (test_ocsp.TestAPI)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_csr_parse (test_cert_request.TestCertRequest)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
ERROR: test_ssl (test_client_server.TestSSL)
Traceback (most recent call last):
NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.
FAILED (errors=9)
Traceback (most recent call last):
Traceback (most recent call last):
:: [   FAIL   ] :: File '/tmp/tmp.IGN1SljrAc/tests.log' should not contain '^(ERROR|NSPRError|Traceback|FAIL)' 
'9436ad82-597b-441c-8f20-139a693db14b'
python-nss-unit-tests result: FAIL


Expected results:
No failures.

Comment 1 Nathan Kinder 2016-02-16 23:17:20 UTC
We have no plans to fix this.  The upstream tests were not designed to run in FIPS mode, and I'm not sure that it's worth the effort given that we're not heavily investing development into python-nss unless important bugfixes are needed.  Closing as WONTFIX.