Bug 1419179

Summary: nssdb not created correctly in a fips environment when password is not set
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: medium
Priority: medium
Version: 7.3
CC: cww, dueno, ekeck, hkario, kengert, omoris, rrelyea, szidek
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 09:25:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1420851

Description Eugene Keck 2017-02-03 20:02:09 UTC
Description of problem:
nssdb not created correctly in a fips environment when password is not set. 

Version-Release number of selected component (if applicable):
nss-tools-3.21.3-2.el7_3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS
2. modutil -dbdir /tmp/ -create
3. certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem 

Actual results:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

Expected results:
No error and allowed to add certs.

Additional info:

Using certutil to create the nssdb and not setting a password I am successfully able to add my cert

$ certutil -N -d /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

I am also able to add my certs if I set a password 

$ modutil -dbdir /tmp/ -create
$ modutil -changepw 'NSS FIPS 140-2 Certificate DB' -dbdir /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

There is not a way using modutil to create an nssdb without a password and be able to use it in a FIPS environment.

Comment 4 Ondrej Moriš 2017-02-17 10:20:09 UTC
Hm, I do not see the difference between FIPS and non-FIPS environment. Steps from the description give the same result in non-FIPS mode. 

Kai, is a user expected to set a password (even an empty one) after creating an NSS DB via modutil? That is

1. modutil -dbdir /tmp -create
2. modutil -dbdir /tmp -changepw 

It looks like authentication is required by default after DB creation (regardless of FIPS mode).

------------------------------------------------------

BTW: Setting empty password works for me in FIPS mode:

# modutil -dbdir /tmp/ -create

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

# modutil -dbdir /tmp/ -chkfips true
FIPS mode enabled.

# modutil -dbdir /tmp/ -changepw "NSS FIPS 140-2 Certificate DB"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Enter new password: 
Re-enter new password: 
Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

# certutil -d /tmp/ -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
certutil: no keys found

Comment 5 Bob Relyea 2017-02-22 17:47:51 UTC
So NSS has 2 modes: FIPS Level 1 and FIPS level 2. In FIPS level 2 you must authenticate to the token before you can do almost anything. In FIPS level 1 you don't need to authenticate to the token.

NSS determines whether or not you are in FIPS level 1 mode by whether or not the database has a password.

In FIPS mode you can move from Level 1 to Level 2 (by setting the password), but you can't move from level 2 to level 1.

It looks like everything Eugene has mentioned is consistent with that behavior.

The only issue is modutil -create doesn't produce a database without a password. My guess is modutil is creating an uninitialized database which requires sso pin login. I'm guessing this implies to softoken that the database is in FIPS Level 2 mode.

We can deal with this in 2 ways:
1) document you can't use modutil to create a FIPS level 1 database.
or 
2) modify modutil -create to initialize the database at creation time the same way certutil works today.
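
The following script is an added example; it is not code from the bug report, from any of the commenters, or from NSS. It packages the working path the reporter describes (certutil -N to initialise the database without a password, then certutil -A to add a trust anchor) and Ondrej's key-listing probe into a small shell procedure that tells the caller whether a database is at FIPS Level 1 (usable without a login) or Level 2 (the "could not authenticate to token" failure quoted in the description). The database directory, the certificate file and the nickname are caller-supplied assumptions; certutil's `--empty-password` option is used so the initialisation does not prompt.

```shell
#!/bin/sh
# Added example, not taken from the bug report or from NSS itself:
# create an NSS database that stays at FIPS Level 1 (empty token
# password) and check whether operations on it need authentication.
# Assumptions: certutil from nss-tools is on PATH; the database
# directory, nickname and PEM file are supplied by the caller.

# Classify what certutil printed. Arguments: captured output, exit status.
# Prints one of:
#   auth-required  - the token demands a login (the SEC_ERROR_IO symptom
#                    from the report, i.e. the database is at Level 2)
#   ok             - the command reached the token without a login
#   other-error    - an unrelated failure
classify_certutil_output() {
    out=$1
    status=$2
    case "$out" in
        *"could not authenticate to token"*)
            echo auth-required ;;
        *"no keys found"*)
            # certutil -K exits non-zero on an empty key store, but it
            # did open the token without a login, so the DB is usable.
            echo ok ;;
        *)
            if [ "$status" -eq 0 ]; then echo ok; else echo other-error; fi ;;
    esac
}

# Initialise a fresh database with an empty token password. softoken
# treats a database whose password has been set (even to the empty
# string) as Level 1, so later certificate operations do not prompt.
create_level1_db() {
    dbdir=$1
    mkdir -p "$dbdir"
    certutil -N -d "$dbdir" --empty-password
}

# Run a key listing (the same probe Ondrej used in comment 4) and
# report whether the token could be used without authenticating.
probe_token_auth() {
    dbdir=$1
    out=$(certutil -K -d "$dbdir" 2>&1) && status=0 || status=$?
    classify_certutil_output "$out" "$status"
}

# The reporter's failing step; it succeeds once the database is Level 1.
add_trusted_ca() {
    dbdir=$1
    nick=$2
    pem=$3
    certutil -A -d "$dbdir" -n "$nick" -t "CT,C,C" -i "$pem"
}

# Usage: sh this-script.sh /path/to/nssdb [ca.pem]
if [ "$#" -gt 0 ]; then
    create_level1_db "$1"
    probe_token_auth "$1"
    if [ -n "${2:-}" ]; then
        add_trusted_ca "$1" "my cert" "$2"
    fi
fi
```

Run against a database created with plain `modutil -create` and no password, `probe_token_auth` prints `auth-required`, which is the Level 2 condition Bob describes; after `create_level1_db` (or after `modutil -changepw` with an empty password, as in comment 4) it prints `ok`.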

Comment 7 Kai Engert (:kaie) (inactive account) 2017-02-22 19:59:28 UTC
We need a bug filed upstream that requests and implements the enhancement for modutil.

Comment 19 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679