Summary: nssdb not created correctly in a fips environment when password is not set
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Version: 7.3
CC: cww, dueno, ekeck, hkario, kengert, omoris, rrelyea, szidek
Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Last Closed: 2018-04-10 09:25:43 UTC
Type: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Description Eugene Keck 2017-02-03 20:02:09 UTC
Description of problem:
nssdb not created correctly in a fips environment when password is not set.

Version-Release number of selected component (if applicable):
nss-tools-3.21.3-2.el7_3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS
2. modutil -dbdir /tmp/ -create
3. certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

Actual results:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

Expected results:
No error and allowed to add certs.

Additional info:
Using certutil to create the nssdb and not setting a password, I am successfully able to add my cert:
$ certutil -N -d /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

I am also able to add my certs if I set a password:
$ modutil -dbdir /tmp/ -create
$ modutil -changepw 'NSS FIPS 140-2 Certificate DB' -dbdir /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

There is not a way using modutil to create an nssdb without a password and be able to use it in a FIPS environment.
Comment 4 Ondrej Moriš 2017-02-17 10:20:09 UTC
Hm, I do not see the difference between FIPS and non-FIPS environment. Steps from the description give the same result in non-FIPS mode.

Kai, is a user expected to set a password (even an empty one) after creating an NSS DB via modutil? That is:
1. modutil -dbdir /tmp -create
2. modutil -dbdir /tmp -changepw

It looks like authentication is required by default after DB creation (regardless of FIPS mode).

------------------------------------------------------
BTW: Setting an empty password works for me in FIPS mode:

# modutil -dbdir /tmp/ -create
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

# modutil -dbdir /tmp/ -chkfips true
FIPS mode enabled.

# modutil -dbdir /tmp/ -changepw "NSS FIPS 140-2 Certificate DB"
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:
Enter new password:
Re-enter new password:
Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

# certutil -d /tmp/ -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
certutil: no keys found
Comment 5 Bob Relyea 2017-02-22 17:47:51 UTC
So NSS has 2 modes: FIPS Level 1 and FIPS level 2. In FIPS level 2 you must authenticate to the token before you can do almost anything. In FIPS level 1 you don't need to authenticate to the token. NSS determines whether or not you are in FIPS level 1 mode by whether or not the database has a password. In FIPS mode you can move from Level 1 to Level 2 (by setting the password), but you can't move from level 2 to level 1.

It looks like everything Eugene has mentioned is consistent with that behavior. The only issue is modutil -create doesn't produce a database without a password. My guess is modutil is creating an uninitialized database which requires sso pin login. I'm guessing this implies to softoken that the database is in FIPS Level 2 mode.

We can deal with this in 2 ways:
1) document you can't use modutil to create a FIPS level 1 database, or
2) modify modutil -create to initialize the database at creation time the same way certutil works today.
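The workaround from Comment 4 (create with modutil, then set an empty password) and the Level 1 / Level 2 distinction from Comment 5, as an added shell script that is not part of the bug report or of the NSS project. It makes the steps non-interactive so they can go in provisioning scripts. Assumptions not taken from the page: nss-tools (modutil, certutil) are on PATH; `modutil -force` suppresses the browser warning prompt; `-newpwfile` pointing at an empty file sets an empty password; `modutil -chkfips true` exits 0 only when FIPS mode is enabled; the non-FIPS token is named "NSS Certificate DB".

```shell
#!/bin/sh
# Added example (not from the bug report or from NSS): create an NSS database
# with modutil and immediately give it an empty password, so softoken sees an
# initialized token (FIPS Level 1, no login needed) instead of one still
# waiting for its first PIN (treated as Level 2, login required).
#
# Assumptions: modutil/certutil on PATH; `modutil -force` disables prompts;
# `-newpwfile` with an empty file sets an empty password; `-chkfips true`
# exits 0 only in FIPS mode; non-FIPS token name is "NSS Certificate DB".

have_nss_tools() {
    command -v modutil >/dev/null 2>&1 && command -v certutil >/dev/null 2>&1
}

# The token name differs between FIPS and non-FIPS mode; pick the right one
# for the given database directory.
token_name() {
    if modutil -dbdir "$1" -chkfips true >/dev/null 2>&1; then
        printf '%s' "NSS FIPS 140-2 Certificate DB"
    else
        printf '%s' "NSS Certificate DB"
    fi
}

# create_level1_db DBDIR
# Returns 0 when the database exists and can be opened without a token
# login; 1 on any failure.
create_level1_db() {
    dbdir=$1
    mkdir -p "$dbdir" || return 1

    # Step 1 from the report: modutil -create leaves the token uninitialized.
    modutil -force -dbdir "$dbdir" -create >/dev/null 2>&1 || return 1

    # Step 2 (Comment 4's workaround, made non-interactive): set an empty
    # password so the token is initialized and no login is required.
    emptypw=$(mktemp) || return 1
    : > "$emptypw"
    tok=$(token_name "$dbdir")
    modutil -force -dbdir "$dbdir" -changepw "$tok" -newpwfile "$emptypw" >/dev/null 2>&1
    rc=$?
    rm -f "$emptypw"
    [ "$rc" -eq 0 ] || return 1

    # Sanity check: the database opens and lists without a password prompt
    # (stdin closed so an unexpected prompt fails instead of hanging).
    certutil -d "$dbdir" -L </dev/null >/dev/null 2>&1 || return 1
    return 0
}

# Certificates can then be added as in the report, for example:
#   certutil -A -d "$dbdir" -n "my cert" -t "CT,C,C" -i cert.pem

if [ "${1-}" ]; then
    if ! have_nss_tools; then
        echo "nss-tools not installed" >&2
        exit 2
    fi
    create_level1_db "$1" && echo "level 1 database ready in $1"
fi
```

Run as `sh create_level1_db.sh /etc/pki/mydb`. Note that this deliberately does the opposite of what Comment 5 warns cannot be undone: once a real password is set (Level 2), the database cannot be moved back to Level 1, so set the empty password first and only raise the level later if the deployment requires token login.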
Comment 7 Kai Engert (:kaie) (inactive account) 2017-02-22 19:59:28 UTC
We need a bug filed upstream that requests and implements the enhancement for modutil.
Comment 19 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0679