Bug 1539785

Summary: modutil rejects new empty password in FIPS mode on clean database
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: nss Assignee: Daiki Ueno <dueno>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: high    
Version: 7.5 CC: dueno, hkario, lslebodn, mniranja, mthacker, nss-nspr-maint, qe-baseos-security, szidek, vashirov
Target Milestone: rc Keywords: Regression, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1508581
: 1566472 1730687 Environment:
Last Closed: 2018-11-09 14:40:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1508581    
Bug Blocks: 1566472, 1730687    

Description Alicja Kario 2018-01-29 15:40:01 UTC
Description of problem:


I am seeing a difference in behaviour with regard to modutil in RHEL7.5.


RHEL7.5
===========
Red Hat Enterprise Linux release 7.5 Beta (Maipo)

Version: nss-3.34.0-4.el7.x86_64


$ mkdir abc

$ cd abc
$ modutil -dbdir . -create -force
$ modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
Enter old password:



RHEL7.4.z
=========
Red Hat Enterprise Linux Server release 7.4 (Maipo)
version: nss-3.28.4-15.el7_4.x86_64

[root@server-3294 abc]# modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
[root@server-3294 abc]#



Version-Release number of selected component (if applicable):
nss-tools-3.34.0-0.1.beta1.el7.x86_64

Actual results:
 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null 

The above command prompts for password



Expected results:

 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null

The above command should not prompt for old password. 

Additional info: