Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1395301 - certutil -C ignores -f parameter in FIPS mode
certutil -C ignores -f parameter in FIPS mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss (Show other bugs)
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Kai Engert (:kaie) (inactive account)
Hubert Kario
:
Depends On:
Blocks: 1377248
  Show dependency treegraph
 
Reported: 2016-11-15 11:15 EST by Endi Sukma Dewata
Modified: 2017-08-01 12:47 EDT (History)
7 users (show)

See Also:
Fixed In Version: nss-3.28.3-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 12:47:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 1317981 None None None 2016-11-16 09:50 EST
Red Hat Product Errata RHEA-2017:1977 normal SHIPPED_LIVE nss bug fix and enhancement update 2017-08-01 13:57:47 EDT

  None (edit)
Description Endi Sukma Dewata 2016-11-15 11:15:32 EST 
The certutil -C command is supposed to issue a certificate given a CSR. In non-FIPS mode the command does not require any password, but in FIPS mode it does require a password to the internal token (no HSM is used in this case). The problem is the password specified with the -f parameter is always ignored. Instead, the command will always prompt for the password on the console, so it cannot be automated. This problem affects current RHCS testing automation and may affect future RHCS development.

Steps to reproduce:

1. Prepare a FIPS-enabled machine.
2. Store the NSS database password in password.txt.
3. Create an NSS database with the password file:

 $ mkdir nssdb
 $ certutil -N -d nssdb -f password.txt

4. Generate a random noise file:

 $ openssl rand -out noise.bin 2048

5. Generate a root CA certificate:

 $ echo -e "y\n\ny\n" | \
  certutil -S \
  -d nssdb \
  -f password.txt \
  -z noise.bin \
  -n "Root CA" \
  -s "CN=Root CA,O=EXAMPLE" \
  -x \
  -t "CT,C,C" \
  -m $RANDOM\
  -2 \
  --keyUsage certSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA

6. Issue a certificate with an existing CSR:

 $ echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
  certutil -C \
  -d nssdb \
  -f password.txt \
  -m $RANDOM \
  -a \
  -i example.csr \
  -o example.crt \
  -c "Root CA" \
  -1 \
  -2
 Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

Actual result: In step #6 the command prompts for the internal token password although the password file is already specified with the -f parameter. After entering the password manually, the certificate is issued correctly.

Expected result: The command in step #6 should not prompt for the password since it's already specified with the -f parameter.
Comment 2 Kai Engert (:kaie) (inactive account) 2016-11-16 09:38:14 EST 
I think I have a fix, which I've worked on a while ago, as part of bug 1088366 (which needs much more work to get fully done).

I'll file an upstream patch, which picks up the utility fixes from that work-in-progress-patch.
Comment 12 errata-xmlrpc 2017-08-01 12:47:42 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.