1395301 – certutil -C ignores -f parameter in FIPS mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1395301 - certutil -C ignores -f parameter in FIPS mode

Summary: certutil -C ignores -f parameter in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Kai Engert (:kaie) (inactive account)
QA Contact:	Alicja Kario
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1377248
TreeView+	depends on / blocked

Reported:	2016-11-15 16:15 UTC by Endi Sukma Dewata
Modified:	2017-08-01 16:47 UTC (History)
CC List:	7 users (show)
Fixed In Version:	nss-3.28.3-3.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 16:47:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	1317981	0	None	None	None	2019-06-17 16:40:52 UTC
Red Hat Product Errata	RHEA-2017:1977	0	normal	SHIPPED_LIVE	nss bug fix and enhancement update	2017-08-01 17:57:47 UTC

Description Endi Sukma Dewata 2016-11-15 16:15:32 UTC

The certutil -C command is supposed to issue a certificate given a CSR. In non-FIPS mode the command does not require any password, but in FIPS mode it does require a password to the internal token (no HSM is used in this case). The problem is the password specified with the -f parameter is always ignored. Instead, the command will always prompt for the password on the console, so it cannot be automated. This problem affects current RHCS testing automation and may affect future RHCS development.

Steps to reproduce:

1. Prepare a FIPS-enabled machine.
2. Store the NSS database password in password.txt.
3. Create an NSS database with the password file:

 $ mkdir nssdb
 $ certutil -N -d nssdb -f password.txt

4. Generate a random noise file:

 $ openssl rand -out noise.bin 2048

5. Generate a root CA certificate:

 $ echo -e "y\n\ny\n" | \
  certutil -S \
  -d nssdb \
  -f password.txt \
  -z noise.bin \
  -n "Root CA" \
  -s "CN=Root CA,O=EXAMPLE" \
  -x \
  -t "CT,C,C" \
  -m $RANDOM\
  -2 \
  --keyUsage certSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA

6. Issue a certificate with an existing CSR:

 $ echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
  certutil -C \
  -d nssdb \
  -f password.txt \
  -m $RANDOM \
  -a \
  -i example.csr \
  -o example.crt \
  -c "Root CA" \
  -1 \
  -2
 Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

Actual result: In step #6 the command prompts for the internal token password although the password file is already specified with the -f parameter. After entering the password manually, the certificate is issued correctly.

Expected result: The command in step #6 should not prompt for the password since it's already specified with the -f parameter.

Comment 2 Kai Engert (:kaie) (inactive account) 2016-11-16 14:38:14 UTC

I think I have a fix, which I've worked on a while ago, as part of bug 1088366 (which needs much more work to get fully done).

I'll file an upstream patch, which picks up the utility fixes from that work-in-progress-patch.

Comment 12 errata-xmlrpc 2017-08-01 16:47:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977

Note You need to log in before you can comment on or make changes to this bug.