RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
A certificate bears public information and its addition to an nss database should not be guarded by a password, not even in FIPS mode.

Version-Release number of selected component (if applicable):
nss-tools-3.21.3-2

How reproducible:
Create a clean NSS database. Get a .der certificate. Try to run certutil to store the certificate in the database as root.

Steps to Reproduce:
1. # mkdir nssdb
2. # certutil -N -d nssdb -f nssdbpwd 
3. # cat cert.der | certutil -A -d nssdb -n CA Certificate 1 -t C,,

Actual results:
Receiving password/pin-prompt:
'Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":'


Expected results:
The certificate gets stored in the database.

Stanislav,

I believe it's intended that any modification to the NSS database in FIPS mode requires the password.

I'm setting needinfo.

Bob, if you agree with me, please close this bug as CLOSED/NOTABUG.

certificate may include only public information, but adding it to database changes what CAs the clients will trust, so modification of the database is not without effect

if modification of the database is required not to require password, it's possible to do that by creating a database with empty password:

1. # mkdir nssdb
2. # certutil -N -d nssdb --empty-password
3. # cat cert.der | certutil -A -d nssdb -n CA Certificate 1 -t C,,

Hello Kai, Hubert,

Yes, I believe you may close the ticket now. If you could add a pointer to a documentation to what's different for certutil in FIPS mode, I'd appreciate that, too.

Cheers.

I don't think we have specific documentation for certutil.

You might be interested in generic requirements for FIPS mode.

I'm keeping the needinfo for Bob, in case he knows of a document describing the differences of NSS expectations in FIPS mode.

Unforutnately there is no documentation for this.