Hide Forgot
Description of problem: A certificate bears public information and its addition to an nss database should not be guarded by a password, not even in FIPS mode. Version-Release number of selected component (if applicable): nss-tools-3.21.3-2 How reproducible: Create a clean NSS database. Get a .der certificate. Try to run certutil to store the certificate in the database as root. Steps to Reproduce: 1. # mkdir nssdb 2. # certutil -N -d nssdb -f nssdbpwd 3. # cat cert.der | certutil -A -d nssdb -n CA Certificate 1 -t C,, Actual results: Receiving password/pin-prompt: 'Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":' Expected results: The certificate gets stored in the database.
Stanislav, I believe it's intended that any modification to the NSS database in FIPS mode requires the password. I'm setting needinfo. Bob, if you agree with me, please close this bug as CLOSED/NOTABUG.
certificate may include only public information, but adding it to database changes what CAs the clients will trust, so modification of the database is not without effect if modification of the database is required not to require password, it's possible to do that by creating a database with empty password: 1. # mkdir nssdb 2. # certutil -N -d nssdb --empty-password 3. # cat cert.der | certutil -A -d nssdb -n CA Certificate 1 -t C,,
Hello Kai, Hubert, Yes, I believe you may close the ticket now. If you could add a pointer to a documentation to what's different for certutil in FIPS mode, I'd appreciate that, too. Cheers.
I don't think we have specific documentation for certutil. You might be interested in generic requirements for FIPS mode. I'm keeping the needinfo for Bob, in case he knows of a document describing the differences of NSS expectations in FIPS mode.
Unforutnately there is no documentation for this.