Bug 1419179 - nssdb not created correctly in a fips environment when password is not set
Summary: nssdb not created correctly in a fips environment when password is not set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On:
Blocks: 1420851
 
Reported: 2017-02-03 20:02 UTC by Eugene Keck
Modified: 2018-04-10 09:26 UTC (History)

Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 09:25:43 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0679 None None None 2018-04-10 09:26:39 UTC
Mozilla Foundation 1395495 None None None 2019-05-15 12:25:54 UTC

Description Eugene Keck 2017-02-03 20:02:09 UTC
Description of problem:
nssdb not created correctly in a fips environment when password is not set. 

Version-Release number of selected component (if applicable):
nss-tools-3.21.3-2.el7_3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS
2. modutil -dbdir /tmp/ -create
3. certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem 

Actual results:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

Expected results:
No error and allowed to add certs.

Additional info:

Using certutil to create the nssdb and not setting a password I am successfully able to add my cert

$ certutil -N -d /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

I am also able to add my certs if I set a password 

$ modutil -dbdir /tmp/ -create
$ modutil -changepw 'NSS FIPS 140-2 Certificate DB' -dbdir /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

There is not a way using modutil to create a nssdb without a password and be able to use it in a FIPS environment.

Comment 4 Ondrej Moriš 2017-02-17 10:20:09 UTC
Hm, I do not see the difference between FIPS and non-FIPS environment. Steps from the description give the same result in non-FIPS mode. 

Kai, is a user expected to set a password (even an empty one) after creating an NSS DB via modutil? That is

1. modutil -dbdir /tmp -create
2. modutil -dbdir /tmp -changepw 

It looks like authentication is required by default after DB creation (regardless of FIPS mode).

------------------------------------------------------

BTW: Setting empty password works for me in FIPS mode:

# modutil -dbdir /tmp/ -create

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

# modutil -dbdir /tmp/ -chkfips true
FIPS mode enabled.

# modutil -dbdir /tmp/ -changepw "NSS FIPS 140-2 Certificate DB"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Enter new password: 
Re-enter new password: 
Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

# certutil -d /tmp/ -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
certutil: no keys found

Comment 5 Bob Relyea 2017-02-22 17:47:51 UTC
So NSS has 2 modes: FIPS Level 1 and FIPS level 2. In FIPS level 2 you must authenticate to the token before you can do almost anything. In FIPS level 1 you don't need to authenticate to the token.

NSS determines whether or not you are in FIPS level 1 mode by whether or not the database has a password.

In FIPS mode you can move from Level 1 to Level 2 (by setting the password), but you can't move from level 2 to level 1.

It looks like everything Eugene has mentioned is consistent with that behavior.

The only issue is modutil -create doesn't produce a database without a password. My guess is modutil is creating an uninitialized database which requires sso pin login. I'm guessing this implies to softoken that the database is in FIPS Level 2 mode.

We can deal with this in 2 ways:
1) document you can't use modutil to create a FIPS level 1 database.
or 
2) modify modutil -create to initialize the database at creation time the same way certutil works today.
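The two creation paths from the description and the level 1 / level 2 distinction from comment 5, as an added shell example (not the reporter's commands and not part of nss-tools): it creates a database the way the working path does (certutil -N with an empty password, non-interactively), creates one the way the failing path does (modutil -create), and provides a check that a deployment script can run before a service starts in FIPS mode to see whether the private-key token is usable without a password. It assumes nss-tools is installed; the directory names are constructed for the example, and the check relies on the "could not authenticate to token" and "no keys found" strings shown in this report.

```shell
#!/bin/sh
# Added example, not from the bug report or from NSS itself.
# Assumes certutil and modutil (nss-tools) are on PATH.
set -u

# Working path from the description: certutil -N initializes the DB.
# --empty-password answers the password prompt with "" so the DB ends up
# usable without authentication ("FIPS level 1" in comment 5's terms).
nssdb_create_level1() {
    dir="$1"
    mkdir -p "$dir"
    certutil -N -d "$dir" --empty-password
}

# Failing path from the description: modutil -create leaves the DB
# uninitialized, so NSS treats it as requiring authentication.
# -force skips the "browser is running" confirmation shown in comment 4.
nssdb_create_with_modutil() {
    dir="$1"
    mkdir -p "$dir"
    modutil -dbdir "$dir" -create -force
}

# Check whether the private-key token can be used without a password.
# -f /dev/null supplies an empty password so the check never blocks on a
# prompt. Returns 0 if usable, 1 if NSS reports the authentication error
# from the report (password set or DB uninitialized), 2 on anything else.
nssdb_usable_without_password() {
    dir="$1"
    out=$(certutil -K -d "$dir" -f /dev/null 2>&1)
    case "$out" in
        *"could not authenticate to token"*) return 1 ;;
        *"no keys found"*|*"Checking token"*)  return 0 ;;
        *)                                     return 2 ;;
    esac
}

# Usage: sh nssdb_check.sh /path/to/nssdb
if [ $# -eq 1 ]; then
    nssdb_usable_without_password "$1"
    status=$?
    case "$status" in
        0) echo "$1: usable without a password (level 1)" ;;
        1) echo "$1: requires authentication (uninitialized or password set)" ;;
        *) echo "$1: could not determine state (certutil failed)" ;;
    esac
    exit "$status"
fi
```

Running the check against a database produced by nssdb_create_with_modutil reproduces the report's error path; running it against one produced by nssdb_create_level1 returns 0, which is the state a service expecting a password-less database needs. Setting an empty password afterwards with modutil -changepw, as comment 4 shows, moves a modutil-created database into the same usable state.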

Comment 7 Kai Engert (:kaie) (inactive account) 2017-02-22 19:59:28 UTC
We need a bug filed upstream that requests and implements the enhancement for modutil.

Comment 19 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679

