Bug 1419179 - nssdb not created correctly in a fips environment when password is not set
Summary: nssdb not created correctly in a fips environment when password is not set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daiki Ueno
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On:
Blocks: 1420851
Reported: 2017-02-03 20:02 UTC by Eugene Keck
Modified: 2021-06-10 11:54 UTC
CC: 8 users

Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 09:25:43 UTC
Target Upstream Version:
Embargoed:




Links
- Mozilla Foundation bug 1395495 (P3, RESOLVED): "modutil -create should initialize database with empty password", last updated 2021-02-15 16:26:21 UTC
- Red Hat Product Errata RHEA-2018:0679, last updated 2018-04-10 09:26:39 UTC

Description Eugene Keck 2017-02-03 20:02:09 UTC
Description of problem:
nssdb not created correctly in a fips environment when password is not set. 

Version-Release number of selected component (if applicable):
nss-tools-3.21.3-2.el7_3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS
2. modutil -dbdir /tmp/ -create
3. certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem 

Actual results:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

Expected results:
No error and allowed to add certs.

Additional info:

Using certutil to create the nssdb and not setting a password I am successfully able to add my cert

$ certutil -N -d /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

I am also able to add my certs if I set a password 

$ modutil -dbdir /tmp/ -create
$ modutil -changepw 'NSS FIPS 140-2 Certificate DB' -dbdir /tmp/
$ certutil -A -d /tmp/ -n "my cert" -t "CT,C,C" -i cert.pem

There is not a way using modutil to create a nssdb without a password and be able to use it in a FIPS environment.

Comment 4 Ondrej Moriš 2017-02-17 10:20:09 UTC
Hm, I do not see the difference between FIPS and non-FIPS environment. Steps from the description give the same result in non-FIPS mode. 

Kai, is a user expected to set a password (even an empty one) after creating an NSS DB via modutil? That is

1. modutil -dbdir /tmp -create
2. modutil -dbdir /tmp -changepw 

It looks like authentication is required by default after DB creation (regardless of FIPS mode).

------------------------------------------------------

BTW: Setting empty password works for me in FIPS mode:

# modutil -dbdir /tmp/ -create

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

# modutil -dbdir /tmp/ -chkfips true
FIPS mode enabled.

# modutil -dbdir /tmp/ -changepw "NSS FIPS 140-2 Certificate DB"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Enter new password: 
Re-enter new password: 
Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

# certutil -d /tmp/ -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
certutil: no keys found

Comment 5 Bob Relyea 2017-02-22 17:47:51 UTC
So NSS has 2 modes: FIPS Level 1 and FIPS Level 2. In FIPS Level 2 you must authenticate to the token before you can do almost anything. In FIPS Level 1 you don't need to authenticate to the token.

NSS determines whether or not you are in FIPS Level 1 mode by whether or not the database has a password.

In FIPS mode you can move from Level 1 to Level 2 (by setting the password), but you can't move from Level 2 to Level 1.

It looks like everything Eugene has mentioned is consistent with that behavior.

The only issue is modutil -create doesn't produce a database without a password. My guess is modutil is creating an uninitialized database which requires sso pin login. I'm guessing this implies to softoken that the database is in FIPS Level 2 mode.

We can deal with this in 2 ways:
1) document you can't use modutil to create a FIPS level 1 database.
or 
2) modify modutil -create to initialize the database at creation time the same way certutil works today.

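The reporter's steps and Bob Relyea's explanation above both turn on one question: has the token PIN of a given NSS database ever been initialised (certutil -N does this, even for an empty password), or was the database merely created on disk (the modutil -create case, which leaves the token demanding an SSO/user PIN login, i.e. Level 2 behaviour in Bob's terms)? The script below answers that question by reading key4.db directly, so you can triage a database directory without provoking the interactive prompt or the SEC_ERROR_IO failure. It is an added example, not code from NSS or from anyone in this thread, and it rests on one assumption the report does not state: softoken's sqlite key database keeps the password check value in a table named metaData under the row id "password". Everything else (the DbState names, the build_constructed_dir helper and the placeholder files it writes) is invented here for illustration. Note that the upstream fix referenced under Links (shipped in nss-3.34) makes modutil -create initialise the database with an empty password too, so on fixed builds this check mainly matters for databases created by older tooling.

```python
#!/usr/bin/env python3
"""Report whether an NSS sql: database directory has had its token PIN
initialised, by reading key4.db directly instead of triggering the
SEC_ERROR_IO prompt with certutil.

Added example for this bug report; not code from NSS or from the thread.
Assumption (not stated in the report): softoken stores the password check
value in the key4.db table ``metaData`` under the row id ``password``.
``certutil -N`` writes that row even for an empty password; a database that
was only created (``modutil -create`` on old nss-tools) has no such row, or
no metaData table at all, so the token still requires a PIN login.
"""
import os
import sqlite3
import sys
import tempfile
from enum import Enum

SQLITE_MAGIC = b"SQLite format 3\x00"


class DbState(Enum):
    MISSING = "no key4.db here: not an sql: database, or not created yet"
    LEGACY = "dbm-format key3.db found: not inspected by this tool"
    UNINITIALISED = ("key4.db exists but the token PIN was never set: "
                     "login required, i.e. FIPS Level 2 behaviour")
    INITIALISED = ("token PIN initialised (empty or real password); run "
                   "certutil -K -d sql:DIR to see whether it prompts")


def inspect_nss_dir(dbdir: str) -> DbState:
    """Classify the NSS database in dbdir without loading NSS at all."""
    key4 = os.path.join(dbdir, "key4.db")
    if not os.path.isfile(key4):
        # The older Berkeley DB format keeps keys in key3.db instead.
        if os.path.isfile(os.path.join(dbdir, "key3.db")):
            return DbState.LEGACY
        return DbState.MISSING
    with open(key4, "rb") as fh:
        if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
            raise ValueError(f"{key4}: not an sqlite file")
    # Read-only URI: inspection must never be able to modify the key database.
    conn = sqlite3.connect(f"file:{key4}?mode=ro", uri=True)
    try:
        has_meta = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name='metaData'"
        ).fetchone()
        if has_meta is None:
            return DbState.UNINITIALISED
        row = conn.execute("SELECT 1 FROM metaData WHERE id='password'").fetchone()
    finally:
        conn.close()
    return DbState.INITIALISED if row else DbState.UNINITIALISED


def build_constructed_dir(kind: str) -> str:
    """Create a throw-away directory imitating the layout assumed above.

    The files are constructed for demonstration only: they are not real NSS
    databases, hold no keys, and the metaData blobs are placeholders.
    kind is one of "empty", "uninitialised" or "initialised".
    """
    dbdir = tempfile.mkdtemp(prefix="nssdb-demo-")
    if kind == "empty":
        return dbdir
    conn = sqlite3.connect(os.path.join(dbdir, "key4.db"))
    with conn:
        conn.execute("CREATE TABLE nssPrivate "
                     "(id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0)")
        if kind == "initialised":
            conn.execute("CREATE TABLE metaData "
                         "(id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2)")
            # Real NSS stores a salt and an encrypted check value; placeholders here.
            conn.execute("INSERT INTO metaData VALUES ('password', X'00', X'00')")
    conn.close()
    return dbdir


if __name__ == "__main__":
    # Usage: nss_dbstate.py /path/to/dbdir   (defaults to a constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_dir("uninitialised")
    state = inspect_nss_dir(target)
    print(f"{target}: {state.name}: {state.value}")
```

Point it at a real directory with "python3 nss_dbstate.py /etc/pki/nssdb" (or the sql: directory you created with modutil). An INITIALISED verdict only tells you a PIN exists; whether it is the empty one (Level 1) or a real password (Level 2) still has to be checked with certutil, because deciding that requires running softoken's password-check decryption. The script opens key4.db read-only on purpose: a tool used while triaging FIPS databases must not be able to alter them.
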
Comment 7 Kai Engert (:kaie) (inactive account) 2017-02-22 19:59:28 UTC
We need a bug filed upstream that requests and implements the enhancement for modutil.

Comment 19 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679

