Bug 1539785 - modutil rejects new empty password in FIPS mode on clean database
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.5
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1508581
Blocks: 1566472 1730687
Reported: 2018-01-29 15:40 UTC by Hubert Kario
Modified: 2019-07-17 11:08 UTC

Fixed In Version:
Doc Text:
Clone Of: 1508581
: 1566472 1730687
Environment:
Last Closed: 2018-11-09 14:40:52 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Mozilla Foundation 1415847 -- RESOLVED modutil -changepw shouldn't prompt for old password if it's the empty string 2020-02-06 13:47:00 UTC
Mozilla Foundation 1453408 -- RESOLVED modutil -changepw fails in FIPS mode if password is an empty string 2020-02-06 13:47:00 UTC

Description Hubert Kario 2018-01-29 15:40:01 UTC
Description of problem:


I am seeing a difference in behaviour with regard to modutil in RHEL7.5.


RHEL7.5
===========
Red Hat Enterprise Linux release 7.5 Beta (Maipo)

Version: nss-3.34.0-4.el7.x86_64


$ mkdir abc

$ cd abc
$ modutil -dbdir . -create -force
$ modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
Enter old password:



RHEL7.4.z
=========
Red Hat Enterprise Linux Server release 7.4 (Maipo)
version: nss-3.28.4-15.el7_4.x86_64

[root@server-3294 abc]# modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
[root@server-3294 abc]#



Version-Release number of selected component (if applicable):
nss-tools-3.34.0-0.1.beta1.el7.x86_64

Actual results:
 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null 

The above command prompts for password



Expected results:

 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null

The above command should not prompt for old password. 

Additional info:

