[xmlsec] signature verification failures using NSS with FIPS

Lara Blatchford lara.blatchford at nteligen.com
Tue Jun 23 08:49:34 PDT 2015 

Though I am able to generate signatures using RSA keys retrieved from a
FIPS-enabled NSS database, the signatures do
not verify.  

If FIPS is disabled on the database, the signature does verify.

A mail archive post from Wed, 05 Mar 2003 21:39:24 indicated that FIPS mode
is not supported for the NSS library.
Why is this, and is there a plan to add support in the future?

Here is the error received when attempting to verify the database, as well
as the  signature portion of my XML document:

[nss]$ xmlsec1 --verify --crypto nss --crypto-config . 100_1_2003_doc.xml
func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha512:subj
=VFY_EndWithSignature:error=4:crypto library function failed:error
code=-8182;last nss error=-8182 (0xFFFFE00A)
func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj=rsa-sh
a512:subj=xmlSecTransformVerify:error=1:xmlsec library function failed:
;last nss error=-8182 (0xFFFFE00A)
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlSecTran
sformVerifyNodeContent:error=1:xmlsec library function failed: ;last nss
error=-8182 (0xFFFFE00A)
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "100_1_2003_doc.xml"
[nss]$
[nss]$ modutil -chkfips true -dbdir .
FIPS mode enabled.
[nss]$

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <Reference URI="#xpointer(/)">
        <Transforms>
          <Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
 
<DigestValue>DotbZXz+hs3PZpA2SflWZvtbT9LI0i7pUMGfx9g1isX92tD8FtQ09r3wVls3gRZ
r
mIkMbgPU4pbcV493Ks/j7g==</DigestValue>
      </Reference>
    </SignedInfo>
 
<SignatureValue>ol+p5Jpj7mL+gl5UfeIemn4d+NBAgHpRKmUzl1/aJuJ82frs5WHep5zvVbdU
cWNg
RTalqXo0D1TlbT6JzP54UnwCYSTk8L9ttROPKRWF+28sJzujigyVQ0QYDkGJLu3e
R7IunkvESUmoiBjDZlJXHoBkrWVIeazvV0qfouQHmFHxNxg8epLXsjXkUjNgyWUK
WFDqnS2h+qTNvuxYEOUcQaR1wDvSg/7KHCoEfShMLOY1avgs3ZEDfEX2Vn0GsN9w
Fy1smTmeBd+yHINe3HpkOJeG5h7zpCdTU2NSD1Bs3gWH4r/HSUNENswIKdpS58JJ
6hLhncPMK28FiyLOefcCUYVfUu0i5nROcCZewbgOJws2fmn21GcXm9XlrUM7tNP+
73FP2I0sdQU04mPbj2TcacGprw1ELd1zIJFDxGVYmQ9fQ1zoOpXr1O6C0iTxHrGk
80KEwhTiuHwiLtSbc2I2F/fKWKqun/VQ1pKccN9b9jNaNPCFvzs87luuW3OKW7w3
DQiLJKQ8e9/b3sJEf9HYFNDmam75rm4E15rPvNr97jF5uZQ55dwQGp3tEPejbAtg
6rkEifPTOMydGFT6G7nSKM+T3+mw051BovXgtuVkg4YxRGsv2ozWgwCKQv4kdrZ8
lfCpA4vij5HcFoOPsleth5twmY69GBMPnl0cgfmW7sA=</SignatureValue>
    <KeyInfo>
<KeyName>signingCert</KeyName>
<X509Data>
<X509Certificate>MIIEpzCCAo+gAwIBAgIBADANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwt
zaWdu
aW5nQ2VydDAgFw0xNTA2MjMxNTMwMzNaGA81MDU5MDIyMzE1MzAzM1owFjEUMBIG
A1UEAxMLc2lnbmluZ0NlcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQDeKjUCmUAIis5nJ2xYkRo8OYoH853ebnLh+WxnjSy6vUzkKQGRsNgBWY0XJpgf
kugjZpUH1F6LaV/4e/jzvGp5fF+f42u9X9VPXYod07dzbJneJTdw+WcSw9v4oKzK
J/gqLvuz+MTT0GRN5M+E7tT7vjyz/D/n+mPpmd6TAUYnYTPI+6OMfbbD4pDu7Xyf
c8whVfLbRuIR0qC43V3dNAg6Hb0FqJH1VkQe83iTdhGM2G21ppQuxBZsMjsLvlvR
rAyt4Ma6q4AIMx/slyP0ZNrSo0HYqEVYo3+ZPjdHyzUDtKgmybO8yM/HXrXtQHVs
HolnHEQPNOuhFiOB8lkWUUuDjHshBAelmf05466qYK32MXXV27vpzwL5n6uw1C8D
qj/BJrvFCGRfhJMSJcRVR6CznWMByclvPH0YGoL/nwm3Y5d5/CzG6aE34FF+jExF
uCEb1/L48hVR+RtY7G9GyUigQ8lM0YzTDRIlEeWd1YZ5JJwQmaanw1qV+/8z/FMC
aRDrmNVWuIPBx3Hh8B+i6Lw8HJ+JqlDdR3dYPH0HGhwvsJrIG1PN1PHbfjkgxVh4
70NJ85qyt/Dk9ulxNIYpEgiCCSSdVrWhg9iH+Wi23VUtKQADyqqXlPfv7cArYstH
d3O7ihgxK/fs9zt29RSP0IRPppr2JogjNEsb4qq+BOKO4wIDAQABMA0GCSqGSIb3
DQEBBQUAA4ICAQBVKULeDMz/HdA8Z2XmVOkv/OckVm/ZxjJYG4HnZQ3VR10Ih9Oq
gpJgRS0k1lpwFgQJMNV0kT2yxmlHWTuYrvQty7RXSFIbfANojCivJ+LnFYiJjqZi
WwQOT51NQ849MTwRV8ETHbWkuA3oEPRqJFVrM3Ww66IEPFLLWH7ybH3ij7TD/T9d
1xuBk+5NC3Tn1ECLEhiKYZ8sVnSFtQqIXx3bYecwGc53ToUqrXMqei6zSkrxdz7N
xZ3vahhRoK0Pjd7foLVktQ279h/Sg6QtB5V8hLBhFouu7qRB3I02B/h8fGhfxf22
mMgtppQnOYpO27LUIo2OqzO9g7/dbvlyoRNIJ2iBQpJohKfHFEq9Bhn9jsurOVuV
F2+lgHOEWqPMAEa30mFzvkcauQlZJ2wK5TVWFt5jPlGj3Nq0rIelCjFqkEgaJTfU
Cvlgbt3hobr5nLeBpk3P4fsUe/m2FNiYLcoE+z4tTSdmZ0lMWBqQySfOm3WU5txR
e6YgfRnQOckuIWJJIcCvFgVBqeV+QKueWUG1EGCBw4LmcWibV+0GRgT8PYDsCsFL
H9AGwhAKDuZXGdhIM/88zL7FPfE8A0Cb0FnYtrWh93wz4K3CTZZrn3bG2xpctco0
E6mxACLMMkgy792ldum5QfOiLiA1KYe4ZvwS4/rJIlzdf7LQy/liBpT4Nw==</X509Certificat
e>
</X509Data>
</KeyInfo>
  </Signature>

Thanks you,
Lara

~~~~~~~~~~~~~~
Lara Blatchford
Principal Engineer
Nteligen, LLC


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20150623/790ecf35/attachment.html>

More information about the xmlsec mailing list