[xmlsec] signature verification failures using NSS with FIPS

Roumen Petrov xmlsec at roumenpetrov.info
Sat Jan 2 09:34:31 PST 2016


Hello,

I would like to continue discussion.
Aleksey please find my comments below.

Lara Blatchford wrote:
> We are using mod_nss 1.0.8; this appears to indicate that the bug being described
> was addressed in mod_nss 1.0.3.
>
> Thanks,
> Lara
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, June 25, 2015 12:55 PM
> To: Lara Blatchford; xmlsec at aleksey.com
> Subject: Re: [xmlsec] signature verification failures using NSS with FIPS
>
>
> https://www.google.com/search?q=nss+certificate+verification+fails+fips+mode&ie=UTF-8#q=nss+certificate++failed+fips+
>
> The first link.
I don't think that results from internet queries could help.

The main issue is that the NSS module is in FIPS mode.
I'm not sure that pages like 
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation" 
could explain the difference.
It seems to me that when the module is in FIPS mode the user should authenticate to 
it on each operation. In particular, the verify operation also requires the user 
to enter a password.


xmlsec should use PK11_SetPasswordFunc to register a password callback.

It seems to me the NSS test database is not protected by a "master" password, 
and so test operations pass in non-FIPS.



> Aleksey
>
[SNIP]

Regards
Roumen Petrov


