Closed
Bug 1342412
Opened 7 years ago
Closed 7 years ago
In a FIPS environment, certutil should explain the stricter password requirements
Categories
(NSS :: Tools, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.33
People
(Reporter: KaiE, Assigned: ueno)
Details
Attachments
(2 files)
2.25 KB,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
2.58 KB,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
If certutil -N is executed in a FIPS environment, it should explain the expected password strength requirements. Today it requests "The password should be at least 8 characters long, and should contain at least one non-alphabetic character." which is insufficient for FIPS mode.
Assignee | ||
Comment 1•7 years ago
|
||
This patch improves the password prompt by printing the FIPS requirement.
Attachment #8902623 -
Flags: review?(kaie)
Assignee | ||
Comment 2•7 years ago
|
||
certutil -N currently doesn't error out when it fails to set password. This adds some checks around the call to PK11_InitPin and SECU_ChangePW2 to catch the error earlier.
Attachment #8902624 -
Flags: review?(kaie)
Reporter | ||
Comment 3•7 years ago
|
||
Comment on attachment 8902623 [details] [diff] [review] certutil-fips-pwreq.patch Do you want to check if FIPS_MIN_PIN could be moved to a public header file, that certutil could include, to avoid copying the definition?
Attachment #8902623 -
Flags: review?(kaie) → review+
Reporter | ||
Updated•7 years ago
|
Attachment #8902624 -
Flags: review?(kaie) → review+
Reporter | ||
Comment 4•7 years ago
|
||
(In reply to Kai Engert (:kaie:) from comment #3) > Do you want to check if FIPS_MIN_PIN could be moved to a public header file, > that certutil could include, to avoid copying the definition? Please let me know if you want to try this, or if it's too much hassle and I should go ahead and check it in. Thanks
Assignee: nobody → dueno
Flags: needinfo?(dueno)
Assignee | ||
Comment 5•7 years ago
|
||
(In reply to Kai Engert (:kaie:) from comment #4) > (In reply to Kai Engert (:kaie:) from comment #3) > > Do you want to check if FIPS_MIN_PIN could be moved to a public header file, > > that certutil could include, to avoid copying the definition? > > Please let me know if you want to try this, or if it's too much hassle and I > should go ahead and check it in. I was thinking about that, but realized that it is not trivial, considering our RHEL packaging and FIPS validation. Though it's unlikely, the FIPS requirements for passwords may change in the future. In that case, all three packages we have (nss-util, nss-softokn, nss) must be in sync about the change. If we determined the requirements at compile time, there could be any inconsistencies, because we may need to keep shipping older nss-softokn with newer nss-util and nss. So I would rather suggest to have this constant as a private copy, to make it easily adjustable in such situations.
Flags: needinfo?(dueno)
Reporter | ||
Comment 6•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/07d0f4131459 https://hg.mozilla.org/projects/nss/rev/597c4badcc6c
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.33
You need to log in
before you can comment on or make changes to this bug.
Description
•