Closed Bug 1686354 Opened 4 years ago Closed 3 years ago

clients rsa-pss keys are refused in FIPS mode

Categories

(NSS :: Libraries, defect, P1)

3.41

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: rrelyea, Unassigned)

Details

(Whiteboard: [nss-nofx])

Attachments

(1 file)

Attached file cert.tar.gz

Description of problem:

When the server has only an RSA-PSS key and the client uses RSA-PSS keys, the connection aborts with a handshake_failure alert. This happens only in FIPS mode.

Version-Release number of selected component (if applicable):

nss-3.44.0-7.el8_0

How reproducible:
always

Steps to Reproduce:

  1. Set up FIPS mode.
  2. Set up the server with attachment server/key.pem and server/cert.pem
  3. Create nssdb with ca/cert.pem certificate marked as trusted
  4. tstclnt -d sql:./nssdb/ -h 127.0.0.1 -p 4433

Actual results:

server aborts connection

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Use keys imported from PKCS#12 file
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 19:33:52 ] :: [ BEGIN ] :: Running '/usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 >server.out 2>server.err &'
:: [ 19:33:52 ] :: [ PASS ] :: Command '/usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 >server.out 2>server.err &' (Expected 0, got 0)
:: [ 19:33:52 ] :: [ BEGIN ] :: Running 'rlWaitForSocket 4433 -p 45980'
:: [ 19:33:52 ] :: [ INFO ] :: rlWaitForSocket: Waiting max 120s for socket `4433' to start listening
:: [ 19:33:53 ] :: [ INFO ] :: rlWaitForSocket: Wait successful!
:: [ 19:33:53 ] :: [ PASS ] :: Command 'rlWaitForSocket 4433 -p 45980' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running './nss-client.expect /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512'
spawn /bin/sh -c /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512
tstclnt: read from socket failed: SSL_ERROR_BAD_CERT_ALERT: SSL peer cannot verify your certificate.
:: [ 19:33:53 ] :: [ FAIL ] :: Command './nss-client.expect /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512' (Expected 0, got 1)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'kill 45980'
/usr/share/beakerlib/testing.sh: line 756: 45980 Terminated /usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 > server.out 2> server.err
:: [ 19:33:53 ] :: [ PASS ] :: Command 'kill 45980' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'rlWait 45980'
:: [ 19:33:53 ] :: [ PASS ] :: Command 'rlWait 45980' (Expected 143, got 143)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'cat server.out'
:: [ 19:33:53 ] :: [ PASS ] :: Command 'cat server.out' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'cat server.err'
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
:: [ 19:33:53 ] :: [ PASS ] :: Command 'cat server.err' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 6 good, 1 bad
:: RESULT: FAIL (Use keys imported from PKCS#12 file)

Expected results:
Connection established

Additional info:

When FIPS is disabled, it works.

Whiteboard: [nss-nofx]
Severity: -- → S4
Priority: -- → P1

Works in the current release.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME