Closed Bug 317630 Opened 16 years ago Closed 15 years ago

PSM's FIPS token label is truncated

Categories

(Core :: Security: PSM, defect, P3)

x86
All
defect

Tracking

()

RESOLVED FIXED
Future

People

(Reporter: wtc, Assigned: KaiE)

References

Details

(Whiteboard: [kerh-coa])

Attachments

(2 files, 4 obsolete files)

In PKCS #11, the 'label' field of the CK_TOKEN_INFO
structure is 32 octet long:

  CK_UTF8CHAR label[32];

In Firefox's Device Manager, you see that the label
of the NSS FIPS token is truncated:

  Label    PSM Internal FIPS-140-1 Cryptogr

This string comes from
mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties:

  # 64
  FipsSlotDescription=PSM Internal FIPS-140-1 Cryptographic Services

which is 46 octet long.  This string needs to be shortened to avoid
truncation.  (In non-FIPS mode, the token's label is
"Software Security Device".)  We should take the opportunity
to review the other PKCS #11 strings in that file to make sure
they are the right length and make sense to most people.
Whiteboard: [kerh-coa]
Blocks: 320231
This also affects localization of verbose languages (see bug 320231)
Priority: -- → P3
Target Milestone: --- → Future
Attached patch Patch v1 (obsolete) — Splinter Review
This is a first patch to address the primary problem with wording truncation. The proposal is to use the same wording "Software Security Device" as people are used to in the standard crypto mode - however, with "(FIPS)" appended.

Once we land this, we should keep the bug open, in order to address Wan-Teh's other concerns.
Attachment #255544 - Flags: review?(rrelyea)
Comment on attachment 255544 [details] [diff] [review]
Patch v1

oh, I notice an issue with this patch. We are required to change the string identifier whenever we change the string, in order to assist people who localize.
Attachment #255544 - Attachment is obsolete: true
Attachment #255544 - Flags: review?(rrelyea)
I also notice an inconsistency, our hardcoded strings in PSM say "fips 140-1", while NSS' internal string talk about "140-2".

I propose we remove that number from PSM's strings, in order to avoid future inconsistencies.

I take the opportunity to remove "PSM" from that string, too. Nobody knows what PSM means, and for end users it's not relevant to know.
OS: Windows XP → All
Attached patch Patch v2 (obsolete) — Splinter Review
Attachment #255547 - Flags: review?(rrelyea)
Attached patch Patch v3 (obsolete) — Splinter Review
sigh ;-) third attempt of a patch. We of course must change the user of the string ID when changing it. forgot to include this diff in the previous patch.
Attachment #255547 - Attachment is obsolete: true
Attachment #255558 - Flags: review?(rrelyea)
Attachment #255547 - Flags: review?(rrelyea)
Ideally the FIPS statement should be FIPS-140. The -1 or -2 should be removed. That changes over time (NIST is working on -3). There are more than one FIPS standard, they don't all deal with crypto. Besides FIPS-140, FIPS-200 and FIPS-201 are of interest to most customers of FIPS-140.

The -140 should be included unless we are running into string constraints.
Comment on attachment 255558 [details] [diff] [review]
Patch v3

r+= relyea.

this patch is acceptable, but I do have some suggested changes.


1) The new name should be called  fipsTokenDescription (this is part of the confusion about string length. Token descriptions are 32 bytes, slot descriptions are 64). I would Create a new variable fipsTokenDescription, remove the fipsPrivateSlotDescription and name fipsSlotDescription2 to something like "FIPS-140 Cryptographic, Key and Certificate Services"
(the latter string would only be visible in the Security manager).

fipsTokenDescription should be passed to PK11_ConfigurePKCS11 in the same position as fipsSlotDescription today. fipsSlotDescription2 should be passed to PK11_ConfigurePKCS11 in the same position as fipsPrivateSlotDescription today.

FIPS should be FIPS-140 where ever it's possible to fit the full string.
Attachment #255558 - Flags: review?(rrelyea) → review+
Attached patch Patch v4 (obsolete) — Splinter Review
Patch after addressing Bob's comments

I learn that 140 is an important piece of the FIPS message, so I shortened Software to Softw. in the prompt:

  FIPS-140 Softw. Security Device
Attachment #255558 - Attachment is obsolete: true
Attached patch Patch v5Splinter Review
Attachment #255776 - Attachment is obsolete: true
fix checked in to trunk.

I also checked in a little change that will give the details&value column a bit more dynamic space in device manager, when enlarging the window. This makes it possible to actually have a chance to read that longer 64 bit wide descriptions.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Kai, please remove the '-' in "FIPS-140".

"S/W" may be a better abbreviation than "Softw."  But I hope we
can avoid abbreviations.

The name I like the best is "Software Security Device (FIPS mode)",
but it's too long.  (The term "FIPS mode" appears in NIST's FIPS
140-2 Implementation Guidance document.)  "Software Security Device (FIPS)"
is the best name under the length constraint that I can come up with.
Duplicate of this bug: 293123
(In reply to comment #12)
> Kai, please remove the '-' in "FIPS-140".

ok


> "S/W" may be a better abbreviation than "Softw."  But I hope we
> can avoid abbreviations.

In Germany, S/W is the abbreviation for "black and white" and when doing a web search, I find pages talking about black&white ranked higher. Personally I find Softw. more obvious than S/W.


> The name I like the best is "Software Security Device (FIPS mode)",
> but it's too long.  (The term "FIPS mode" appears in NIST's FIPS
> 140-2 Implementation Guidance document.)  "Software Security Device (FIPS)"
> is the best name under the length constraint that I can come up with.


Ok, as Bob also said "let's omit 140 if there is little space"
I'm ok to change it to
  "Software Security Device (FIPS)"

This might be best, as the usual (non-FIPS) prompt reads
  "Software Security Device"
Bob,

- the first string changes the master password prompt

- the second string changes the long description in device manager, I'm only removing the dash
Attachment #270189 - Flags: review?(rrelyea)
Comment on attachment 270189 [details] [diff] [review]
Incremental Patch v6 [checked in]

Yes, these are much better.
Attachment #270189 - Flags: review?(rrelyea) → review+
Comment on attachment 270189 [details] [diff] [review]
Incremental Patch v6 [checked in]

Patch checked in to trunk
Attachment #270189 - Attachment description: Incremental Patch v6 → Incremental Patch v6 [checked in]
Duplicate of this bug: 345188
It seems the fix was not sufficient, the longer label is still being used and truncated. See bug 428421.
Blocks: 428421
You need to log in before you can comment on or make changes to this bug.