PSM's FIPS token label is truncated

RESOLVED FIXED in Future

Status

Core
Security: PSM
P3
normal
RESOLVED FIXED
12 years ago
7 years ago

People

(Reporter: Wan-Teh Chang, Assigned: kaie)

Tracking

(Blocks: 1 bug)

Trunk
Future
x86
All

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kerh-coa])

Attachments

(2 attachments, 4 obsolete attachments)

(Reporter)

Description

12 years ago
In PKCS #11, the 'label' field of the CK_TOKEN_INFO
structure is 32 octets long:

  CK_UTF8CHAR label[32];

In Firefox's Device Manager, you see that the label
of the NSS FIPS token is truncated:

  Label    PSM Internal FIPS-140-1 Cryptogr

This string comes from
mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties:

  # 64
  FipsSlotDescription=PSM Internal FIPS-140-1 Cryptographic Services

which is 46 octets long.  This string needs to be shortened to avoid
truncation.  (In non-FIPS mode, the token's label is
"Software Security Device".)  We should take the opportunity
to review the other PKCS #11 strings in that file to make sure
they are the right length and make sense to most people.
(Assignee)

Updated

12 years ago
Whiteboard: [kerh-coa]
Blocks: 320231
This also affects localization of verbose languages (see bug 320231)

Updated

12 years ago
Priority: -- → P3
Target Milestone: --- → Future
(Assignee)

Comment 2

11 years ago
Created attachment 255544 [details] [diff] [review]
Patch v1

This is a first patch to address the primary problem with wording truncation. The proposal is to use the same wording "Software Security Device" as people are used to in the standard crypto mode - however, with "(FIPS)" appended.

Once we land this, we should keep the bug open, in order to address Wan-Teh's other concerns.
Attachment #255544 - Flags: review?(rrelyea)
(Assignee)

Comment 3

11 years ago
Comment on attachment 255544 [details] [diff] [review]
Patch v1

Oh, I notice an issue with this patch. We are required to change the string identifier whenever we change the string, in order to assist people who localize.
Attachment #255544 - Attachment is obsolete: true
Attachment #255544 - Flags: review?(rrelyea)
(Assignee)

Comment 4

11 years ago
I also notice an inconsistency: our hardcoded strings in PSM say "fips 140-1", while NSS' internal strings talk about "140-2".

I propose we remove that number from PSM's strings, in order to avoid future inconsistencies.

I take the opportunity to remove "PSM" from that string, too. Nobody knows what PSM means, and for end users it's not relevant to know.
(Assignee)

Updated

11 years ago
OS: Windows XP → All
(Assignee)

Comment 5

11 years ago
Created attachment 255547 [details] [diff] [review]
Patch v2
Attachment #255547 - Flags: review?(rrelyea)
(Assignee)

Comment 6

11 years ago
Created attachment 255558 [details] [diff] [review]
Patch v3

sigh ;-) third attempt at a patch. We of course must change the user of the string ID when changing it. Forgot to include this diff in the previous patch.
Attachment #255547 - Attachment is obsolete: true
Attachment #255558 - Flags: review?(rrelyea)
Attachment #255547 - Flags: review?(rrelyea)

Comment 7

11 years ago
Ideally the FIPS statement should be FIPS-140. The -1 or -2 should be removed. That changes over time (NIST is working on -3). There is more than one FIPS standard; they don't all deal with crypto. Besides FIPS-140, FIPS-200 and FIPS-201 are of interest to most customers of FIPS-140.

The -140 should be included unless we are running into string constraints.

Comment 8

11 years ago
Comment on attachment 255558 [details] [diff] [review]
Patch v3

r+= relyea.

this patch is acceptable, but I do have some suggested changes.


1) The new name should be called fipsTokenDescription (this is part of the confusion about string length. Token descriptions are 32 bytes, slot descriptions are 64). I would create a new variable fipsTokenDescription, remove the fipsPrivateSlotDescription and name fipsSlotDescription2 to something like "FIPS-140 Cryptographic, Key and Certificate Services"
(the latter string would only be visible in the Security manager).

fipsTokenDescription should be passed to PK11_ConfigurePKCS11 in the same position as fipsSlotDescription today. fipsSlotDescription2 should be passed to PK11_ConfigurePKCS11 in the same position as fipsPrivateSlotDescription today.

FIPS should be FIPS-140 wherever it's possible to fit the full string.
Attachment #255558 - Flags: review?(rrelyea) → review+
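
The length limits from the description (32-byte token label) and from comment 8 (64-byte slot description), as an added example that is not part of the original thread and is not NSS or PSM code. `p11_fill_field` is a hypothetical helper; it also goes beyond the ASCII case in the thread by cutting localized UTF-8 strings at a character boundary, and the last sample label is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Widths stated on the page: CK_TOKEN_INFO.label is 32 bytes,
 * slot descriptions are 64 bytes (comment 8). */
#define TOKEN_LABEL_LEN 32
#define SLOT_DESC_LEN   64

/* Hypothetical helper (not an NSS or PSM function): copy a NUL-terminated
 * UTF-8 string into a fixed-width PKCS #11 text field, which is blank-padded
 * and not NUL-terminated. On overflow, cut at a UTF-8 character boundary so
 * no partial multi-byte sequence is stored. Returns the number of source
 * bytes dropped; 0 means the string fit. */
size_t p11_fill_field(unsigned char *dst, size_t width, const char *src)
{
    size_t len = strlen(src);
    size_t keep = len < width ? len : width;

    /* src[keep] is the first dropped byte; while it is a continuation
     * byte (10xxxxxx) the cut is inside a character, so back up. */
    while (keep < len && keep > 0 && ((unsigned char)src[keep] & 0xC0) == 0x80)
        keep--;
    memcpy(dst, src, keep);
    memset(dst + keep, ' ', width - keep);
    return len - keep;
}

int main(void)
{
    /* Labels quoted in the thread; the last entry is a constructed
     * non-ASCII sample (31 ASCII bytes followed by a 2-byte character). */
    const char *labels[] = {
        "PSM Internal FIPS-140-1 Cryptographic Services",
        "Software Security Device (FIPS mode)",
        "Software Security Device (FIPS)",
        "FIPS-140 Softw. Security Device",
        "Software Security Device (FIPS)\xC3\xA9",
    };
    unsigned char field[TOKEN_LABEL_LEN];

    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        size_t dropped = p11_fill_field(field, sizeof field, labels[i]);
        printf("[%.*s] dropped=%zu\n", (int)sizeof field, (const char *)field, dropped);
    }
    return 0;
}
```

A nonzero return is the condition a build-time or localization check would flag, since the byte length, not the character count, decides whether a translated label fits.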
(Assignee)

Comment 9

11 years ago
Created attachment 255776 [details] [diff] [review]
Patch v4

Patch after addressing Bob's comments

I learn that 140 is an important piece of the FIPS message, so I shortened Software to Softw. in the prompt:

  FIPS-140 Softw. Security Device
Attachment #255558 - Attachment is obsolete: true
(Assignee)

Comment 10

11 years ago
Created attachment 255777 [details] [diff] [review]
Patch v5
Attachment #255776 - Attachment is obsolete: true
(Assignee)

Comment 11

11 years ago
fix checked in to trunk.

I also checked in a little change that will give the details&value column a bit more dynamic space in device manager, when enlarging the window. This makes it possible to actually have a chance to read those longer 64 bit wide descriptions.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Reporter)

Comment 12

11 years ago
Kai, please remove the '-' in "FIPS-140".

"S/W" may be a better abbreviation than "Softw."  But I hope we
can avoid abbreviations.

The name I like the best is "Software Security Device (FIPS mode)",
but it's too long.  (The term "FIPS mode" appears in NIST's FIPS
140-2 Implementation Guidance document.)  "Software Security Device (FIPS)"
is the best name under the length constraint that I can come up with.

Updated

11 years ago
Duplicate of this bug: 293123
(Assignee)

Comment 14

10 years ago
(In reply to comment #12)
> Kai, please remove the '-' in "FIPS-140".

ok


> "S/W" may be a better abbreviation than "Softw."  But I hope we
> can avoid abbreviations.

In Germany, S/W is the abbreviation for "black and white" and when doing a web search, I find pages talking about black&white ranked higher. Personally I find Softw. more obvious than S/W.


> The name I like the best is "Software Security Device (FIPS mode)",
> but it's too long.  (The term "FIPS mode" appears in NIST's FIPS
> 140-2 Implementation Guidance document.)  "Software Security Device (FIPS)"
> is the best name under the length constraint that I can come up with.


Ok, as Bob also said "let's omit 140 if there is little space"
I'm ok to change it to
  "Software Security Device (FIPS)"

This might be best, as the usual (non-FIPS) prompt reads
  "Software Security Device"
(Assignee)

Comment 15

10 years ago
Created attachment 270189 [details] [diff] [review]
Incremental Patch v6 [checked in]

Bob,

- the first string changes the master password prompt

- the second string changes the long description in device manager, I'm only removing the dash
Attachment #270189 - Flags: review?(rrelyea)

Comment 16

10 years ago
Comment on attachment 270189 [details] [diff] [review]
Incremental Patch v6 [checked in]

Yes, these are much better.
Attachment #270189 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 17

10 years ago
Comment on attachment 270189 [details] [diff] [review]
Incremental Patch v6 [checked in]

Patch checked in to trunk
Attachment #270189 - Attachment description: Incremental Patch v6 → Incremental Patch v6 [checked in]

Updated

10 years ago
Duplicate of this bug: 345188
(Assignee)

Comment 19

7 years ago
It seems the fix was not sufficient; the longer label is still being used and truncated. See bug 428421.
(Assignee)

Updated

7 years ago
Blocks: 428421