Closed Bug 686761 Opened 8 years ago Closed 8 years ago
crlutil -f switch ignored when importing CRLs in FIPS mode
User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20110904 Red Hat/3.6-1.el5_7 Firefox/3.6.22
Build ID: 20110904115320

Steps to reproduce:

I'm on a RHEL6.1 box, with nss-tools-3.12.9-9.el6.i686. (None of the Red Hat patches changes crlutil.c, and according to MXR it hasn't changed in mozilla-central since 2010.)

To duplicate the problem you will need an NSS database with a CA certificate in it, and a CRL issued by that CA. The following commands will prepare such a database:

cat > pwfile <<EOF
NSS Certificate DB:foo
NSS FIPS 140-2 Certificate DB:foo
EOF
mkdir ca server
for db in ca server; do certutil -d $db -f pwfile -N; done
certutil -d ca -f pwfile -S -n ca -s 'cn=ca.example.com,dc=example,dc=com' -x -t CT,CT,CT   # type random keys as requested
certutil -d ca -f pwfile -L -n ca -r > ca.crt
(date +'update=%Y%m%d%H%M%SZ'; date -d 'now + 1 week' +'nextupdate=%Y%m%d%H%M%SZ') > crl.conf
crlutil -d ca -f pwfile -G -c crl.conf -n ca -o ca.crl
certutil -d server -f pwfile -A -n ca -t CT,C,C -i ca.crt

Actual results:

Under non-FIPS circumstances, a CRL can be imported without a password:

modutil -dbdir server -fips false   # hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl   # no password prompted for
# delete the CRL
crlutil -d server -f pwfile -D -n ca

But under FIPS mode, authentication appears to be required, and the -f switch does not supply it adequately:

modutil -dbdir server -fips true   # hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl   # A password prompt shows.

Expected results:

Expected behavior:

modutil -dbdir server -fips true   # hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl   # No password prompt.
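A scripted regression check for the behaviour reported above, added here as an example (it is not the reporter's reproducer and not an NSS test-suite script): it rebuilds the two databases with the commands from the report, switches the server database to FIPS mode, then runs the CRL import with stdin closed, so that an unexpected password prompt fails immediately instead of waiting for a keystroke. It assumes certutil, crlutil and modutil from nss-tools are on PATH, that the script is started as `sh check.sh run`, and that `pwfile_password`, `import_without_prompt` and `run_check` are names of my choosing.

```shell
#!/bin/sh
# Added regression check for the crlutil -f / FIPS mode report (example code,
# not the bug's own patch). Usage: sh check.sh run   (needs nss-tools on PATH)
set -e

# Return the password for one token name from an NSS "-f" password file.
# Lines look like "NSS FIPS 140-2 Certificate DB:foo" (token name, colon, password).
pwfile_password() {
    grep "^$2:" "$1" | head -n 1 | cut -d: -f2-
}

# Run crlutil -I with stdin closed: if crlutil still prompts, the prompt reads
# EOF and the import fails, so the exit status shows whether -f was honoured.
import_without_prompt() {      # $1 = db dir, $2 = pwfile, $3 = CRL file
    crlutil -d "$1" -f "$2" -I -i "$3" </dev/null >/dev/null 2>&1
}

run_check() {
    work=$(mktemp -d); cd "$work"
    # Same password for the non-FIPS and the FIPS token, as in the report.
    printf '%s\n' 'NSS Certificate DB:foo' 'NSS FIPS 140-2 Certificate DB:foo' > pwfile
    mkdir ca server
    for db in ca server; do certutil -d "$db" -f pwfile -N; done
    # -z supplies key-generation noise so no interactive keystrokes are needed.
    certutil -d ca -f pwfile -S -n ca -s 'cn=ca.example.com,dc=example,dc=com' \
        -x -t CT,CT,CT -z /dev/urandom
    certutil -d ca -f pwfile -L -n ca -r > ca.crt
    { date +'update=%Y%m%d%H%M%SZ'
      date -d 'now + 1 week' +'nextupdate=%Y%m%d%H%M%SZ'; } > crl.conf
    crlutil -d ca -f pwfile -G -c crl.conf -n ca -o ca.crl
    certutil -d server -f pwfile -A -n ca -t CT,C,C -i ca.crt
    modutil -dbdir server -fips true -force     # -force skips the confirmation prompt
    if import_without_prompt server pwfile ca.crl; then
        echo "PASS: CRL imported in FIPS mode using the -f password file"
    else
        echo "FAIL: crlutil prompted (or failed) despite -f pwfile in FIPS mode"
        exit 1
    fi
}

case "${1-}" in run) run_check ;; esac
```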
No test, because I'm not sure whether it goes in fips.sh (which does nothing with CRLs right now) or in cert.sh (which does nothing with FIPS right now).
Thank you Jarred for this report and the proposed patch to the tool with a good reproducer. Though fips.sh may be a possibility, tools.sh could also be a good place for this test as this could be considered a bug on the crlutil tool rather than the libraries themselves. I'm currently trying to replicate and verify myself but for some odd reason I can't turn on fips mode on the server database.
I was able to reproduce the problem on RHEL 6.2 and verify that the patch has the intended result of getting rid of the unwanted prompt. It's what we currently do on certutil and similarly with modutil. It's looking good to me.
Running crlutil -h showed:

...
-f pwd-file          Provide path to a default pwd file
-w pwd-string        Provide db password in command line
...

so this patch implements the "-f pwd-file" option as was originally intended.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 560348: before importing CRLs, authenticate if necessary using pwdata

r+ from me for jared's patch.
Attachment #560348 - Flags: review+
Patch committed to TRUNK:

Checking in crlutil.c;
/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.34; previous revision: 1.33
done
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED