Closed Bug 686761 Opened 8 years ago Closed 8 years ago

crlutil -f switch ignored when importing CRLs in FIPS mode

Categories

(NSS :: Tools, defect)

3.12.9
defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jjennings, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.22) Gecko/20110904 Red Hat/3.6-1.el5_7 Firefox/3.6.22
Build ID: 20110904115320

Steps to reproduce:

I'm on a RHEL6.1 box, with nss-tools-3.12.9-9.el6.i686. (None of the Red Hat patches changes crlutil.c, and according to MXR it hasn't changed in mozilla-central since 2010.)

To duplicate the problem you will need an NSS database with a CA certificate in it, and a CRL issued by that CA. The following commands will prepare such a database:

cat > pwfile <<EOF
NSS Certificate DB:foo
NSS FIPS 140-2 Certificate DB:foo
EOF
mkdir ca server
for db in ca server; do certutil -d $db -f pwfile -N; done
certutil -d ca -f pwfile -S -n ca -s 'cn=ca.example.com,dc=example,dc=com' -x -t CT,CT,CT
# type random keys as requested
certutil -d ca -f pwfile -L -n ca -r > ca.crt
(date +'update=%Y%m%d%H%M%SZ'; 
 date -d 'now + 1 week' +'nextupdate=%Y%m%d%H%M%SZ') > crl.conf
crlutil -d ca -f pwfile -G -c crl.conf -n ca -o ca.crl
certutil -d server -f pwfile -A -n ca -t CT,C,C -i ca.crt


Actual results:

Under non-FIPS circumstances, a CRL can be imported without a password:

modutil -dbdir server -fips false
# hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl
# no password prompted for
# delete the CRL
crlutil -d server -f pwfile -D -n ca


But under FIPS mode, authentication appears to be required, and the -f switch does not supply it adequately:

modutil -dbdir server -fips true
# hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl
# A password prompt shows.



Expected results:

Expected behavior:

modutil -dbdir server -fips true
# hit enter to confirm
crlutil -d server -f pwfile -I -i ca.crl
# No password prompt.

No test, because I'm not sure whether it goes in fips.sh (which does nothing with CRLs right now) or in cert.sh (which does nothing with FIPS right now).
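As an added example (not code from the bug report or from NSS), the following Python models what the reproducer above exercises: how the two-line pwfile maps onto the token name the database presents in each mode, and why a tool that does not authenticate with the -f data before the import ends up at a prompt only in FIPS mode. The two token names are the ones in the reproducer's pwfile; the function names, the constructed sample and the rule that a colon-free line is a bare password for any token are this example's own.

```python
"""Model of how crlutil's -f pwd-file supplies the NSS token password.

Added example for this bug page; it is not code from the report or from NSS.
It models the pwd-file format used in the reproducer above: one
"<token name>:<password>" line per token (NSS also accepts a file that holds a
single bare password with no colon). Function names are this example's own.
"""
from typing import Optional

# Names the NSS internal softoken gives its certificate database, depending on
# whether FIPS mode has been switched on with `modutil -fips true`.  Both appear
# in the reproducer's pwfile, which is why that file carries two lines.
NON_FIPS_TOKEN = "NSS Certificate DB"
FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"

# Constructed sample: the same pwfile the reproducer writes with `cat > pwfile`.
SAMPLE_PWFILE = "NSS Certificate DB:foo\nNSS FIPS 140-2 Certificate DB:foo\n"


def token_name(fips_enabled: bool) -> str:
    """Return the internal token name the database presents in the given mode."""
    return FIPS_TOKEN if fips_enabled else NON_FIPS_TOKEN


def login_required_for_crl_import(fips_enabled: bool) -> bool:
    """Whether importing a CRL needs the token unlocked first.

    Per the report: outside FIPS mode the import succeeds with no password;
    in FIPS mode the softoken demands authentication before the import.
    """
    return fips_enabled


def password_for_token(pwfile_text: str, token: Optional[str]) -> Optional[str]:
    """Pick the password for `token` from pwd-file contents.

    A "<name>:<password>" line matches when <name> equals the token name; the
    password may itself contain colons, since only the first one separates.
    A line with no colon is a bare password usable for any token.  Returns None
    when nothing applies, which is the situation in which a tool falls back to
    an interactive prompt.
    """
    bare = None
    for raw in pwfile_text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        name, sep, secret = line.partition(":")
        if not sep:
            if bare is None:
                bare = line  # first bare password wins (this example's choice)
            continue
        if token is not None and name == token:
            return secret
    return bare


def import_would_prompt(pwfile_text: str, fips_enabled: bool,
                        pass_pwdata: bool) -> bool:
    """Decide whether `crlutil -I` would stop at a password prompt.

    pass_pwdata=False models the behaviour this bug fixes: the tool never
    authenticates with the -f data before the import, so in FIPS mode the
    token login falls through to the default interactive prompt.
    pass_pwdata=True models the patched tool, which authenticates first using
    the matching pwd-file entry.
    """
    if not login_required_for_crl_import(fips_enabled):
        return False  # nothing to unlock, so -f is irrelevant (non-FIPS case)
    if not pass_pwdata:
        return True  # token needs login but no password is handed over
    return password_for_token(pwfile_text, token_name(fips_enabled)) is None


if __name__ == "__main__":
    for fips in (False, True):
        for patched in (False, True):
            print(f"fips={fips!s:5} patched={patched!s:5} prompt="
                  f"{import_would_prompt(SAMPLE_PWFILE, fips, patched)}")
```

Running the block prints four lines; only the FIPS-enabled, unpatched combination reports a prompt, matching the "Actual results" above, while the patched FIPS case finds the "NSS FIPS 140-2 Certificate DB" entry and proceeds silently, matching "Expected results".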
Thank you Jarred for this report and the proposed patch to the tool with a good reproducer.

Though fips.sh may be a possibility, tools.sh could also be a good place for this test as this could be considered a bug on the crlutil tool rather than the libraries themselves.

I'm currently trying to replicate and verify myself but for some odd reason I can't turn on fips mode on the server database.
I was able to reproduce the problem on RHEL 6.2 and verify that the patch has the intended result of getting rid of the unwanted prompt. It's what we currently do on certutil and similarly with modutil. It's looking good to me.
Running crlutil -h showed:
...
-f pwd-file          Provide path to a default pwd file
-w pwd-string        Provide db password in command line
...
so this patch implements the "-f pwd-file" option as was originally intended.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → emaldona
Status: NEW → ASSIGNED
Target Milestone: --- → 3.13
Assignee: emaldona → nobody
Comment on attachment 560348 [details] [diff] [review]
before importing CRLs, authenticate if necessary using pwdata

r+ from me for jared's patch.
Attachment #560348 - Flags: review+
Patch committed to TRUNK:
Checking in crlutil.c;
/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.34; previous revision: 1.33
done
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED