ksreedha...@gmail.com wrote:
Understand that it very unlikely that the NSS 3.11.4 FIPS RNG would fail, but if the RNG continuous test failed, NSS would consider that a critical error, and would go into error state setting SEC_ERROR_LIBRARY_FAILURE and would allow no further cryptographic operation, until NSS was re-initialized. All JSS method requesting the NSS module to perform an operation would result with an exception, most likely with org.mozilla.jss.crypto.TokenRuntimeExceptionOn Apr 24, 10:03 am, Wan-Teh Chang <w...@google.com> wrote:On Thu, Apr 23, 2009 at 1:51 PM, <ksreedha...@gmail.com> wrote:Hello,I am using Mozilla JSS provider from Java. JSS 4.2.5NSS 3.11.4 NSPR 4.6.4When the FIPS RNG continuous tests fail, what is the behavior in NSS/JSS. What does it return. do we get an java exception to the calling function.For example, when Java code tries to establish a TLS Socket session,and this continuous tests fail during random number generation, do we get an exception to the socket creation code.I guess so. In FIPS mode, once the continuous RNG test fails, the NSS software crypto module ("softoken") enters an error state, and all subsequent crypto operations will fail. I don't know how these NSS errors will be reflected in Java, but JSS definitely won't be able to do TLS.Wan-Teh- Hide quoted text - - Show quoted text -Thanks Wan for the reply. I was also certain that JSS will not able to do TLS but it would be helpful if a distinct exception/error is thrown incase of continuous tests fail. It seems we need to flag/log these messages.
but this Exception is not guaranteed for all methods.
you're welcome to tweak that NSS code but understand that would break NSS 3.11.4 FIPS compliance. meaning if you want to tweak the NSS code, you would have to submit a patch, have patch pass review, andIf any one can point me what kind of errors will be thrown, that would be great.Otherwise I may have to tweak the nss code.
then have the release with that included patch pass a FIPS validation.if you want the JSS Exception consistent you would be tweaking the JSS code (not NSS), and providing patch for JSS.
But right now I don't see the point. The JSS layer is FIPS compliant because it requests the NSS cryptographic module to perform any and all cryptographic operations. If the RNG continuous test fail the NSS cryptographic module enters an error state and is not usable. A java application configured to be FIPS compliant using JSS/NSS would be unusable for cryptographic operations until re-initialized. If the user configured NSS to audit data the user would view the configured log files.
see Access to Audit Data in the NSS security policy: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf -glen
Thanks, Sreedhar
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto