On Oct 30, 12:40 pm, "morris.d...@gmail.com" <morris.d...@gmail.com> wrote:
> On Oct 29, 11:30 pm, Glen Beasley <glen.beas...@sun.com> wrote:
> > morris.d...@gmail.com wrote:
> > > Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities
> > > yields the following exception:
> > >
> > > java.security.ProviderException: Could not initialize NSS
> > >         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
> > >         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
> > >         at test.TripleDESTest.main(TripleDESTest.java:112)
> > > Caused by: java.io.IOException: The specified version of NSS is
> > > incompatible, 3.7 or later required
> > >         at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
> > >         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
> > >         ... 2 more
> > >
> > > The version I am using is greater than 3.7, despite what the exception
> > > says. I am looking to use the FIPS 140-2 certified symmetric key
> > > algorithms in this library.
> > >
> > > I am using the following configuration:
> > >
> > > name = NSScrypto
> > > attributes = compatibility
> > > nssLibraryDirectory = ./lib
> > > nssDbMode = noDb
> > > nssModule = fips
> >
> > The NSS dbs must exist if your goal is to be FIPS compliant and you're
> > setting "nssModule = fips".
> > The "nssDbMode = noDb" mode allows NSS to be used without database files,
> > purely as a cryptographic provider.
> >
> > Make the following changes:
> >
> > name = NSScrypto
> > attributes = compatibility
> > nssLibraryDirectory = <----- full path to NSS and NSPR libraries
> > nssSecmodDirectory = <----- full path to location of the NSS databases
> > nssDbMode = readWrite
> > nssModule = fips
> >
> > To create a set of databases in the current directory:
> >
> > certutil -N -d .
> >
> > Review the NSS 3.11.4 security policy
> > <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf>,
> > "Strength of Authentication Mechanism", for password requirements.
> >
> > To enable FIPS mode:
> >
> > modutil -fips true -dbdir .
> >
> > > I am adding the cryptography provider dynamically with the following
> > > code:
> > >
> > > String configName = "nss.cfg";
> > > Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11
> > > (configName); // exception occurs on this line
> > > Security.addProvider(cryptoProvider);
> > >
> > > Has anyone else run into this issue or have any insight into the
> > > problem?
> > >
> > > If this doesn't work out I will look into direct utilization of JSS.
> >
> > Java 1.5 claimed no FIPS compliance, and Java 1.6 or higher needs to be
> > used for the SunPKCS11-NSS bridge. JSS can use Java 1.4 or higher to be
> > FIPS compliant.
> >
> > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.p...createpkcs11_cfg
> >
> > -glen
> >
> > > Thanks!
>
> Thank you for the prompt response Glen!
>
> I tried your proposed actions. I am still having issues, but now I
> have more information. Indeed, the next issue I would have run into
> after fixing this version incompatibility issue would have been
> related to the secmod database. The problem may be more deep-rooted
> in NSS compatibility than I originally thought (in such a way that
> utilizing JSS directly probably wouldn't work either).
>
> I ran into issues creating the secmod database:
>
> * Steps taken on the first Windows XP Professional Version 2002 SP2
>   box:
>   1) "certutil -N -d ." ran fine, created the three database files with
>      a strong password
>   2) "modutil -fips true -dbdir ." failed, with error:
>      "An I/O error occurred during security authorization.
>      ERROR: Unable to switch FIPS modes."
>
> * Executed the same commands and same configuration on a Windows Vista
>   box with success (output: "FIPS mode enabled.", and modutil -list
>   shows the appropriate FIPS module).
>
> * Executed the same commands and same configuration on a second
>   Windows XP Professional Version 2002 SP2 box with success.
>
> That was odd, but nevertheless, I now have a secmod database that I
> can work with.
>
> Next, I copied the database files/directory into my Eclipse Java
> project and modified the NSS configuration file appropriately:
>
> name = NSScrypto
> attributes = compatibility
> nssLibraryDirectory = ./lib
> nssSecmodDirectory = ./nss_db
> nssDbMode = readWrite
> nssModule = fips
>
> This project is hosted on shared storage between both the Windows XP
> boxes. Running the test application (see previous message) on the
> original machine still produces the original exception:
>
> java.security.ProviderException: Could not initialize NSS
>         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
>         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
>         at test.TripleDESTest.main(TripleDESTest.java:112)
> Caused by: java.io.IOException: The specified version of NSS is
> incompatible, 3.7 or later required
>         at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
>         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
>         ... 2 more
>
> Running the test application (the exact same Eclipse Java project, the
> same libraries, the same configuration) with the same JVM, jdk/jre
> 1.6.0_13, on the second Windows XP machine (where "modutil -fips true"
> succeeded) was successful (e.g., the crypto provider object was
> returned).
>
> Any further insight into this issue would be appreciated!
>
> Best regards,
>
> Drew Morris
> Technical Lead, Software Developer
> CDM Technologies, Inc. (http://www.cdmtech.com)
My Google searches happened to bring this highly-related gem to the
surface today (odd that they didn't yesterday):

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498

Looks like it is a real issue. Any ideas?

Thanks!

Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
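The procedure Glen describes above (NSS databases created with "certutil -N -d", FIPS mode switched on with "modutil -fips true -dbdir", a SunPKCS11 config with absolute nssLibraryDirectory/nssSecmodDirectory paths and nssDbMode = readWrite, then the provider loaded from Java) is collected below into one runnable check. This is an added example, not code from the thread, from Sun/Oracle or from Mozilla. It assumes: the Java 6 to 8 constructor new sun.security.pkcs11.SunPKCS11(String) that Drew uses (Java 9 and later configure the provider with Security.getProvider("SunPKCS11").configure(path) instead); that the third argument is the database password chosen at certutil -N time, which the FIPS softoken demands at login before any key operation; and that forward slashes in the generated config are accepted by NSS on Windows, which avoids backslash escape handling in the config parser. The class name NssFipsCheck, the config written to a temp file, and the "FIPS self-test" message are all hypothetical.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.security.AuthProvider;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Loads NSS in FIPS mode through SunPKCS11 and runs a 3DES round trip on it.
 * Usage: java NssFipsCheck <nss-lib-dir> <nss-db-dir> <db-password>
 * Assumes <nss-db-dir> was created with "certutil -N -d <nss-db-dir>" and
 * switched with "modutil -fips true -dbdir <nss-db-dir>" (hypothetical paths).
 * Written for Java 6, the JDK used in the thread; no try-with-resources.
 */
public class NssFipsCheck {

    /** Writes a SunPKCS11 config with absolute paths, as the reply above advises. */
    static File writeConfig(File libDir, File dbDir) throws IOException {
        File cfg = File.createTempFile("nss-fips", ".cfg");
        // Assumption: forward slashes are accepted by NSS on Windows and avoid
        // backslash escape handling in the SunPKCS11 config parser.
        String lib = libDir.getAbsolutePath().replace('\\', '/');
        String db = dbDir.getAbsolutePath().replace('\\', '/');
        Writer w = new OutputStreamWriter(new FileOutputStream(cfg), "UTF-8");
        try {
            w.write("name = NSScrypto\n");
            w.write("attributes = compatibility\n");
            w.write("nssLibraryDirectory = " + lib + "\n");
            w.write("nssSecmodDirectory = " + db + "\n");
            w.write("nssDbMode = readWrite\n");
            w.write("nssModule = fips\n");
        } finally {
            w.close();
        }
        return cfg;
    }

    /** Instantiates the provider; on failure prints the whole cause chain. */
    static Provider loadProvider(File cfg) {
        try {
            return new sun.security.pkcs11.SunPKCS11(cfg.getPath());   // Java 6 to 8 constructor
        } catch (ProviderException e) {
            // The IOException from Secmod.initialize (e.g. the "3.7 or later
            // required" message in the thread) is the cause, not the top exception.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.err.println("  " + t);
            }
            throw e;
        }
    }

    /** Logs in to the FIPS token: the softoken requires the DB password before key use. */
    static void login(Provider p, final char[] password) throws Exception {
        ((AuthProvider) p).login(null, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        });
    }

    /** Generates a 3DES key inside the token and round-trips a message through it. */
    static boolean tripleDesRoundTrip(Provider p) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede", p);
        SecretKey key = kg.generateKey();
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding", p);
        byte[] iv = new byte[8];   // fixed IV only for this self-test; use a random IV for real data
        byte[] msg = "FIPS self-test".getBytes("UTF-8");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(msg);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] pt = c.doFinal(ct);
        System.out.println("Cipher served by " + c.getProvider().getName());
        return Arrays.equals(msg, pt);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: NssFipsCheck <nss-lib-dir> <nss-db-dir> <db-password>");
            System.exit(2);
        }
        File cfg = writeConfig(new File(args[0]), new File(args[1]));
        Provider p = loadProvider(cfg);
        Security.addProvider(p);
        System.out.println("Loaded " + p.getName() + ": " + p.getInfo());
        login(p, args[2].toCharArray());
        System.out.println("3DES round trip ok: " + tripleDesRoundTrip(p));
    }
}
```

The cipher's provider name printed by tripleDesRoundTrip should be SunPKCS11-NSScrypto (SunPKCS11 prefixes the config's name attribute); if it is not, the request was served by a software provider and no FIPS claim holds. Passing the database password on the command line is acceptable for a one-off check only, since it is visible to other local users through the process list.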