morris.d...@gmail.com wrote:
> I ran into issues creating the secmod database:

Before moving on to the Java/SunPKCS11-NSSFIPS issue, you should first get your configuration correct so that running the modutil command will work correctly. Copying the databases from a working system to a system that is unable to correctly run "modutil -fips true -dbdir ." makes no sense.

In an attempt to recreate your problem, I wrote a test program and some rough notes that should hopefully help. The program/notes are rough as I don't have much time to spend on this issue.

I had a clean Windows 7 box so I:
downloaded NSPR 4.6.4
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WINNT5.0_OPT.OBJ/
downloaded NSS 3.11.4
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/
installed java version "1.6.0_16":
2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin directory
3) created the NSS db's and configured for FIPS mode:
certutil -N -d .
modutil -fips true -dbdir .
4) created the following nss.cfg file:
name = NSSFIPS
nssLibraryDirectory = ./lib
nssSecmodDirectory = .
nssDbMode = readWrite
nssModule = fips
5) created the attached test program sunpkcs11nss.java
6) javac sunpkcs11nss.java
7) java sunpkcs11nss nss.cfg <password>
Initializing sunpkcs11-NSS nss.cfg
Initialized sunpkcs11-NSS
Provider 0: SunPKCS11-NSSFIPS
Provider 1: SUN
Provider 2: SunRsaSign
Provider 3: SunJSSE
Provider 4: SunJCE
Provider 5: SunJGSS
Provider 6: SunSASL
Provider 7: XMLDSig
Provider 8: SunPCSC
Provider 9: SunMSCAPI
Key generation done by SunPKCS11-NSSFIPS version 1.6
encrypt op done by SunPKCS11-NSSFIPS version 1.6
decrypt op done by SunPKCS11-NSSFIPS version 1.6
recovered bytes equal the original plaintext
Hopefully the above will help you solve your issue, or at least aid in creating a bug with a provided testcase.
-glen
import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import java.security.KeyStore;

//glen.beas...@sun.com
//This is a sample test program
//the nss.cfg file
//name = NSSFIPS
//nssLibraryDirectory = ./lib
//nssSecmodDirectory = .
//nssDbMode = readWrite
//nssModule = fips
//
//http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
public class sunpkcs11nss {
    public static void main(String args[]) {
        try {
            // pass in nss.cfg file and "password" for the NSS databases
            String nssConfig = args[0];
            System.out.println("Initializing sunpkcs11-NSS " + nssConfig);
            Provider pkcs11NSS = new sun.security.pkcs11.SunPKCS11(nssConfig);
            // make the NSS FIPS provider the most preferred one
            Security.insertProviderAt(pkcs11NSS, 1);
            System.out.println("Initialized sunpkcs11-NSS");

            Provider[] providers = Security.getProviders();
            for (int i = 0; i < providers.length; i++) {
                System.out.println("Provider " + i + ": " + providers[i].getName());
            }

            // Login
            KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS);
            // this is test code, please mask the password
            ks.load(null, args[1].toCharArray());

            // generate a 128-bit AES key on the token
            javax.crypto.SecretKey skey = null;
            javax.crypto.KeyGenerator kg = null;
            kg = KeyGenerator.getInstance("AES", pkcs11NSS);
            kg.init(128);
            skey = kg.generateKey();
            System.out.println("Key generation done by " + kg.getProvider().toString());

            String algFamily = "AES";
            String algType = "AES/CBC/PKCS5Padding";
            byte[] plaintext = "testing NSS in FIPS MODE".getBytes();

            // encrypt
            Cipher cipher = Cipher.getInstance(algType, pkcs11NSS);
            AlgorithmParameters ap = null;
            byte[] encodedAlgParams = null;
            cipher.init(Cipher.ENCRYPT_MODE, skey);
            //generate the algorithm Parameters; they need to be
            //the same for encrypt/decrypt if they are needed.
            ap = cipher.getParameters();
            if (ap != null) {
                //get parameters to store away as example.
                encodedAlgParams = ap.getEncoded();
            }
            byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
            int cLen = cipher.update(plaintext, 0, plaintext.length, ciphertext, 0);
            cLen += cipher.doFinal(ciphertext, cLen);
            System.out.println("encrypt op done by " + cipher.getProvider().toString());

            //decrypt
            cipher = Cipher.getInstance(algType, pkcs11NSS);
            if (encodedAlgParams == null) {
                cipher.init(Cipher.DECRYPT_MODE, skey);
            } else {
                //retrieve the algorithmParameters from the encoded array
                AlgorithmParameters aps = AlgorithmParameters.getInstance(algFamily);
                aps.init(encodedAlgParams);
                cipher.init(Cipher.DECRYPT_MODE, skey, aps);
            }
            System.out.println("decrypt op done by " + cipher.getProvider().toString());
            // sized to the ciphertext length; only the first rLen bytes are plaintext
            byte[] recovered = new byte[cLen];
            int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0);
            rLen += cipher.doFinal(recovered, rLen);

            //ensure the recovered bytes equal the original plaintext
            //(same length and same content)
            boolean isEqual = (rLen == plaintext.length);
            for (int i = 0; isEqual && i < plaintext.length; i++) {
                if (plaintext[i] != recovered[i]) {
                    isEqual = false;
                    break;
                }
            }
            if (isEqual) System.out.println("recovered bytes equal " +
                    "the original plaintext\n");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
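
Added example, not part of the original post or of the NSS/Java projects: a variant of the test program above that prompts for the NSS database password instead of taking it from the command line (the "please mask the password" comment), and fails closed if default AES lookups do not resolve to the SunPKCS11-NSSFIPS provider. The class name FipsProviderCheck and the helper requireFips are hypothetical; the nss.cfg is assumed to be the one shown in step 4.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

// Added example (hypothetical class name). Usage: java FipsProviderCheck nss.cfg
public class FipsProviderCheck {
    // Provider name that "name = NSSFIPS" in nss.cfg produces (see the output above).
    static final String EXPECTED = "SunPKCS11-NSSFIPS";

    public static void main(String[] args) throws Exception {
        // Same constructor the test program in the post uses.
        Provider p = new sun.security.pkcs11.SunPKCS11(args[0]);
        requireFips("configured provider", p);
        Security.insertProviderAt(p, 1);

        // Prompt without echo so the password never appears in argv or shell history.
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console; refusing to read the password");
        }
        char[] pin = console.readPassword("NSS database password: ");
        if (pin == null) {
            throw new IllegalStateException("no password entered");
        }
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin); // logs in to the FIPS token
        } finally {
            Arrays.fill(pin, '\0'); // wipe the password from memory after login
        }

        // No provider argument: these checks catch application code that relies on
        // the default provider order and would otherwise silently use SunJCE.
        requireFips("Cipher AES/CBC/PKCS5Padding",
                Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider());
        requireFips("KeyGenerator AES", KeyGenerator.getInstance("AES").getProvider());
        System.out.println("default AES lookups resolve to " + EXPECTED);
    }

    // Abort instead of continuing with a non-FIPS provider.
    static void requireFips(String what, Provider actual) {
        if (!EXPECTED.equals(actual.getName())) {
            throw new IllegalStateException(what + " resolved to " + actual.getName());
        }
    }
}
```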