On Nov 2, 8:13 pm, Glen Beasley <glen.beas...@sun.com> wrote: > morris.d...@gmail.com wrote: > > >>>> I ran into issues creating the secmod database: > > before moving on to Java/SunPKCS11-NSSFIPS issue you should first get > your configuration correct > so that running the modutil command will work correctly. Copying the > databases from a working system to > a system that is unable to correctly run "modutil -fips true -dbdir ." > makes no sense. > > In an attempt to recreate your problem, I wrote a test program and some > rough notes that > should hopefully help. The program/notes are rough as I don't have much > time to spend on this issue. > > I had a clean window 7 box so I: > > downloaded NSPR > 4.6.4https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/... > downloaded NSS > 3.11.4https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1... > installed java version "1.6.0_16": > > 2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin > directory > > 3) created the NSS db's and configured for FIPS mode: > > certutil -N -d . > modutil -fips true -dbdir . > > 4) created the following nss.cfg file: > > name = NSSFIPS > nssLibraryDirectory = ./lib > nssSecmodDirectory = . > nssDbMode = readWrite > nssModule = fips > > 5) created the attached test program sunpkcs11nss.java > > 6) javac javac sunpkcs11nss.java > 7) java sunpkcs11nss nss.cfg <password> > Initializing sunpkcs11-NSS nss.cfg > Initialized sunpkcs11-NSS > Provider 0: SunPKCS11-NSSFIPS > Provider 1: SUN > Provider 2: SunRsaSign > Provider 3: SunJSSE > Provider 4: SunJCE > Provider 5: SunJGSS > Provider 6: SunSASL > Provider 7: XMLDSig > Provider 8: SunPCSC > Provider 9: SunMSCAPI > Key generation done by SunPKCS11-NSSFIPS version 1.6 > encrypt op done by SunPKCS11-NSSFIPS version 1.6 > decrypt op done by SunPKCS11-NSSFIPS version 1.6 > recovered bytes equal the original plaintext > > Hopefully the above will help you solve your issue, or at least aid in > creating a bug with a provided testcase. > > -glen > > [sunpkcs11nss.java4K ] > > import java.security.AlgorithmParameters; > import java.security.Provider; > import java.security.Security; > import javax.crypto.Cipher; > import javax.crypto.KeyGenerator; > import java.security.KeyStore; > > //glen.beas...@sun.com > //This is a sample test program > //the nss.cfg file > //name = NSSFIPS > //nssLibraryDirectory = ./lib > //nssSecmodDirectory = . > //nssDbMode = readWrite > //nssModule = fips > // > //http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.... > > public class sunpkcs11nss { > > public static void main(String args[]) { > try { > // pass in nss.cfg file and "password" for the NSS databases > String nssConfig = args[0]; > System.out.println("Initializing sunpkcs11-NSS " + nssConfig); > Provider pkcs11NSS = new sun.security.pkcs11.SunPKCS11(nssConfig); > Security.insertProviderAt(pkcs11NSS, 1); > System.out.println("Initialized sunpkcs11-NSS"); > > Provider[] providers = Security.getProviders(); > for (int i = 0; i < providers.length; i++) { > System.out.println("Provider " + i + ": " + > providers[i].getName()); > } > > // Login > KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS); > // this is test code, please mask the password > ks.load(null, args[1].toCharArray()); > > javax.crypto.SecretKey skey = null; > javax.crypto.KeyGenerator kg = null; > > kg = KeyGenerator.getInstance("AES", > pkcs11NSS); > kg.init(128); > skey = kg.generateKey(); > > System.out.println("Key generation done by " + > kg.getProvider().toString()); > > String algFamily = "AES"; > String algType = "AES/CBC/PKCS5Padding"; > > byte[] plaintext = "testing NSS in FIPS MODE".getBytes(); > Cipher cipher = Cipher.getInstance(algType, pkcs11NSS); > AlgorithmParameters ap = null; > byte[] encodedAlgParams = null; > > cipher.init(Cipher.ENCRYPT_MODE, skey); > //generate the algorithm Parameters; they need to be > //the same for encrypt/decrypt if they are needed. > ap = cipher.getParameters(); > if (ap != null) { > //get parameters to store away as example. > encodedAlgParams = ap.getEncoded(); > } > byte[] ciphertext = > new byte[cipher.getOutputSize(plaintext.length)]; > int cLen = cipher.update(plaintext, 0, plaintext.length, > ciphertext, 0); > cLen += cipher.doFinal(ciphertext, cLen); > > System.out.println("encrypt op done by " + > cipher.getProvider().toString()); > > //decrypt > cipher = Cipher.getInstance(algType, pkcs11NSS); > if (encodedAlgParams == null) { > cipher.init(Cipher.DECRYPT_MODE, skey); > } else { > //retrieve the algorithmParameters from the encoded array > AlgorithmParameters aps = > AlgorithmParameters.getInstance(algFamily); > aps.init(encodedAlgParams); > cipher.init(Cipher.DECRYPT_MODE, skey, aps); > } > System.out.println("decrypt op done by " + > cipher.getProvider().toString()); > > byte[] recovered = new byte[cLen]; > int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0); > rLen += cipher.doFinal(recovered, rLen); > > //ensure the recovered bytes equals the orginal plaintext > boolean isEqual = true; > for (int i = 0; i < plaintext.length; i++) { > if (plaintext[i] != recovered[i]) { > isEqual = false; > break; > } > } > if (isEqual) System.out.println("recovered bytes equal " + > "the original plaintext\n"); > > } catch (Exception ex) { > ex.printStackTrace(); > } > } > > } > >
Glen, Aha! I found the configuration issue that you were looking for. I have the smart card software ActiveClient CAC 6.1 installed on my Windows XP box. This software includes NSS and NSPR libraries and the modutil binary. Installation of the software adds the binaries to the PATH. I ended up using a process monitor to capture Win32 API messages and noticed Windows was pulling that location off the PATH. Anyway, uninstalling ActiveClient yields success: "C:\nss_db>modutil -fips true -dbdir . ... Using database directory .... FIPS mode enabled." I will now continue on with your suggestions and post again after testing is complete. Thank you for your time and assistance. Drew Morris Technical Lead, Software Developer CDM Technologies, Inc. (http://www.cdmtech.com) -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
