[xmlsec] signature verification failures using NSS with FIPS
Aleksey Sanin
aleksey at aleksey.com
Sat Jan 2 19:18:31 PST 2016
Roumen,
I think that the application can call PK11_SetPasswordFunc() directly
if needed.
Best,
Aleksey
On 1/2/16 9:34 AM, Roumen Petrov wrote:
> Hello,
>
> I would like to continue discussion.
> Aleksey please find my comments below.
>
> Lara Blatchford wrote:
>> We are using mod_nss 1.0.8, this appears to indicate that the bug
>> being described
>> was addressed in mod_nss 1.0.3
>>
>> Thanks,
>> Lara
>>
>> -----Original Message-----
>> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
>> Sent: Thursday, June 25, 2015 12:55 PM
>> To: Lara Blatchford; xmlsec at aleksey.com
>> Subject: Re: [xmlsec] signature verification failures using NSS with FIPS
>>
>>
>> https://www.google.com/search?q=nss+certificate+verification+fails+fips+mode&ie=UTF-8#q=nss+certificate++failed+fips+
>>
>>
>> The first link.
> I don't think that results from internet queries could help.
>
> The main issue is that the NSS module is in FIPS mode.
> I'm not sure that pages like
> "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation"
> could explain the difference.
> It seems to me that when the module is in FIPS mode the user should
> authenticate to it on each operation. In particular, the verify operation
> also requires the user to enter a password.
>
>
> xmlsec should use PK11_SetPasswordFunc to register a password callback.
>
> It seems to me the NSS test database is not protected by a "master" password
> and so test operations pass in non-FIPS mode.
>
>
>
>> Aleksey
>>
> [SNIP]
>
> Regards
> Roumen Petrov
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec