David Stutzman wrote:
> Bob Relyea wrote:
>> David Stutzman wrote:
>>>>
>>>> In FIPS mode, the NSS cryptographic module imposes the following
>>>> requirements on the password.
>>>>
>>>> * The password must be at least seven characters long.
>>>> * The password must consist of characters from three or more
>>>> character classes. We define five character classes: digits (0-9),
>>>> ASCII lowercase letters, ASCII uppercase letters, ASCII
>>>> non-alphanumeric characters (such as space and punctuation marks),
>>>> and non-ASCII characters. If an ASCII uppercase letter is the first
>>>> character of the password, the uppercase letter is not counted
>>>> toward its character class. Similarly, if a digit is the last
>>>> character of the password, the digit is not counted toward its
>>>> character class.
>>>
>>> Hrm...NSS 3.11.2 is *definitely* not enforcing this. Today I went
>>> through our code and changed the password from "test" (which was
>>> working just fine) to "password" (which is now working just fine) on
>>> all of our databases. I'll wait for Wan-Teh to chime in before I go
>>> changing to the even stricter version. Maybe this is something that
>>> will only happen once 3.11.5 (the wiki says that's the version
>>> reserved for FIPS approval) is out.
>>
>> Are you making the change through the FIPS interface? I believe the
>> check is only made when the password is being set or changed, not in
>> normal use.
>>
>> bob
>
> I'm doing it like this:
> modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir .
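For reference, here is the password rule quoted above (Glen's five-class description) re-implemented as a standalone Python check. This is an added illustration written for this thread, not NSS's own softoken code; the function names and the sample passwords at the bottom are my own choices, and the class boundaries follow the quoted text literally (any ASCII character that is not a letter or digit counts as "ASCII non-alphanumeric", anything with a code point of 128 or above counts as "non-ASCII").

```python
import string

MIN_LENGTH = 7     # "at least seven characters long"
MIN_CLASSES = 3    # "characters from three or more character classes"


def char_class(ch):
    """Map one character to one of the five classes named in the policy."""
    if ch in string.digits:
        return "digit"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ord(ch) < 128:
        return "ascii_other"   # space, punctuation, other ASCII non-alphanumerics
    return "non_ascii"


def counted_classes(password):
    """Return the set of classes that count toward the policy.

    A leading ASCII uppercase letter and a trailing digit are ignored,
    exactly as the quoted rule says, so 'Password1' still counts as a
    single-class (lowercase) password.
    """
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        cls = char_class(ch)
        if i == 0 and cls == "upper":
            continue
        if i == last and cls == "digit":
            continue
        classes.add(cls)
    return classes


def check_fips_password(password):
    """Return (ok, reason) for the password under the quoted FIPS-mode rule."""
    if len(password) < MIN_LENGTH:
        return False, "too short: %d < %d" % (len(password), MIN_LENGTH)
    classes = counted_classes(password)
    if len(classes) < MIN_CLASSES:
        return False, "only %d character class(es): %s" % (
            len(classes), sorted(classes))
    return True, "ok: %d classes %s" % (len(classes), sorted(classes))


if __name__ == "__main__":
    # Constructed sample passwords; "test" and "password" are the two from the thread.
    for pw in ["test", "password", "Password1", "Sample!2", "Passw0rd!", "p\u00e4ssw0rd"]:
        ok, reason = check_fips_password(pw)
        print("%-12r %s  %s" % (pw, "PASS" if ok else "FAIL", reason))
```

Running it shows why the thread's "password" is rejected (one class, lowercase only) and why the leading-uppercase / trailing-digit exceptions matter: "Password1" and "Sample!2" both fail even though a naive count would give them three classes.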
David,

I tried to reproduce your results and could not. I was using NSS 3.11.3, and I don't know if that version difference explains it.

I initialized a softoken with the password test, then put it into FIPS mode. Then I tried to change the password from test to password, using the same command as you used above. I got an error every time.

ERROR: Unable to change password on token "NSS FIPS 140-2 Certificate DB".

Tracing it, I found the error was because password contains characters of only one class (referring to Glen's explanation above).

I tried the above command when the module was not in FIPS mode, and the above command also failed.

ERROR: Token "NSS FIPS 140-2 Certificate DB" not found.

Guess I should go back to NSS 3.11.2 and try that.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto