Dean wrote, On 2008-07-28 13:50:
> If an application wants to claim FIPS compliance does it have to be
> implemented following all the guidelines set out in the FIPS certified
> applications Security Policy document?
> 
> Specifically I suppose I'm trying to confirm that JSS is a FIPS
> compliant library and, if a Java application can be considered FIPS
> compliant if all its crypto is via JSS.  I know the JSS FAQ does say
> it is a FIPS compliant application when used with the FIPS certified
> NSS libraries in FIPS mode.
> 
> However, I was browsing the Security Policy file for NSS and it seems
> to be saying that a user running in FIPS compliant mode should only
> call FC_* functions and that, in fact, these functions should be
> called by function pointers returned by an FC lookup function.
> 
> Looking at the exports from the jss.dll it seems that FC functions are
> not being called and functions from nss and nspr are being called
> directly.  Do libraries get special consideration?
> 
> My knowledge of FIPS is extremely limited so I'm sure I'm
> misunderstanding something fundamental.

Dean, I expect that Glen and/or Wan-Teh will give you a much more complete
answer than this, but this should get you started.

For an application to claim FIPS compliance with JSS+NSS, it must use
JSS+NSS in full accordance with the Security Policy file's instructions.
(Note that this is true of all FIPS certified modules from all vendors.
Every such module has a Security policy and must be used in accordance
with that module's Security policy to claim FIPS compliance.)

It's not enough to merely be using JSS+NSS.  One of the aspects of using NSS
in a FIPS compliant way is that NSS's PKCS#11 module must be configured
to operate in "FIPS mode".  NSS's PKCS#11 module has two tables of
function pointers, one table for FIPS mode and one table for non-FIPS
mode.  It's important that you use the pointers from the FIPS mode table.

Note that neither of these tables of functions is exported directly from
NSS's PKCS#11 module.  Instead, there is a function that is called that
returns the address of the table.  That function is exported.  IIRC,
that function is exported with several different names, which include
    C_GetFunctionList
  NSC_GetFunctionList
   FC_GetFunctionList  (returns the FIPS mode list)
(see
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/softokn.def#51
)

As a JSS user, that's all basically internal to NSS+JSS.  You just need to
be sure that the NSS PKCS#11 module being used by JSS is in FIPS mode.
There are several ways to do that.  One way is with NSS's modutil command.
JSS also provides an interface for putting NSS into that mode, but I'm not
familiar with the details of that interface.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
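
The lookup described in the reply above, as an added example that is not part of the original message and not NSS's or JSS's own code: it loads the softoken library, resolves the exported FC_GetFunctionList and NSC_GetFunctionList by name, and reports whether they hand back different tables. The file name `libsoftokn3.so` and the cut-down type definitions are assumptions made for this example.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Minimal stand-ins for the PKCS #11 types (assumption: real code includes
 * the PKCS #11 headers). CK_FUNCTION_LIST starts with its CK_VERSION. */
typedef unsigned long CK_RV;                      /* 0 is CKR_OK */
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST_HEAD;
typedef CK_RV (*get_list_fn)(CK_FUNCTION_LIST_HEAD **);

/* Call the exported lookup function `symbol` and return the table it hands
 * back, or NULL if the symbol is missing or the call fails. */
static CK_FUNCTION_LIST_HEAD *get_table(void *lib, const char *symbol)
{
    CK_FUNCTION_LIST_HEAD *table = NULL;
    get_list_fn fn;

    *(void **)(&fn) = dlsym(lib, symbol);         /* POSIX idiom for function pointers */
    if (fn == NULL || fn(&table) != 0)
        return NULL;
    return table;
}

/* Returns 1 if the FIPS and non-FIPS lookups return different tables,
 * 0 if they return the same one, -1 if the module could not be examined. */
int compare_tables(const char *path)
{
    void *lib = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    CK_FUNCTION_LIST_HEAD *fips, *plain;
    int result = -1;

    if (lib == NULL)
        return -1;
    fips = get_table(lib, "FC_GetFunctionList");
    plain = get_table(lib, "NSC_GetFunctionList");
    if (fips != NULL && plain != NULL) {
        printf("FIPS table %p (Cryptoki %u.%u), non-FIPS table %p\n", (void *)fips,
               fips->version.major, fips->version.minor, (void *)plain);
        result = (fips != plain);
    }
    dlclose(lib);
    return result;
}

int main(int argc, char **argv)
{
    /* Assumed default file name; pass the real path as the first argument. */
    int r = compare_tables(argc > 1 ? argv[1] : "libsoftokn3.so");
    printf("%s\n", r == 1 ? "distinct tables" : r == 0 ? "same table" : "could not load module");
    return r == 1 ? 0 : 1;
}
```

On systems where dlopen lives in libdl, link with `-ldl`.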
