On Jul 28, 6:47 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: > Dean wrote, On 2008-07-28 13:50: > > > > > If an application wants to claim FIPS compliance does it have to be > > implemented following all the guidelines set out in the FIPS certified > > applications Security Policy document? > > > Specifically I suppose I'm trying to confirm that JSS is a FIPS > > compliant library and, if a Java application can be considered FIPS > > compliant if all its crypto is via JSS. I know the JSS FAQ does say > > it is a FIPS complian application when used with the FIPS certified > > NSS libraries in FIPS mode. > > > However, I was browsing the Security Policy file for NSS and it seems > > to be saying that a user running in FIPS compliant mode should only > > call FC_* functions and that, in fact, these functions should be > > called by function pointers returned by an FC lookup function. > > > Looking at the exports from the jss.dll it seems that FC functions are > > not being called and functions from nss and nspr are being called > > directly. Do libraries get special consideration? > > > My knowledge of FIPS is extremely limited so I'm sure I'm > > misunderstanding something fundimental. > > Dean, I expect that Glen and/or Wan-Teh will give you a much more complete > answer than this, but this should get you started. > > For an application to claim FIPS compliance with JAA+NSS, it must use > JSS+NSS in full accordance with the Security Policy file's instructions. > (Note that this is true of all FIPS certified modules from all vendors. > Every such module has a Security policy and must be used in accordance > with that module's Security policy to claim FIPS compliance.) > > It's not enough to merely be using JSS+NSS. One of the aspects of using NSS > in a FIPS compliant way is that NSS's PKCS#11 module must be configured > to operate in "FIPS mode". NSS's PKCS#11 module has two tables of > functions pointers, one table for FIPS mode and one table for non-FIPS > mode. It's important that you use the pointers from the FIPS mode table. > > Note that neither of these tables of functions is exported directly from > NSS's PKCS#11 module. Instead, there is a function that is called that > returns the address of the table. That function is exported. IIRC, > that function is exported with several different names, which include > C_GetFunctionList > NSC_GetFunctionList > FC_GetFunctionList (returns the FIPS mode list) > (seehttp://mxr.mozilla.org/security/source/security/nss/lib/softoken/soft... > ) > > As a JSS user, that's all basically internal to NSS+JSS. You just need to > be sure that the NSS PKCS#11 module being used by JSS is in FIPS mode. > There are several ways to do that. One way is with NSS's modutil command. > JSS also provides an interface for putting NSS into that mode, but I'm not > familiar with the details of that interface.
Thanks for the information Nelson. What you said is pretty much what I understood... So nice to know I'm slowly learning :-) So the question I have is really that the JSS source code does not appear to actually call any FC_ functions. If that really is the case then is JSS really a FIPS compliant implementation? Or, more likely, the JSS code really is calling FC_ functions with some pointer indirection magic that I don't understand. Am I correct is assuming that in order for JSS to claim FIPs compliance they must adhere to the Security Policy file for NSS .... or is it sufficient that an application developer (me) use NSS + JSS together and that only I need to follow the Security Policy file .... which does not really make much sense since JSS does not expose the FC_ functions.... nor should they in the context of a JCE provider implementation. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
