On Tue, Jul 29, 2008 at 5:59 AM, Dean <[EMAIL PROTECTED]> wrote:
>
> So the question I have is really that the JSS source code does not
> appear to actually call any FC_ functions.  If that really is the case
> then is JSS really a FIPS compliant implementation?  Or, more likely,
> the JSS code really is calling FC_ functions with some pointer
> indirection magic that I don't understand.

Hi Dean,

JSS calls NSS (C functions) through the Java Native Interface (JNI).

NSS treats its own software crypto module (softoken) as a
PKCS #11 module.  NSS calls the functions of a PKCS #11
module through function pointers.  Here is an example:
http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11skey.c#1233

1233     crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
1234                                        outKey->data, &len);

PK11_GETTAB(slot)->C_Encrypt is a function pointer pointing
to the C_Encrypt function of 'slot'.

Finally, let's see how NSS gets the table of function pointers
for its own softoken in FIPS mode.  It looks up the FC_GetFunctionList
function by name and invokes the function:
http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11load.c#288

286     if (mod->isFIPS) {
287         entry = (CK_C_GetFunctionList)
288                     PR_FindSymbol(softokenLib, "FC_GetFunctionList");
289     } else {
290         entry = (CK_C_GetFunctionList)
291                     PR_FindSymbol(softokenLib, "NSC_GetFunctionList");
292     }

and
http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11load.c#363

360     /*
361      * We need to get the function list
362      */
363     if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK)
364                                                                 goto fail;

To recap, the call chain is like this:

JSS ==> NSS ==> the softoken

> Am I correct in assuming that in order for JSS to claim FIPS
> compliance they must adhere to the Security Policy file for NSS ....
> or is it sufficient that an application developer (me) use NSS + JSS
> together and that only I need to follow the Security Policy file ....
> which does not really make much sense since JSS does not expose the
> FC_ functions.... nor should they in the context of a JCE provider
> implementation.

When NSS uses the softoken in FIPS mode, it adheres to the
Security Policy for the NSS softoken.  So you just need to use
JSS and enable the FIPS mode using the code snippet that
David Stutzman provided, reproduced here:

CryptoManager.InitializationValues initializationValues =
    new CryptoManager.InitializationValues(dbdir);
initializationValues.fipsMode = FIPSMode.ENABLED;
CryptoManager.initialize(initializationValues);

Our FIPS validation applies to the NSS softoken only.  (This
allows us to change the rest of NSS without losing the
FIPS validation status.)  To not confuse the NIST reviewers,
we didn't mention the rest of NSS in the Security Policy.

Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
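
Added example, not part of the original message and not NSS code: a self-contained C sketch of the indirection described above, where the caller resolves FC_GetFunctionList or NSC_GetFunctionList by name and then reaches C_Encrypt only through the returned table. find_symbol, encrypt_via_module, the one-entry FunctionList and the login gate in the toy FC_Encrypt are assumptions standing in for PR_FindSymbol, the pk11wrap caller, CK_FUNCTION_LIST and the softoken's own FIPS-mode checks.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-ins for PKCS #11 types; not the real NSS headers. */
typedef unsigned long CK_RV;
#define CKR_OK 0x0UL
#define CKR_GENERAL_ERROR 0x5UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL
typedef struct {
    CK_RV (*C_Encrypt)(int loggedIn, const char *in, char *out, size_t n);
} FunctionList;
typedef CK_RV (*GetFunctionList)(FunctionList **list);
/* Core routine shared by both entry points (toy XOR, not real crypto). */
static CK_RV core_encrypt(const char *in, char *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (char)(in[i] ^ 0x5a);
    return CKR_OK;
}
static CK_RV NSC_Encrypt(int loggedIn, const char *in, char *out, size_t n) {
    (void)loggedIn;                      /* non-FIPS table: no gate in this toy */
    return core_encrypt(in, out, n);
}
/* Assumed policy gate: a stand-in for whatever the FIPS wrapper enforces. */
static CK_RV FC_Encrypt(int loggedIn, const char *in, char *out, size_t n) {
    if (!loggedIn) return CKR_USER_NOT_LOGGED_IN;
    return core_encrypt(in, out, n);
}
static FunctionList nscList = { NSC_Encrypt }, fcList = { FC_Encrypt };
static CK_RV NSC_GetFunctionList(FunctionList **l) { *l = &nscList; return CKR_OK; }
static CK_RV FC_GetFunctionList(FunctionList **l)  { *l = &fcList;  return CKR_OK; }
/* Hypothetical replacement for PR_FindSymbol: resolve an entry point by name. */
static GetFunctionList find_symbol(const char *name) {
    if (strcmp(name, "FC_GetFunctionList") == 0)  return FC_GetFunctionList;
    if (strcmp(name, "NSC_GetFunctionList") == 0) return NSC_GetFunctionList;
    return NULL;
}

/* Caller side: same shape as the pk11load.c logic; FC_Encrypt is never named. */
CK_RV encrypt_via_module(int isFIPS, int loggedIn, const char *in, char *out, size_t n) {
    FunctionList *table = NULL;
    GetFunctionList entry =
        find_symbol(isFIPS ? "FC_GetFunctionList" : "NSC_GetFunctionList");
    if (entry == NULL || (*entry)(&table) != CKR_OK) return CKR_GENERAL_ERROR;
    return table->C_Encrypt(loggedIn, in, out, n);   /* dispatch through the table */
}
int main(void) {
    char out[4];
    printf("FIPS, no login: 0x%lx\n", encrypt_via_module(1, 0, "abc", out, 3));
    printf("FIPS, login:    0x%lx\n", encrypt_via_module(1, 1, "abc", out, 3));
    return 0;
}
```

Searching the caller for "FC_" finds only the string passed to the symbol lookup, which is why a grep of JSS or of the pk11wrap callers shows no direct FC_ calls.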
