Thanks Glen for the information.

On Apr 24, 5:57 pm, Glen Beasley <glen.beas...@sun.com> wrote:
> ksreedha...@gmail.com wrote:
> > On Apr 24, 10:03 am, Wan-Teh Chang <w...@google.com> wrote:
>
> >> On Thu, Apr 23, 2009 at 1:51 PM,  <ksreedha...@gmail.com> wrote:
>
> >>> Hello,
>
> >>> I am using Mozilla JSS provider from Java.
>
> >>> JSS 4.2.5
> >>> NSS 3.11.4
> >>> NSPR 4.6.4
>
> >>> When the FIPS RNG continuous tests fail, what is the behavior in NSS/
> >>> JSS? What does it return? Do we get a Java exception to the calling
> >>> function?
>
> >>> For example, when Java code tries to establish a TLS Socket session,
> >>> and these continuous tests fail during random number generation, do we
> >>> get an exception to the socket creation code?
>
> >> I guess so.  In FIPS mode, once the continuous RNG test fails, the
> >> NSS software crypto module ("softoken") enters an error state, and
> >> all subsequent crypto operations will fail.  I don't know how these
> >> NSS errors will be reflected in Java, but JSS definitely won't be able
> >> to do TLS.
>
> >> Wan-Teh
>
> > Thanks Wan for the reply.
>
> > I was also certain that JSS will not be able to do TLS but it would be
> > helpful if a distinct exception/error is thrown in case the continuous
> > tests fail. It seems we need to flag/log these messages.
>
> Understand that it is very unlikely that the NSS 3.11.4 FIPS RNG would
> fail, but if the RNG continuous test failed, NSS would consider that a
> critical error, and would go into error state, setting
> SEC_ERROR_LIBRARY_FAILURE, and would allow no further cryptographic
> operation until NSS was re-initialized. All JSS methods requesting the
> NSS module to perform an operation would result in an exception, most
> likely with org.mozilla.jss.crypto.TokenRuntimeException, but this
> exception is not guaranteed for all methods.
>
> > If any one can point me what kind of errors will be thrown, that would
> > be great.
>
> > Otherwise I may have to tweak the nss code.
>
> You're welcome to tweak that NSS code, but understand that would break
> NSS 3.11.4 FIPS compliance, meaning that if you want to tweak the NSS
> code, you would have to submit a patch, have the patch pass review, and
> then have the release with that included patch pass a FIPS validation.
>
> If you want the JSS exception to be consistent, you would be tweaking the
> JSS code (not NSS), and providing a patch for JSS.
>
> But right now I don't see the point. The JSS layer is FIPS compliant
> because it requests the NSS cryptographic module to perform any and all
> cryptographic operations. If the RNG continuous test fails, the NSS
> cryptographic module enters an error state and is not usable. A Java
> application configured to be FIPS compliant using JSS/NSS would be
> unusable for cryptographic operations until re-initialized. If the user
> configured NSS to audit data, the user would view the configured log files.
>
> See Access to Audit Data in the NSS security policy:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
>
> -glen
>
>
>
> > Thanks,
> > Sreedhar
>
>
>

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
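
The behaviour described in this thread (a failed continuous RNG test latching the module into an error state until re-initialization), as a small C model added here as an example; it is not NSS or JSS code. The block size, the names `rng_module`, `MODEL_ERR_LIBRARY_FAILURE` and `module_operation`, and the constructed sticking source `demo_source` are assumptions; the rule of comparing each block with the previous one is the FIPS 140-2 continuous test.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 8                       /* assumed block size for the model */
enum { MODEL_OK = 0, MODEL_ERR_LIBRARY_FAILURE = -1 };  /* hypothetical codes */

typedef struct {
    uint8_t prev[BLOCK_LEN];   /* last block seen, kept for comparison */
    int primed;                /* first block already stored? */
    int failed;                /* latched error state */
} rng_module;

/* Constructed entropy source: a counter that can be forced to stick. */
static uint8_t ctr;
static int stuck;
static void demo_source(uint8_t *out) {
    if (!stuck) ctr++;
    memset(out, ctr, BLOCK_LEN);
}

void rng_init(rng_module *m) { memset(m, 0, sizeof *m); }

int rng_generate(rng_module *m, uint8_t out[BLOCK_LEN]) {
    uint8_t blk[BLOCK_LEN];
    if (m->failed) return MODEL_ERR_LIBRARY_FAILURE;
    /* The first block is never output, only stored for the comparison. */
    if (!m->primed) { demo_source(m->prev); m->primed = 1; }
    demo_source(blk);
    if (memcmp(blk, m->prev, BLOCK_LEN) == 0) {   /* continuous test fails */
        m->failed = 1;
        return MODEL_ERR_LIBRARY_FAILURE;
    }
    memcpy(m->prev, blk, BLOCK_LEN);
    memcpy(out, blk, BLOCK_LEN);
    return MODEL_OK;
}

/* Every other operation checks the same latch before doing any work. */
int module_operation(const rng_module *m) {
    return m->failed ? MODEL_ERR_LIBRARY_FAILURE : MODEL_OK;
}

int main(void) {
    rng_module m; uint8_t buf[BLOCK_LEN];
    rng_init(&m);
    printf("healthy: %d\n", rng_generate(&m, buf));
    stuck = 1; printf("stuck source: %d\n", rng_generate(&m, buf));
    stuck = 0; printf("no re-init: %d\n", module_operation(&m));
    rng_init(&m); printf("re-init: %d\n", rng_generate(&m, buf));
}
```

The source recovering on its own does not clear the latch; only `rng_init` does, which is why a caller that wants a distinct signal has to log the first failure rather than rely on later calls.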
