morris.d...@gmail.com wrote:
Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities
yields the following exception:

java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
        at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
        ... 2 more

The version I am using is greater than 3.7, despite what the exception
says. I am looking to use the FIPS 140-2 certified symmetric key
algorithms in this library.

I am using the following configuration:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssDbMode = noDb
nssModule = fips

The NSS DBs must exist if your goal is to be FIPS compliant and you are setting "nssModule = fips". The "nssDbMode = noDb" mode allows NSS to be used without database files, purely as a cryptographic provider.

Make the following changes:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory = <----- full path to NSS and NSPR libraries
nssSecmodDirectory = <----- full path to location of the NSS databases
nssDbMode = readWrite
nssModule = fips

To create a set of databases in the current directory:
certutil -N -d .
Review the NSS 3.11.4 security policy
<http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf>, "Strength
of Authentication Mechanism", for password requirements.
To enable FIPS mode:
modutil -fips true -dbdir .
I am adding the cryptography provided dynamically with the following
code:

import java.security.Provider;
import java.security.Security;

String configName = "nss.cfg";
// Java 6 constructor that loads the SunPKCS11 config file by path
Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11(configName);  // exception occurs on this line
Security.addProvider(cryptoProvider);

Has anyone else run into this issue or have any insight into the
problem?

If this doesn't work out I will look into direct utilization of JSS.

Java 1.5 claimed no FIPS compliance, and Java 1.6 or higher needs to be used for the SunPKCS11-NSS bridge. JSS can use Java 1.4 or higher to be FIPS compliant.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS.html
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl (see createpkcs11_cfg)


-glen
Thanks!
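The configuration and provider-loading steps discussed in this thread, put together as one complete program. This is an added example and is not code from either poster: it assumes a config file like the corrected one above (the library and database paths shown in the comment are hypothetical placeholders), an NSS database that has already been created with certutil -N and switched to FIPS mode with modutil -fips true, and that the token password is supplied on the command line or at the console. It goes one step past the thread by logging in to the FIPS token before use and then running a Triple DES (DESede) round trip through the NSS-backed provider, checking that the Cipher really came from that provider rather than a software fallback.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Loads SunPKCS11 on top of an NSS FIPS token, logs in, and runs a
 * DESede/CBC round trip through that provider.
 *
 * Assumed nss.cfg (paths are hypothetical placeholders for this example):
 *
 *   name = NSScrypto
 *   nssLibraryDirectory = /opt/nss/lib
 *   nssSecmodDirectory = /opt/nss/db
 *   nssDbMode = readWrite
 *   nssModule = fips
 *
 * /opt/nss/db must already hold databases created with
 * "certutil -N -d /opt/nss/db" and put in FIPS mode with
 * "modutil -fips true -dbdir /opt/nss/db".
 */
public class NssFipsTripleDes {

    /** Load the provider from a SunPKCS11 config file and register it. */
    static Provider loadNssProvider(String configPath) throws Exception {
        // Java 6-8 constructor, matching the call used in the thread.
        Provider nss = new sun.security.pkcs11.SunPKCS11(configPath);
        // On Java 9 or later use instead:
        //   Provider nss = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(nss);
        return nss;
    }

    /**
     * In FIPS mode NSS refuses key operations until the token is logged in.
     * Loading the PKCS11 KeyStore performs C_Login with the supplied PIN.
     */
    static void loginFipsToken(Provider nss, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, pin);
        Arrays.fill(pin, '\0'); // scrub the PIN from memory once used
    }

    /** Encrypt and decrypt through the NSS provider; true if the plaintext is recovered. */
    static boolean tripleDesRoundTrip(Provider nss, byte[] plaintext) throws Exception {
        // Default DESede key size for the SunPKCS11 KeyGenerator (168-bit, 3 keys)
        KeyGenerator kg = KeyGenerator.getInstance("DESede", nss);
        SecretKey key = kg.generateKey();

        // Draw the IV from the token's RNG rather than a software one
        byte[] iv = new byte[8];
        SecureRandom.getInstance("PKCS11", nss).nextBytes(iv);

        Cipher enc = Cipher.getInstance("DESede/CBC/PKCS5Padding", nss);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        // Confirm the work is done by the NSS token, not a fallback provider
        if (!enc.getProvider().getName().equals(nss.getName())) {
            throw new IllegalStateException("Cipher not backed by " + nss.getName());
        }

        Cipher dec = Cipher.getInstance("DESede/CBC/PKCS5Padding", nss);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] recovered = dec.doFinal(ciphertext);
        return Arrays.equals(plaintext, recovered);
    }

    public static void main(String[] args) throws Exception {
        String configPath = args.length > 0 ? args[0] : "nss.cfg";
        char[] pin;
        if (args.length > 1) {
            pin = args[1].toCharArray();
        } else if (System.console() != null) {
            pin = System.console().readPassword("NSS FIPS token password: ");
        } else {
            throw new IllegalArgumentException("usage: NssFipsTripleDes <nss.cfg> [pin]");
        }

        Provider nss = loadNssProvider(configPath);
        System.out.println("loaded provider : " + nss.getName()); // SunPKCS11-NSScrypto
        loginFipsToken(nss, pin);

        byte[] sample = "constructed sample plaintext".getBytes("UTF-8");
        System.out.println("round trip ok   : " + tripleDesRoundTrip(nss, sample));
    }
}
```

If the constructor still throws "Could not initialize NSS", the first things to check are that nssLibraryDirectory points at the directory holding libnss3, libsoftokn3 and the NSPR libraries (absolute path, not ./lib), and that the NSS loaded from there is the one you expect rather than an older copy earlier on the library search path, since the version check in Secmod.initialize is made against whatever library actually gets loaded.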


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto