On Oct 29, 11:30 pm, Glen Beasley <glen.beas...@sun.com> wrote:
> morris.d...@gmail.com wrote:
> > Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities
> > yields the following exception:
> >
> > java.security.ProviderException: Could not initialize NSS
> >     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
> >     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
> >     at test.TripleDESTest.main(TripleDESTest.java:112)
> > Caused by: java.io.IOException: The specified version of NSS is
> > incompatible, 3.7 or later required
> >     at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
> >     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
> >     ... 2 more
> >
> > The version I am using is greater than 3.7, despite what the exception
> > says. I am looking to use the FIPS 140-2 certified symmetric key
> > algorithms in this library.
> >
> > I am using the following configuration:
> >
> > name = NSScrypto
> > attributes = compatibility
> > nssLibraryDirectory = ./lib
> > nssDbMode = noDb
> > nssModule = fips
>
> the NSS dbs must exist if your goal is to be FIPS compliant and you're
> setting "nssModule = fips".
> The "nssDbMode = noDb" mode allows NSS to be used without database files
> purely as a cryptographic provider.
>
> make the following changes:
>
> name = NSScrypto
> attributes = compatibility
> nssLibraryDirectory = <----- full path to NSS and NSPR libraries
> nssSecmodDirectory = <---- full path to location of the NSS databases
> nssDbMode = readWrite
> nssModule = fips
>
> To create a set of databases in the current directory:
> certutil -N -d .
> review the NSS 3.11.4 security policy
> <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf>
> "Strength of Authentication Mechanism" for password requirements.
> To enable FIPS mode:
> modutil -fips true -dbdir .
> > I am adding the cryptography provider dynamically with the following
> > code:
> >
> > String configName = "nss.cfg";
> > Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11
> > (configName); // exception occurs on this line
> > Security.addProvider(cryptoProvider);
> >
> > Has anyone else run into this issue or have any insight into the
> > problem?
> >
> > If this doesn't work out I will look into direct utilization of JSS.
>
> Java 1.5 claimed no FIPS compliance, and Java 1.6 or higher needs to be
> used for the SunPKCS11-NSS bridge. JSS can use Java 1.4 or higher to be
> FIPS compliant.
>
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
> http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide....
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS...
> http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/t...
> see createpkcs11_cfg
>
> -glen
>
> > Thanks!
Thank you for the prompt response Glen! I tried your proposed actions. I am
still having issues, but now I have more information.

Indeed, the next issue I would have run into after fixing this version
incompatibility issue would have been related to the secmod database. The
problem may be more deep-rooted in NSS compatibility than I originally
thought (in such a way that utilizing JSS directly probably wouldn't work
either).

I ran into issues creating the secmod database:

* Steps taken on the first Windows XP Professional Version 2002 SP2 box
  1) "certutil -N -d ." ran fine, created the three database files with a
     strong password
  2) "modutil -fips true -dbdir ." failed, with error: "An I/O error
     occurred during security authorization. ERROR: Unable to switch FIPS
     modes."
* Executed the same commands and same configuration on a Windows Vista box
  with success (output: "FIPS mode enabled.", and modutil -list shows the
  appropriate FIPS module).
* Executed the same commands and same configuration on a second Windows XP
  Professional Version 2002 SP2 box with success.

That was odd, but nevertheless, I now have a secmod database that I can
work with. Next, I copied the database files/directory into my Eclipse Java
project and modified the NSS configuration file appropriately:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips

This project is hosted on shared storage between both the Windows XP boxes.
Running the test application (see previous message) on the original machine
still produces the original exception:

java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
    at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
    at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
    ... 2 more

Running the test application (the exact same Eclipse Java project, the same
libraries, the same configuration) with the same JVM, jdk/jre 1.6.0_13, on
the second Windows XP machine (where "modutil -fips true" succeeded) was
successful (e.g., the crypto provider object was returned).

Any further insight into this issue would be appreciated!

Best regards,

Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
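A small sh helper, added here as an example and not part of the thread, that writes the readWrite/fips configuration Glen recommends with absolute paths and refuses to proceed when the NSS database directory is not populated, which is what the original noDb configuration got wrong. It assumes the NSS 3.11 legacy database file names cert8.db, key3.db and secmod.db; the script name nss_cfg.sh and the /opt/nss paths are placeholders, and the modutil -list FIPS check is the one Drew describes above.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare and sanity-check the
# SunPKCS11/NSS configuration recommended in the reply above.
# Assumption: the NSS 3.11-era database files are cert8.db, key3.db, secmod.db.

# check_nss_dirs LIBDIR DBDIR
# Returns 0 when both paths are absolute, LIBDIR exists and DBDIR holds the
# three database files that nssDbMode = readWrite / nssModule = fips opens.
check_nss_dirs() {
    libdir=$1; dbdir=$2
    case "$libdir" in /*) ;; *) echo "nssLibraryDirectory must be absolute: $libdir" >&2; return 1;; esac
    case "$dbdir"  in /*) ;; *) echo "nssSecmodDirectory must be absolute: $dbdir" >&2; return 1;; esac
    [ -d "$libdir" ] || { echo "no such library directory: $libdir" >&2; return 1; }
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dbdir/$f" ] || { echo "missing $dbdir/$f; run: certutil -N -d $dbdir" >&2; return 1; }
    done
    return 0
}

# write_nss_cfg NAME LIBDIR DBDIR OUTFILE
# Writes the provider config with nssDbMode = readWrite and nssModule = fips,
# writing nothing when the checks above fail so the JVM never sees a bad file.
write_nss_cfg() {
    name=$1; libdir=$2; dbdir=$3; out=$4
    check_nss_dirs "$libdir" "$dbdir" || return 1
    cat > "$out" <<EOF
name = $name
attributes = compatibility
nssLibraryDirectory = $libdir
nssSecmodDirectory = $dbdir
nssDbMode = readWrite
nssModule = fips
EOF
}

# fips_enabled DBDIR
# Returns 0 when "modutil -list" shows the FIPS module (as in the thread),
# 2 when the NSS tools are not installed, 1 when FIPS mode is off.
fips_enabled() {
    command -v modutil >/dev/null 2>&1 || { echo "modutil not on PATH" >&2; return 2; }
    modutil -list -dbdir "$1" 2>/dev/null | grep -q "FIPS"
}

# Usage: ./nss_cfg.sh /opt/nss/lib /opt/nss/db   (placeholder paths)
if [ $# -eq 2 ]; then
    write_nss_cfg NSScrypto "$1" "$2" nss.cfg && fips_enabled "$2" && echo "nss.cfg written, FIPS mode enabled"
fi
```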