On 01/21/2016 07:33 AM, jonetsu wrote:
Hello,Please let me know if this is not the right place to ask about the following...
This is the right place.
FIPS is a mode in softoken. Usually when softoken is in FIPS mode, NSS itself is said to be in FIPS mode.I am new to NSS and would like to use it in FIPS mode. I do know about OpenSSL and GnuTLS, both of them having explicit calls to enabled FIPS mode. With NSS, so far I have seen that the modutil non-programmatical utility is used to set FIPS mode, as in: % modutil -force -fips true -dbdir <directory> How does an application assures that NSS is in FIPS mode ?
The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The dance to programatically is to call SECMOD_DeleteInternalModule(), which toggles the module between FIPS and non-FIPS modes.
Are calls such as sftk_fipsCheck() and sftk_fipsPowerUpSelfTest() in the softtoken module (fipstokn.c) available to applications ?
No.
Currently NSS does not restrict you from using non-approved algorithms. Officially going to FIPS mode requires the application to turn off any uses of non-FIPS algorithms itself. In the SSL code the SSLCipherSuiteInfo includes an isFIPS bit applications can use to manually turn off non-FIPS algorithms.What is the behaviour of NSS if an application tries to use a non-approved algorithm ?
Firefox has a button to flip to FIPS mode. For the most part the only issue applications may have in FIPS mode is if the application tries to access key material directly (or if the application doesn't handle authentication well). An Example of going into FIPS mode can also be found in the nss source tree under the cmd/modutil directory.Finally, is there any example code out there that uses NSS in FIPS mode ?
bob
Any comments, suggestions appreciated, thanks. -- View this message in context: http://mozilla.6506.n7.nabble.com/Using-NSS-in-FIPS-mode-tp350446.html Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
