I ran into issues creating the secmod database:

* Steps taken on the first Windows XP Professional Version 2002 SP2 box
  1) "certutil -N -d ." ran fine, created the three database files with a strong password
  2) "modutil -fips true -dbdir ." failed, with error: "An I/O error occurred during security authorization. ERROR: Unable to switch FIPS modes."
* Executed the same commands and same configuration on a Windows Vista box with success (output: "FIPS mode enabled.", and modutil -list shows the appropriate FIPS module).
* Executed the same commands and same configuration on a second Windows XP Professional Version 2002 SP2 box with success.

That was odd, but nevertheless, I now have a secmod database that I can work with.

Next, I copied the database files/directory into my Eclipse Java project and modified the NSS configuration file appropriately:

    name = NSScrypto
    attributes = compatibility
    nssLibraryDirectory = ./lib
    nssSecmodDirectory = ./nss_db
    nssDbMode = readWrite
    nssModule = fips

This project is hosted on shared storage between both the Windows XP boxes.

Running the test application (see previous message) on the original machine still produces the original exception:

    java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
        at test.TripleDESTest.main(TripleDESTest.java:112)
    Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
        ... 2 more

Running the test application (the exact same Eclipse Java project, the same libraries, the same configuration) with the same JVM, jdk/jre 1.6.0_13, on the second Windows XP machine (where "modutil -fips true" succeeded) was successful (e.g., the crypto provider object was returned).

On the Windows XP system that does not work, can you confirm/deny that you have the .chk files installed in your path with their matching libraries? See security rule 34: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

* softokn3.dll
* softokn3.chk
* freebl3.dll
* freebl3.chk

Since you have one system that works and one that does not, missing .chk files is the most logical configuration difference.

Any further insight into this issue would be appreciated!

Best regards,
Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)

My Google searches happened to bring this highly-related gem to the surface today (odd that they didn't yesterday): http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498

Looks like it is a real issue.

Well, missing .chk files are a real issue. The other issue is nobody is actively working on bug_id=6521498. I will see if I can contact the JCE team about updating this bug.

-glen

Any ideas? Thanks!

Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
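
One way to run the .chk check asked about in this thread, as an added example (not code from the thread, from NSS or from the JDK): it reads nssLibraryDirectory from the configuration posted above and reports which of the four named files are absent. The function names, the "." default and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile

# Library/.chk pairs named in the thread; each .chk must sit beside its library.
FIPS_LIBS = ("softokn3", "freebl3")

def parse_nss_config(text):
    """Parse 'key = value' lines of a SunPKCS11 NSS configuration file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def missing_fips_files(config_text, base_dir="."):
    """Return names (libraries or .chk files) absent from nssLibraryDirectory."""
    cfg = parse_nss_config(config_text)
    lib_dir = os.path.join(base_dir, cfg.get("nssLibraryDirectory", "."))
    present = {n.lower() for n in os.listdir(lib_dir)} if os.path.isdir(lib_dir) else set()
    missing = []
    for stem in FIPS_LIBS:
        for name in (stem + ".dll", stem + ".chk"):
            if name not in present:
                missing.append(name)
    return missing

# Configuration as posted in the thread.
SAMPLE_CONFIG = """\
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips
"""

def demo():
    """Constructed layout: freebl3.chk deliberately left out of ./lib."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        for name in ("softokn3.dll", "softokn3.chk", "freebl3.dll"):
            open(os.path.join(root, "lib", name), "wb").close()
        return missing_fips_files(SAMPLE_CONFIG, root)

if __name__ == "__main__":
    print(demo())
```

It checks presence only, not that a .chk file matches its library.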

