On Oct 30, 3:32 pm, Glen Beasley <[email protected]> wrote:
> >> I ran into issues creating the secmod database:
>
> >> * Steps taken on the first Windows XP Professional Version 2002 SP2
> >> box
> >> 1) "certutil -N -d ." ran fine, created the three database files with
> >> a strong password
> >> 2) "modutil -fips true -dbdir ." failed, with error:
> >> "An I/O error occurred during security authorization.
> >> ERROR: Unable to switch FIPS modes."
>
> >> * Executed the same commands and same configuration on a Windows Vista
> >> box with success (output: "FIPS mode enabled.", and modutil -list
> >> shows the appropriate FIPS module).
> >> * Executed the same commands and same configuration on a second
> >> Windows XP Professional Version 2002 SP2 box with success.
>
> >> That was odd, but nevertheless, I now have a secmod database that I
> >> can work with.
>
> >> Next, I copied the database files/directory into my Eclipse Java
> >> project and modified the NSS configuration file appropriately:
>
> >> name = NSScrypto
> >> attributes = compatibility
> >> nssLibraryDirectory = ./lib
> >> nssSecmodDirectory = ./nss_db
> >> nssDbMode = readWrite
> >> nssModule = fips
>
> >> This project is hosted on shared storage between both the Windows XP
> >> boxes. Running the test application (see previous message) on the
> >> original machine still produces the original exception:
>
> >> java.security.ProviderException: Could not initialize NSS
> >>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
> >>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
> >>     at test.TripleDESTest.main(TripleDESTest.java:112)
> >> Caused by: java.io.IOException: The specified version of NSS is
> >> incompatible, 3.7 or later required
> >>     at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
> >>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
> >>     ... 2 more
>
> >> Running the test application (the exact same Eclipse Java project, the
> >> same libraries, the same configuration) with the same JVM, jdk/jre
> >> 1.6.0_13, on the second Windows XP machine (where "modutil -fips true"
> >> succeeded) was successful (e.g., the crypto provider object was
> >> returned).
>
> On the Windows XP system that does not work, can you confirm/deny that you
> have the .chk files installed in your path with their matching libraries.
>
> see security rule
> 34 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
>
> . softokn3.dll
> . softokn3.chk
> . freebl3.dll
> . freebl3.chk
>
> Since you have one system that works and one that does not, missing .chk
> files is
> the most logical configuration difference.
>
> >> Any further insight into this issue would be appreciated!
>
> >> Best regards,
>
> >> Drew Morris
> >> Technical Lead, Software Developer
> >> CDM Technologies, Inc. (http://www.cdmtech.com)
>
> > My Google searches happened to bring this highly-related gem to the
> > surface today (odd that they didn't yesterday):
>
> > http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
>
> > Looks like it is a real issue.
>
> Well, missing .chk files are a real issue. The other issue
> is nobody is actively working on bug_id=6521498.
> I will see if I can contact the jce team about updating this bug.
>
> -glen
>
> > Any ideas?
>
> > Thanks!
>
> > Drew Morris
> > Technical Lead, Software Developer
> > CDM Technologies, Inc. (http://www.cdmtech.com)

Thanks Glen; I double checked on inclusion of the *.chk files. They are
included in the appropriate directories and are on the path.

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
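
Added example, not part of the thread and not NSS or JDK code: a preflight check for the configuration difference discussed above. It reads the posted NSS configuration and reports which of the four named library/.chk files are missing or empty in nssLibraryDirectory. The function names and the base_dir parameter (the directory that relative paths such as ./lib are resolved against) are assumptions.

```python
import os
import tempfile

# Configuration as posted in the thread above.
SAMPLE_CONFIG = """\
name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips
"""

# Library/checksum pairs named in the thread.
FIPS_PAIRS = [("softokn3.dll", "softokn3.chk"), ("freebl3.dll", "freebl3.chk")]


def parse_nss_config(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def missing_fips_files(cfg, base_dir):
    """Return the named files that are absent or empty in nssLibraryDirectory.

    base_dir is an assumption: the directory relative paths are resolved
    against (for example, the application's working directory).
    """
    lib_dir = os.path.normpath(os.path.join(base_dir, cfg["nssLibraryDirectory"]))
    missing = []
    for pair in FIPS_PAIRS:
        for name in pair:
            path = os.path.join(lib_dir, name)
            if not os.path.isfile(path) or os.path.getsize(path) == 0:
                missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed layout: one .chk file deliberately left out.
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "lib"))
        for name in ("softokn3.dll", "softokn3.chk", "freebl3.dll"):
            with open(os.path.join(base, "lib", name), "wb") as fh:
                fh.write(b"placeholder")
        print(missing_fips_files(parse_nss_config(SAMPLE_CONFIG), base))
```

Run it on each machine with base_dir set to the directory the test application is launched from, and compare the two results.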

