On Nov 3, 12:34 pm, "[email protected]" <[email protected]>
wrote:
> On Nov 2, 8:13 pm, Glen Beasley <[email protected]> wrote:
>
>
>
> > [email protected] wrote:
>
> > >>>> I ran into issues creating the secmod database:
>
> > before moving on to Java/SunPKCS11-NSSFIPS issue you should first get
> > your configuration correct
> > so that running the modutil command will work correctly. Copying the
> > databases from a working system to
> > a system that is unable to correctly run "modutil -fips true -dbdir ."
> > makes no sense.
>
> > In an attempt to recreate your problem, I wrote a test program and some
> > rough notes that
> > should hopefully help. The program/notes are rough as I don't have much
> > time to spend on this issue.
>
> > I had a clean window 7 box so I:
>
> > downloaded NSPR
> > 4.6.4https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/...
> > downloaded NSS
> > 3.11.4https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
> > installed java version "1.6.0_16":
>
> > 2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin
> > directory
>
> > 3) created the NSS db's and configured for FIPS mode:
>
> > certutil -N -d .
> > modutil -fips true -dbdir .
>
> > 4) created the following nss.cfg file:
>
> > name = NSSFIPS
> > nssLibraryDirectory = ./lib
> > nssSecmodDirectory = .
> > nssDbMode = readWrite
> > nssModule = fips
>
> > 5) created the attached test program sunpkcs11nss.java
>
> > 6) javac javac sunpkcs11nss.java
> > 7) java sunpkcs11nss nss.cfg <password>
> > Initializing sunpkcs11-NSS nss.cfg
> > Initialized sunpkcs11-NSS
> > Provider 0: SunPKCS11-NSSFIPS
> > Provider 1: SUN
> > Provider 2: SunRsaSign
> > Provider 3: SunJSSE
> > Provider 4: SunJCE
> > Provider 5: SunJGSS
> > Provider 6: SunSASL
> > Provider 7: XMLDSig
> > Provider 8: SunPCSC
> > Provider 9: SunMSCAPI
> > Key generation done by SunPKCS11-NSSFIPS version 1.6
> > encrypt op done by SunPKCS11-NSSFIPS version 1.6
> > decrypt op done by SunPKCS11-NSSFIPS version 1.6
> > recovered bytes equal the original plaintext
>
> > Hopefully the above will help you solve your issue, or at least aid in
> > creating a bug with a provided testcase.
>
> > -glen
>
> > [sunpkcs11nss.java4K ]
>
> > import java.security.AlgorithmParameters;
> > import java.security.Provider;
> > import java.security.Security;
> > import javax.crypto.Cipher;
> > import javax.crypto.KeyGenerator;
> > import java.security.KeyStore;
>
> > //[email protected]
> > //This is a sample test program
> > //the nss.cfg file
> > //name = NSSFIPS
> > //nssLibraryDirectory = ./lib
> > //nssSecmodDirectory = .
> > //nssDbMode = readWrite
> > //nssModule = fips
> > //
> > //http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide....
>
> > public class sunpkcs11nss {
>
> > public static void main(String args[]) {
> > try {
> > // pass in nss.cfg file and "password" for the NSS databases
> > String nssConfig = args[0];
> > System.out.println("Initializing sunpkcs11-NSS " + nssConfig);
> > Provider pkcs11NSS = new
> > sun.security.pkcs11.SunPKCS11(nssConfig);
> > Security.insertProviderAt(pkcs11NSS, 1);
> > System.out.println("Initialized sunpkcs11-NSS");
>
> > Provider[] providers = Security.getProviders();
> > for (int i = 0; i < providers.length; i++) {
> > System.out.println("Provider " + i + ": " +
> > providers[i].getName());
> > }
>
> > // Login
> > KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS);
> > // this is test code, please mask the password
> > ks.load(null, args[1].toCharArray());
>
> > javax.crypto.SecretKey skey = null;
> > javax.crypto.KeyGenerator kg = null;
>
> > kg = KeyGenerator.getInstance("AES",
> > pkcs11NSS);
> > kg.init(128);
> > skey = kg.generateKey();
>
> > System.out.println("Key generation done by " +
> > kg.getProvider().toString());
>
> > String algFamily = "AES";
> > String algType = "AES/CBC/PKCS5Padding";
>
> > byte[] plaintext = "testing NSS in FIPS MODE".getBytes();
> > Cipher cipher = Cipher.getInstance(algType, pkcs11NSS);
> > AlgorithmParameters ap = null;
> > byte[] encodedAlgParams = null;
>
> > cipher.init(Cipher.ENCRYPT_MODE, skey);
> > //generate the algorithm Parameters; they need to be
> > //the same for encrypt/decrypt if they are needed.
> > ap = cipher.getParameters();
> > if (ap != null) {
> > //get parameters to store away as example.
> > encodedAlgParams = ap.getEncoded();
> > }
> > byte[] ciphertext =
> > new byte[cipher.getOutputSize(plaintext.length)];
> > int cLen = cipher.update(plaintext, 0, plaintext.length,
> > ciphertext, 0);
> > cLen += cipher.doFinal(ciphertext, cLen);
>
> > System.out.println("encrypt op done by " +
> > cipher.getProvider().toString());
>
> > //decrypt
> > cipher = Cipher.getInstance(algType, pkcs11NSS);
> > if (encodedAlgParams == null) {
> > cipher.init(Cipher.DECRYPT_MODE, skey);
> > } else {
> > //retrieve the algorithmParameters from the encoded array
> > AlgorithmParameters aps =
> > AlgorithmParameters.getInstance(algFamily);
> > aps.init(encodedAlgParams);
> > cipher.init(Cipher.DECRYPT_MODE, skey, aps);
> > }
> > System.out.println("decrypt op done by " +
> > cipher.getProvider().toString());
>
> > byte[] recovered = new byte[cLen];
> > int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0);
> > rLen += cipher.doFinal(recovered, rLen);
>
> > //ensure the recovered bytes equals the orginal plaintext
> > boolean isEqual = true;
> > for (int i = 0; i < plaintext.length; i++) {
> > if (plaintext[i] != recovered[i]) {
> > isEqual = false;
> > break;
> > }
> > }
> > if (isEqual) System.out.println("recovered bytes equal " +
> > "the original plaintext\n");
>
> > } catch (Exception ex) {
> > ex.printStackTrace();
> > }
> > }
>
> > }
>
> Glen,
>
> Uninstalling ActiveClient also fixed the exception ("The specified
> version of NSS is incompatible, 3.7 or later required"). Not entirely
> sure why the libraries/binaries included in the Windows PATH would be
> used by the JVM with higher priority than the configured value in
> nss.cfg, "nssLibraryDirectory = ./lib". Nevertheless, I now know what
> the issue is and can work around it-- thank you for the assistance.
>
> Drew Morris
> Technical Lead, Software Developer
> CDM Technologies, Inc. (http://www.cdmtech.com)
Hi Glen,
I finally got all the other problems solved, and ran into this problem
when trying to run your code.
When attempting to actually generate the key, I get this exception:
java.security.ProviderException: Could not generate key
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:260)
at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:255)
... 2 more
Anyway, thanks very much for all your help so far.
Kevin Oberlies
Student Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
