On 2010/04/05 10:12 PDT, G. Richard Bellamy wrote: > I should have been more clear, I was asking if signtool, certutil, etc, > could run in FIPS mode.
Absolutely, yes. It all depends on whether the "softoken" PKCS#11 module is configured to be in FIPS mode or not. If it is, then any program that depends exclusively on it for all crypto can claim FIPS compliance (I believe, perhaps with a few caveats). > From what I can tell, it does not, but I'm not > convinced of my own analysis, hence my question. For instance in > certutil.c, line 2609 says /* XXX temporary hack for fips - must log in > to get priv key */, but none of the code actually executes > FC_Initialize. From my reading, that's the only way to enable FIPS - is > this correct? Yes, It's necessary to call FC_Initialize to run in FIPS mode. Nearly all NSS based programs call NSS_Init, which loads softoken, and determines if it is in FIPS mode or not, the gets either the table of addresses of the FIPS functions, or the table of addresses of the non-FIPS functions, and calls them. See https://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11load.c#411 and https://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11load.c#473 It calls FC_Initialize or NSC_Initialize depending on which function's address is in that table. It does't call the function by name. It calls it via the function pointer in that table. See https://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11load.c#252 > A follow-up question is - what is the consequence of setting secmod.db > to fips mode? How do other tools that use secmod interact when in fips mode? The consequence is that when NSS subsequently goes to initialize Softoken, it will get the table of FC_ functions and run in FIPS mode. >> There are no plans to enhance signtool any further. The Firefox browser >> developers have no further interest in it. > > So what tool does the FF dev community recommend for signing JARs and XPIs? I would have to say that, presently, the Firefox browser folks do not recommend signing JARs and XPIs. But if you want to do so, signtool is still the tool of choice. > I've looked at cmsutil. I'm mostly interested in object signing... When it comes to choosing a signing tool, of course, one must also consider what program is going to test the signature thus generated. Putting a CMS signature on a JAR or XPI is of little value because no program in the world expects those and checks those. For Jars and XPIs signtool is still the only option from NSS. >> Have you read the pages found at >> http://www.mozilla.org/projects/security/pki/nss/tools/ ?? > > Yes, I've read that page. What I was hoping for was some visibility into > answers to things like the questions I've posed above. As well: > 1. Roadmaps (e.g. plans for man pages?) At this point, AFAIK, the only companies that employ developers to enhance and expand or improve NSS are Red Hat and Google. If there's any road map, it would come from them. > 2. Interoperability With what? At this point, NSS is mostly used for SSL/TLS, and is fully interoperable with all other standards-compliant implementations for the protocol versions and cipher suites they mutually support. NSS also supports CMS. I use it daily in Thunderbird, and it interoperates with Microsoft's email clients without fail. Use in code signing is sadly almost non-existent because of Mozilla's disinterest. > 3. Possible consolidation Of what? with what? Of test tools into one big all-encompassing test tool? No plans for that. Of NSS with some competing crypo library? No plans for that. I don't know what else you might have in mind. > 4. nss/cmd/XXXX specific documentation (e.g. cmsutil is a part of smime, > but there's no doco for smime that I can find, aside from the usage/help) Integration of NSS's CMS library with a MIME library is a BIG task. If you have a MIME library and want to try to integrate NSS's CMS library with it, then documentation would help you, granted. If you don't have a MIME library, then you'd need one. A MIME library is probably MORE code than the CMS library, so it wouldn't be realistic to start with the CMS library and build a full S/MIME MUA. Having said that, there's a perl script that provides an EXTREMELY rudimentary SMIME client on top of NSS's cmsutil test program. You can see it at http://mxr.mozilla.org/security/source/security/nss/cmd/smimetools/smime > Thanks again for your response. Hopefully these questions aren't stoopid. Not at all. -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
