https://www.google.com/search?q=nss+certificate+verification+fails+fips+mode&ie=UTF-8#q=nss+certificate++failed+fips+
The first link.

Aleksey

On 6/25/15 9:37 AM, Lara Blatchford wrote:
> Please find attached examples.tar. This contains a program to sign an XML
> document based on the sign1.c example. It also contains a script to create
> an NSS database in FIPS mode, and an XML document containing the signature
> template we are using.
>
> Below is an example run of the application and the subsequent verification
> failure (this was done on a Linux machine). Input on why verification would
> fail is greatly appreciated. As shown below, verification works if the
> signature is regenerated after FIPS mode is disabled.
>
> lara@aft1:chroot ~/xmlsec_example$ ./gen_fips_selfsigned_rsa.sh
> creating db
> put in fips mode
> FIPS mode enabled.
> generate self signed cert
>
> Generating key. This may take a few moments...
>
> lara@aft1:chroot ~/xmlsec_example$ ./sign1visnss docToSign.xml ./fips_db_dir vis password >signed.xml
> set nss_passwd=password
> Loading template file: docToSign.xml
> adding key name: vis
> returning nss_passwd=password
> lara@aft1:chroot ~/xmlsec_example$ xmlsec1 --verify --crypto nss --crypto-config ./fips_db_dir signed.xml
> func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha512:subj=VFY_EndWithSignature:error=4:crypto library function failed:error code=-8182;last nss error=-8182 (0xFFFFE00A)
> func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj=rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec library function failed: ;last nss error=-8182 (0xFFFFE00A)
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec library function failed: ;last nss error=-8182 (0xFFFFE00A)
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "signed.xml"
> lara@aft1:chroot ~/xmlsec_example$ exit
>
> Script done on Thu 25 Jun 2015 12:30:50 PM EDT
> lara@aft1:chroot ~/xmlsec_example$
> lara@aft1:chroot ~/xmlsec_example$ modutil -fips false -dbdir ./fips_db_dir
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> FIPS mode already disabled.
> lara@aft1:chroot ~/xmlsec_example$ ./sign1visnss docToSign.xml ./fips_db_dir vis password >signed.xml
> set nss_passwd=password
> Loading template file: docToSign.xml
> adding key name: vis
> returning nss_passwd=password
> lara@aft1:chroot ~/xmlsec_example$ xmlsec1 --verify --crypto nss --crypto-config ./fips_db_dir signed.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> lara@aft1:chroot ~/xmlsec_example$
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:[email protected]]
> Sent: Thursday, June 25, 2015 11:18 AM
> To: Lara Blatchford; [email protected]
> Subject: Re: [xmlsec] signature verification failures using NSS with FIPS
>
> I have no idea what you are doing. As I said, the current error means that
> certificate verification fails. That's the reason.
>
> Aleksey
>
> On 6/25/15 7:03 AM, Lara Blatchford wrote:
>>
>> Thank you for your quick response!
>>
>> The specification that I am coding to requires the KeyInfo element to be
>> included. Are you suggesting that the signature may verify successfully if
>> I omit the KeyInfo and/or KeyName information from the signature template?
>>
>> I tried removing the calls to xmlSecTmplSignatureEnsureKeyInfo,
>> xmlSecTmplKeyInfoAddKeyName, and xmlSecTmplKeyInfoAddX509Data, but
>> when I do so, xmlsec generates the following error when xmlSecDSigCtxSign is
>> called:
>>
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=889:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=581:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=319:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>
>> If I take out only the call to xmlSecTmplKeyInfoAddX509Data, then
>> xmlsec will sign the document, but signature verification still fails
>> with the "invalid signature" error you previously indicated, so it appears
>> that xmlsec is generating an invalid signature for some reason.
>>
>> Could you please provide an example of a signature template that
>> should work when using an NSS database in FIPS mode? Or is there more
>> additional information I can provide that would help to determine why
>> xmlsec generates an invalid signature from the signature template I
>> previously provided?
>>
>> Thanks again,
>> Lara
>>
>> -----Original Message-----
>> From: Aleksey Sanin [mailto:[email protected]]
>> Sent: Tuesday, June 23, 2015 12:15 PM
>> To: Lara Blatchford; [email protected]
>> Subject: Re: [xmlsec] signature verification failures using NSS with FIPS
>>
>> This particular error means that the certificate verification failed
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html
>>
>> SEC_ERROR_BAD_SIGNATURE -8182 Peer's certificate has an invalid
>> signature.
>>
>> I didn't test in FIPS mode recently, but as far as I know it should work
>> fine for a subset of XMLDsig spec (e.g. you can't put keys into signature
>> for obvious reasons).
>>
>> Aleksey
>>
>> On 6/23/15 8:49 AM, Lara Blatchford wrote:
>>> Though I am able to generate signatures using RSA keys retrieved from a
>>> FIPS-enabled NSS database, the signatures do not verify.
>>>
>>> If FIPS is disabled on the database, the signature does verify.
>>>
>>> A mail archive post from Wed, 05 Mar 2003 21:39:24 indicated that FIPS
>>> mode is not supported for the NSS library.
>>>
>>> Why is this, and is there a plan to add support in the future?
>>>
>>> Here is the error received when attempting to verify the database, as
>>> well as the signature portion of my XML document:
>>>
>>> [nss]$ xmlsec1 --verify --crypto nss --crypto-config . 100_1_2003_doc.xml
>>>
>>> func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha512:subj=VFY_EndWithSignature:error=4:crypto library function failed:error code=-8182;last nss error=-8182 (0xFFFFE00A)
>>> func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj=rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec library function failed: ;last nss error=-8182 (0xFFFFE00A)
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=401:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec library function failed: ;last nss error=-8182 (0xFFFFE00A)
>>>
>>> Error: signature failed
>>> ERROR
>>> SignedInfo References (ok/all): 1/1
>>> Manifests References (ok/all): 0/0
>>> Error: failed to verify file "100_1_2003_doc.xml"
>>>
>>> [nss]$ modutil -chkfips true -dbdir .
>>> FIPS mode enabled.
>>> [nss]$
>>>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>   <SignedInfo>
>>>     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>>>     <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
>>>     <Reference URI="#xpointer(/)">
>>>       <Transforms>
>>>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>>>       </Transforms>
>>>       <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
>>>       <DigestValue>DotbZXz+hs3PZpA2SflWZvtbT9LI0i7pUMGfx9g1isX92tD8FtQ09r3wVls3gRZr
>>> mIkMbgPU4pbcV493Ks/j7g==</DigestValue>
>>>     </Reference>
>>>   </SignedInfo>
>>>   <SignatureValue>[base64 omitted]</SignatureValue>
>>>   <KeyInfo>
>>>     <KeyName>signingCert</KeyName>
>>>     <X509Data>
>>>       <X509Certificate>[base64 omitted]</X509Certificate>
>>>     </X509Data>
>>>   </KeyInfo>
>>> </Signature>
>>>
>>> Thank you,
>>>
>>> Lara
>>>
>>> ~~~~~~~~~~~~~~
>>> Lara Blatchford
>>> Principal Engineer
>>> Nteligen, LLC
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
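
Added example, not part of the original thread and not xmlsec or NSS code: a Python triage helper that takes xmlsec1 error output as it appears in this thread (mail-quoted and wrapped), rebuilds each record, checks that the decimal and hex NSS codes agree, and reports the innermost failing call. The function names are this example's own, the name table holds only the -8182 mapping given in the thread, and the sample is constructed from the thread's output.

```python
import re

# The only code-to-name mapping the thread gives; extend it from NSS's secerr.h.
NSS_ERRORS = {-8182: "SEC_ERROR_BAD_SIGNATURE"}

# func=F:file=S:line=N:obj=O:subj=C:error=E:<message>;last nss error=D (0xH)
RECORD = re.compile(
    r"func=(?P<func>[^:]+):file=(?P<file>[^:]+):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]+):subj=(?P<subj>[^:]+):error=(?P<error>\d+):"
    r"(?P<msg>.*?);last nss error=(?P<nss>-?\d+) \((?P<hex>0x[0-9A-Fa-f]{8})\)")

def unwrap(text):  # drop mail quote markers, rejoin records wrapped at a space
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line.startswith("func="):
            records.append(line)
        elif line and records and not RECORD.search(records[-1]):
            records[-1] += " " + line  # continuation of an incomplete record
    return records

def signed32(hexword):  # NSS codes are signed 32-bit; the log also prints them as hex
    value = int(hexword, 16)
    return value - (1 << 32) if value & 0x80000000 else value

def triage(text):  # innermost failing call and the NSS error behind it, or None
    parsed = [m.groupdict() for m in map(RECORD.search, unwrap(text))
              if m and int(m["nss"]) == signed32(m["hex"])]  # both forms must agree
    if not parsed:
        return None
    root = parsed[0]  # in the thread's output the deepest frame is logged first
    code = int(root["nss"])
    return {
        "failed_call": root["subj"],
        "reported_by": f'{root["func"]} ({root["file"]}:{root["line"]})',
        "nss_code": code,
        "nss_name": NSS_ERRORS.get(code, "unknown, look up in secerr.h"),
        "call_chain": [p["func"] for p in parsed],
    }

# Constructed sample: verification output copied from the thread, still quoted and wrapped.
SAMPLE = """\
> func=xmlSecNssSignatureVerify:file=signatures.c:line=356:obj=rsa-sha512:subj=VFY_EndWithSignature:error=4:crypto
> library function failed:error code=-8182;last nss error=-8182 (0xFFFFE00A)
> func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1804:obj=rsa-sha512:subj=xmlSecTransformVerify:error=1:xmlsec
> library function failed: ;last nss error=-8182 (0xFFFFE00A)
> Error: signature failed
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records that were wrapped in the middle of a token, as in the oldest quoted copy of the log, cannot be rejoined unambiguously and are skipped rather than guessed at.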
