
Initializing FIPS mode


jonetsu

Jan 20, 2016, 6:05:50 PM
to dev-se...@lists.mozilla.org
Hello !

Please let me know if this is not the right place to ask the following.

I am used to OpenSSL and GnuTLS, both of which have an explicit method for enabling FIPS and at the same time running the FIPS self-tests. This method is called very near the start of the code, for instance.

I would like to use NSS with FIPS support. I am browsing the code (3.17.4) and although there are a few methods for doing various checks, such as sftk_fipsPowerUpSelfTest() and various power on self tests, the file fipstest.c seems to happily delve into testing without doing any FIPS initialization at all. Now, NSS was appropriately set externally from any code in FIPS mode by doing:

modutil -force -fips true -dbdir <directory>

And then checking it out with:

modutil -chkfips false -dbdir <directory>

Is that all that's needed, assuming that any application using NSS will now work with a FIPS-enabled NSS ?

Then what would be the way for an application to first verify that indeed NSS is in FIPS mode ? What would be the preferred method for doing so ? Are the methods inside fipstokn.c such as sftk_fipsCheck() available for applications ? Finally, any simple example code out there that checks FIPS mode and perhaps does a simple operation ?

Thanks, any comments much appreciated.




Daniel Veditz

Jan 21, 2016, 6:29:54 PM
to jonetsu, dev-se...@lists.mozilla.org
On Wed, Jan 20, 2016 at 3:06 PM, jonetsu <jon...@teksavvy.com> wrote:

> Hello !
>
> Please let me know if this is not the right place to ask the following.
>

For technical NSS issues please ask the folks in mozilla.dev.tech.crypto
https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto

-Dan Veditz