On 18 March 2016 at 13:49, Robert Relyea <[email protected]> wrote:
> On 03/18/2016 09:14 AM, Andrew Cagney wrote:
>
>> Is it possible to put NSS (softtoken) in FIPS mode (PK11_IsFIPS()) without
>> a "modutil -fips true" database?
>>
>> By FIPS mode I guess I really mean confirm that NSS has performed some sort
>> of FIPS self-check.
>>
>> An earlier thread mentioned some way of toggling things using
>> SECMOD_DeleteInternalModule()?
>>
> Yes, SECMOD_DeleteInternalModule() is a toggle which switches NSS between
> FIPS and non-FIPS. If you don't have a database open, or the database is
> open readOnly, the change only affects the running program.
>
I guess I just pass it the current internal module's common name, viz:

    /* needs <nss.h>, <pk11pub.h> and <secmod.h> */
    NSS_NoDB_Init(".");
    if (!PK11_IsFIPS()) {
        /* no database is open, so the toggle only affects this process */
        SECMODModule *internal = SECMOD_GetInternalModule();
        debug_log("Deleting internal module %s", internal->commonName);
        if (SECMOD_DeleteInternalModule(internal->commonName) != SECSuccess)
            debug_log("SECMOD_DeleteInternalModule() failed");
    }
    debug_log("FIPS: %s", PK11_IsFIPS() ? "yes" : "no");

which seems to work:

    Deleting internal module NSS Internal PKCS #11 Module
    FIPS: yes
thanks!
bob
>
>>
>> Andrew
>>
>
>
>
> --
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>