Bug 1428746 - NSS should provide a tool to check the validity of a crypto policy configuration file
Summary: NSS should provide a tool to check the validity of a crypto policy configurat...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-crypto-policies 1527033 1605247
 
Reported: 2017-03-03 09:53 UTC by Nikos Mavrogiannopoulos
Modified: 2018-10-08 10:37 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1527033
Environment:
Last Closed: 2018-10-05 11:14:39 UTC
Type: Bug
Embargoed:


Attachments
enhances listsuites to check crypto-policies config file for correctness (14.56 KB, patch)
2017-03-04 00:26 UTC, Elio Maldonado Batiz
emaldona: review-
Changes to nss.spec - in patch format (1.45 KB, patch)
2017-03-04 00:28 UTC, Elio Maldonado Batiz
no flags
enhances listsuites to check crypto-policies config file for correctness (14.47 KB, patch)
2017-03-17 16:41 UTC, Elio Maldonado Batiz
no flags
Changes to nss.spec - in patch format (14.49 KB, patch)
2017-03-17 16:42 UTC, Elio Maldonado Batiz
no flags
listsuites output before the patch is applied (7.75 KB, text/plain)
2017-03-17 16:44 UTC, Elio Maldonado Batiz
no flags
listsuites output after the patch was applied (13.80 KB, text/plain)
2017-03-17 16:45 UTC, Elio Maldonado Batiz
no flags


Links
Mozilla Foundation bug 1406953 (RESOLVED): listsuites: Respect policy configuration. Last updated 2020-03-09 08:41:28 UTC
Mozilla Foundation bug 1474887 (RESOLVED): nss-policy-check: a tool to check a NSS policy configuration for errors. Last updated 2020-03-09 08:41:28 UTC

Description Nikos Mavrogiannopoulos 2017-03-03 09:53:30 UTC
Description of problem:
For the purposes of Fedora crypto-policies we generate configuration files for multiple applications/libraries. For the NSS policy however the generated configuration file cannot be tested for correctness, other than by manually inspecting the file. That means that a CI testing infrastructure will not detect any bugs introduced to this generation.

Please provide some way to verify whether a generated configuration is valid, i.e., no typos are present, and the configuration provides at least one valid encryption option.

Comment 3 Elio Maldonado Batiz 2017-03-04 00:26:51 UTC
Created attachment 1259812
enhances listsuites to check crypto-policies config file for correctness

CAVEAT: this latest version is untested.

Comment 4 Elio Maldonado Batiz 2017-03-04 00:28:36 UTC
Created attachment 1259813
Changes to nss.spec - in patch format

Comment 5 Elio Maldonado Batiz 2017-03-17 16:31:29 UTC
Comment on attachment 1259812
enhances listsuites to check crypto-policies config file for correctness

Remove this
+    if (info.cipherSuite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
+        fprintf (stdout, "foo\n");
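Review bot: the `fprintf (stdout, "foo\n")` guarded by `info.cipherSuite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` is stray debug output; it would land in listsuites' normal stdout, where any CI consumer of the policy check would have to filter it out, so both lines should be dropped before the patch is re-posted.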
How did it get there, I don't know. Also the formatting of extra info leaves a bit to be desired.

Comment 6 Elio Maldonado Batiz 2017-03-17 16:41:33 UTC
Created attachment 1264214
enhances listsuites to check crypto-policies config file for correctness

Checking for policy file for correctness is a bit of an overstatement. It does print extra policy information when available and it's probably a good first step towards the goal.

Comment 7 Elio Maldonado Batiz 2017-03-17 16:42:44 UTC
Created attachment 1264216
Changes to nss.spec - in patch format

Comment 8 Elio Maldonado Batiz 2017-03-17 16:44:15 UTC
Created attachment 1264217
listsuites output before the patch is applied

Comment 9 Elio Maldonado Batiz 2017-03-17 16:45:36 UTC
Created attachment 1264218
listsuites output after the patch was applied

Comment 10 Jan Kurik 2017-08-15 08:09:56 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 11 Daiki Ueno 2017-10-09 15:25:33 UTC
I took the liberty of filing an upstream bug for this with a subset of the patch provided by Elio.

Comment 12 Kai Engert (:kaie) (inactive account) 2018-01-12 14:17:19 UTC
We discussed this request by email, and the request was clarified, which I'll attempt to summarize below. Nikos, please speak up if the summary is incorrect.

We should implement a tool that checks that:
- the policy file has a correct syntax
- that at least one version or mechanism of each configured category
  is enabled

Checking for inconsistencies between configuration categories is outside the scope of this tool.
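The two checks Nikos asks for in the description and Kai summarizes in comment 12 (the file parses, and every category keeps at least one enabled mechanism) can be illustrated with a small checker for the crypto-policies style NSS back-end file. This is an added example, not NSS's nss-policy-check and not code from the attachments on this bug. The `config="..."` file layout it expects, the keyword table (a constructed subset of what NSS understands), the category split and the sample configurations are all assumptions of the example.

```python
"""Added example: check an NSS policy file of the kind crypto-policies generates.
Not NSS's nss-policy-check; the keyword table is a constructed subset and the
category split is an assumption of this example."""
import re

# Assumption: illustrative subset of NSS policy keywords, grouped by category.
CATEGORIES = {
    "hash": {"MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"},
    "mac": {"HMAC-SHA1", "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"},
    "cipher": {"AES-128-CBC", "AES-256-CBC", "AES-128-GCM", "AES-256-GCM",
               "CHACHA20-POLY1305", "3DES", "RC4"},
    "kx": {"RSA", "DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA"},
    "sig": {"RSA-PKCS", "RSA-PSS", "ECDSA", "DSA"},
    "curve": {"SECP256R1", "SECP384R1", "SECP521R1"},
}
ALL_KEYWORDS = set().union(*CATEGORIES.values())
# Assumption: parameters that take a value instead of naming a mechanism.
VERSION_PARAMS = {"tls-version-min": {"tls1.0", "tls1.1", "tls1.2", "tls1.3"},
                  "dtls-version-min": {"dtls1.0", "dtls1.2"}}
SIZE_PARAMS = {"RSA-MIN", "DH-MIN", "DSA-MIN"}


def extract_config(text):
    """Return the string inside the config="..." line; raise ValueError on syntax errors."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        if key.strip() == "config":
            m = re.fullmatch(r'"(.*)"', value.strip())
            if not m:
                raise ValueError(f"line {n}: config value must be double-quoted")
            return m.group(1)
    raise ValueError("no config= line found")


def check_policy(text):
    """Return a list of problems; an empty list means the file passes both checks."""
    try:
        config = extract_config(text)
    except ValueError as e:
        return [str(e)]
    errors, enabled = [], set()
    # Directives are whitespace-separated and applied in order, e.g.
    # "disallow=ALL allow=SHA256:AES-256-GCM:tls-version-min=tls1.2".
    for directive in config.split():
        verb, sep, items = directive.partition("=")
        if not sep or verb not in ("allow", "disallow"):
            errors.append(f"bad directive {directive!r}: expected allow=... or disallow=...")
            continue
        for item in items.split(":"):
            name, has_value, value = item.partition("=")
            if name in VERSION_PARAMS:
                if value not in VERSION_PARAMS[name]:
                    errors.append(f"{name}: unknown version {value!r}")
                continue
            if name in SIZE_PARAMS:
                if not value.isdigit():
                    errors.append(f"{name}: expected a key size, got {value!r}")
                continue
            if has_value:
                errors.append(f"keyword {name!r} does not take a value")
                continue
            if name != "ALL" and name not in ALL_KEYWORDS:
                errors.append(f"unknown keyword {name!r}")  # this is where typos surface
                continue
            targets = ALL_KEYWORDS if name == "ALL" else {name}
            if verb == "allow":
                enabled |= targets
            else:
                enabled -= targets
    # Second check: every category keeps at least one enabled mechanism.
    for category, keywords in CATEGORIES.items():
        if not enabled & keywords:
            errors.append(f"category {category}: nothing is enabled")
    return errors


# Constructed sample in the layout of a crypto-policies NSS back-end file.
GOOD = """\
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:SHA256:SHA384:SHA512:\
AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:CHACHA20-POLY1305:\
ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:RSA:RSA-PSS:RSA-PKCS:ECDSA:SECP256R1:SECP384R1:\
tls-version-min=tls1.0:dtls-version-min=dtls1.0:RSA-MIN=2048:DH-MIN=2048"
"""
TYPO = GOOD.replace("AES-256-GCM", "AES-256-GMC")          # one misspelt keyword
TOO_NARROW = 'config="disallow=ALL allow=AES-256-GCM:ECDHE-RSA:RSA-PSS:SECP256R1:tls-version-min=tls1.2"\n'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("typo", TYPO), ("too-narrow", TOO_NARROW)):
        problems = check_policy(sample)
        print(label, "OK" if not problems else problems)
```

The checker deliberately stops at the two requirements in the comment: it does not reason about whether the enabled categories are consistent with one another (for instance a TLS-1.2-only AEAD policy that legitimately needs no HMAC), which is exactly the cross-category analysis the comment puts out of scope.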

Comment 13 Kai Engert (:kaie) (inactive account) 2018-07-11 14:11:40 UTC
I've provided an initial patch upstream:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1474887

This isn't a clear black/white request. IMHO the implementation I'm suggesting accomplishes the request; however, I suggest that you review it. Not a code review, but rather, a review of the approach that is used, of the coverage that is provided, and of the way failures are reported and treated.

The code review should be done later, after we've agreed that the implementation sufficiently implements the requested check.

Comment 14 Kai Engert (:kaie) (inactive account) 2018-07-17 10:33:39 UTC
The new nss-policy-check tool has been checked in upstream and will be available with NSS 3.39, which is expected around mid July.

Comment 15 Nikos Mavrogiannopoulos 2018-10-05 11:14:39 UTC
This is already in fedora. Thank you!

