NSS 3.101 shlibsign is not working in FIPS mode:
    # rpm -q nss
    # nss-3.101.0-7.el9_2
    # /usr/lib64/nss/unsupported-tools/shlibsign -v -o test -i /usr/lib64/libsoftokn3.so
    moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
    Library File: /usr/lib64/libsoftokn3.so
    Check File: test
    Generate an HMAC key ...
    HMAC key generation failed: 0x00000013, CKR_ATTRIBUTE_VALUE_INVALID
    NSPR error code: -8191: Unknown code ___f 1
It used to work in 3.90:
    [root@rhel-9-5-0-20240828-2 ~]# rpm -q nss
    nss-3.90.0-7.el9_4.x86_64
    [root@rhel-9-5-0-20240828-2 ~]# /usr/lib64/nss/unsupported-tools/shlibsign -v -o test -i /usr/lib64/libsoftokn3.so
    moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
    Library File: /usr/lib64/libsoftokn3.so
    Check File: test
    Generate an HMAC key ...
    Library File Size: 360504 bytes
    key: 32 bytes
    16 e4 47 da 70 04 d7 f1 3a bb f5 06 fc 6b cb 9b 0c 3a cf 6f c7 18 90 ea 31 6e ac 1b fb 1c 60 40
    signature: 32 bytes
    83 17 74 9b 42 52 ad dd c1 1c f7 8b cd ba b7 fc fb 74 01 b4 57 3d 17 b3 6d 2c f9 92 a4 00 70 ed
but failed the same way with the -F option.
And it works when NSC_GetFunctionList is used instead of C_GetFunctionList:
    Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/nss-3.101.0-7.el9_2.x86_64/nss/cmd/shlibsign/shlibsign.c:1428
    1428 pC_GetFunctionList = (CK_C_GetFunctionList)
    (gdb) s
    PR_FindFunctionSymbol (lib=lib@entry=0x555555560150, raw_name=raw_name@entry=0x5555555593c8 "C_GetFunctionList") at linking/../../../../nspr/pr/src/linking/prlink.c:844
    844 {
    (gdb) set raw_name="NSC_GetFunctionList"
    (gdb) cont
    Continuing.
    moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
    Library File: /usr/lib64/libsoftokn3.so
    Check File: test
    Generate an HMAC key ...
    Library File Size: 368784 bytes
Note that shlibsign is shipped under /usr/lib*/nss/unsupported-tools