I am having trouble getting some basic symmetric crypto working in FIPS mode. I start with the sample at this URL:
http://www.mozilla.org/projects/security/pki/nss/sample-code/sample2.html (I've removed everything after "PK11_ImportSymKey" because that's where my problem lies).

I tried putting the non-db NSS into FIPS mode using SECMOD_DeleteInternalModule() (who thinks these things up?) but that seems to be a big can of worms and honestly I need this thing to work with a database.

So I change the init code to look like this:

    rv = NSS_InitReadWrite(".");
    PK11_SetPasswordFunc(mycallback);

and I add the pw callback:

    char * PR_CALLBACK pk11Passwordcallback2(PK11SlotInfo *slot, PRBool retry, void *arg)
    {
        string mypw = "password";
        char *pw = (char*)PR_Malloc((int)mypw.length()+1);
        strcpy(pw, mypw.data());
        return pw;
    }

Of course in "." I have already run "certutil -N -d ." and I set the password to "password".

NOW I run the program: it works.

Then I use "modutil -fips true -dbdir ." to turn on FIPS.

NOW I run it again - it fails on PK11_ImportSymKey() with -8190 (SEC_ERROR_BAD_DATA).

So... Am I not supposed to be able to do this in FIPS mode? If not... what needs to change to get it to work?

Thanks for looking this over.

-glenn standefer