On 8/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > I am having trouble getting some basic symmetric crypto working in > FIPS mode. [...] > I tried putting the non-db NSS into FIPS mode using > SECMOD_DeleteInternalModule() (who thinks these things up?) but that > seems to be a big can of worms and honestly I need this thing to work > with a database.
Right. NSS in FIPS mode must authenticate the user, so you must create a database where NSS stores the user's password. [...] > NOW I run it again - it fails on PK11_ImportSymKey() with -8190 > (SEC_ERROR_BAD_DATA). The error code is confusing. But PK11_ImportSymKey() won't work in FIPS mode because FIPS mode disallows input or output of plaintext (unencrypted) private or symmetric keys. You must use PK11_UnwrapSymKey or related functions to import an encrypted symmetric key into NSS in the FIPS mode: http://lxr.mozilla.org/security/ident?i=PK11_UnwrapSymKey If you really need to import a plaintext symmetric key in FIPS mode, you can use the following workaround: 1. Generate a (temporary) symmetric key in NSS. 2. Use that symmetric key to encrypt your symmetric key as data. 3. Unwrap your wrapped symmetric key, using the symmetric key you generated in Step 1 as the unwrapping key. This workaround works because NSS allows the symmetric key you generated in Step 1 to be used for both the "encrypt" (of data) and the "unwrap" (of keys) operations. Wan-Teh _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
