On Aug 1, 8:02 pm, "Wan-Teh Chang" <[EMAIL PROTECTED]> wrote: > On 8/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > > I am having trouble getting some basic symmetric crypto working in > > FIPS mode. > [...] > > I tried putting the non-db NSS into FIPS mode using > > SECMOD_DeleteInternalModule() (who thinks these things up?) but that > > seems to be a big can of worms and honestly I need this thing to work > > with a database. > > Right. NSS in FIPS mode must authenticate the user, so you must > create a database where NSS stores the user's password. > > [...] > > > NOW I run it again - it fails on PK11_ImportSymKey() with -8190 > > (SEC_ERROR_BAD_DATA). > > The error code is confusing. But PK11_ImportSymKey() won't work > in FIPS mode because FIPS mode disallows input or output of plaintext > (unencrypted) private or symmetric keys. You must use PK11_UnwrapSymKey > or related functions to import an encrypted symmetric key into NSS in the > FIPS mode:http://lxr.mozilla.org/security/ident?i=PK11_UnwrapSymKey > > If you really need to import a plaintext symmetric key in FIPS mode, > you can use the following workaround: > > 1. Generate a (temporary) symmetric key in NSS. > 2. Use that symmetric key to encrypt your symmetric key as data. > 3. Unwrap your wrapped symmetric key, using the symmetric key > you generated in Step 1 as the unwrapping key. > > This workaround works because NSS allows the symmetric key > you generated in Step 1 to be used for both the "encrypt" (of data) > and the "unwrap" (of keys) operations. > > Wan-Teh
Wan-Teh, Thank you so much!! I didn't think I'd get a response at all, much less so quickly!! That was exactly what I needed to know. I owe you one! -glenn _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto