On Aug 1, 8:02 pm, "Wan-Teh Chang" <[EMAIL PROTECTED]> wrote:
> On 8/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > I am having trouble getting some basic symmetric crypto working in
> > FIPS mode.
> [...]
> > I tried putting the non-db NSS into FIPS mode using
> > SECMOD_DeleteInternalModule() (who thinks these things up?) but that
> > seems to be a big can of worms and honestly I need this thing to work
> > with a database.
>
> Right.  NSS in FIPS mode must authenticate the user, so you must
> create a database where NSS stores the user's password.
>
> [...]
>
> > NOW I run it again - it fails on PK11_ImportSymKey() with -8190
> > (SEC_ERROR_BAD_DATA).
>
> The error code is confusing.  But PK11_ImportSymKey() won't work
> in FIPS mode because FIPS mode disallows input or output of plaintext
> (unencrypted) private or symmetric keys.  You must use PK11_UnwrapSymKey
> or related functions to import an encrypted symmetric key into NSS in the
> FIPS mode:http://lxr.mozilla.org/security/ident?i=PK11_UnwrapSymKey
>
> If you really need to import a plaintext symmetric key in FIPS mode,
> you can use the following workaround:
>
> 1. Generate a (temporary) symmetric key in NSS.
> 2. Use that symmetric key to encrypt your symmetric key as data.
> 3. Unwrap your wrapped symmetric key, using the symmetric key
> you generated in Step 1 as the unwrapping key.
>
> This workaround works because NSS allows the symmetric key
> you generated in Step 1 to be used for both the "encrypt" (of data)
> and the "unwrap" (of keys) operations.
>
> Wan-Teh


Wan-Teh,

Thank you so much!!  I didn't think I'd get a response at all, much
less so quickly!!  That was exactly what I needed to know.

I owe you one!
-glenn

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to