I turned on FIPS mode in our JSS-using application and in the last step of creating a PKCS#12 file I get the following token exception:

org.mozilla.jss.crypto.TokenException: Failed to import PBA key from PBA-generated bits
    at org.mozilla.jss.pkcs11.PK11KeyGenerator.generatePBE(Native Method)
    at org.mozilla.jss.pkcs11.PK11KeyGenerator.generate(PK11KeyGenerator.java:213)
    at org.mozilla.jss.pkcs12.MacData.<init>(MacData.java:131)
    at org.mozilla.jss.pkcs12.PFX.computeMacData(PFX.java:242)

The call that kicked off the exception was:

    pfx.computeMacData(pw, salt, iterationCount);

where pw is a 10 character "strong" password (examples: [EMAIL PROTECTED] and %06+hz9LJd), salt is an 8 byte array populated with "nextBytes(salt)" via JSS's SecureRandom and the iterationCount is 2048.

I enabled FIPS mode by setting:

    initializationValues.fipsMode = FIPSMode.ENABLED;

before calling:

    CryptoManager.initialize(initializationValues);

The private key I'm trying to include in the PKCS#12 was generated in and exported from the software token moments right before this. I can only guess that FIPS mode is being (understandably) stricter about letting the private key go from the softtoken?

Is there a way to get past this with some different code or do FIPS restrictions just flat out disallow what I am trying to do?

Thanks,
Dave

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto