Wan-Teh Chang wrote:
> PK11_ImportSymKey ultimately calls the C_CreateKey function of
> the softoken. In FIPS mode, the function does not allow a secret
> or private key to be created:
> http://lxr.mozilla.org/security/source/security/nss/lib/softoken/fipstokn.c#698
>
> 698 /* FIPS can't create keys from raw key material */
> 699 if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
> 700 rv = CKR_ATTRIBUTE_VALUE_INVALID;

Just posting on this old thread to provide some closure should anyone else be reading this.

Reading the "/* FIPS can't create keys from raw key material */" comment made me do some investigation... Page 61 of the "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program", available at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf, says the following:

"Password-Based Key Establishment Methods: all password-based key establishment methods such as PKCS#5 are not to be used in the FIPS mode."

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
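
The check quoted in this thread, modelled as an added stand-alone example (not NSS source and not part of the original posts): a FIPS-mode object-creation gate that scans a PKCS #11 template for `CKA_CLASS` and refuses secret or private key objects built from raw key material. The numeric constants are from the PKCS #11 specification; the function names `fips_create_object_gate`, `is_nonpublic_key_object` and `demo_import` are hypothetical, and the handling of a missing or malformed `CKA_CLASS` is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Types and constants as defined by the PKCS #11 specification. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_OBJECT_CLASS, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS                   0x00UL
#define CKA_VALUE                   0x11UL
#define CKO_CERTIFICATE             0x01UL
#define CKO_PUBLIC_KEY              0x02UL
#define CKO_PRIVATE_KEY             0x03UL
#define CKO_SECRET_KEY              0x04UL
#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_TEMPLATE_INCOMPLETE     0xD0UL

/* Hypothetical stand-in for the SFTK_IS_NONPUBLIC_KEY_OBJECT test in the quote. */
static int is_nonpublic_key_object(CK_OBJECT_CLASS c) {
    return c == CKO_PRIVATE_KEY || c == CKO_SECRET_KEY;
}

/* Hypothetical model of the FIPS-mode gate run before an object is created. */
CK_RV fips_create_object_gate(const CK_ATTRIBUTE *tmpl, CK_ULONG count) {
    const CK_OBJECT_CLASS *classptr = NULL;
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_CLASS) continue;
        /* Assumption: a malformed class attribute is rejected outright. */
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_OBJECT_CLASS))
            return CKR_ATTRIBUTE_VALUE_INVALID;
        classptr = tmpl[i].pValue;
    }
    if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE; /* assumption */
    /* FIPS can't create keys from raw key material. */
    if (is_nonpublic_key_object(*classptr)) return CKR_ATTRIBUTE_VALUE_INVALID;
    return CKR_OK;
}

/* Constructed sample: the kind of template an import of raw key bytes submits. */
CK_RV demo_import(CK_OBJECT_CLASS cls) {
    unsigned char raw[16] = {0}; /* constructed placeholder, not real key material */
    CK_ATTRIBUTE tmpl[] = { { CKA_CLASS, &cls, sizeof cls }, { CKA_VALUE, raw, sizeof raw } };
    return fips_create_object_gate(tmpl, 2);
}

int main(void) {
    printf("secret key import: 0x%lx\n", demo_import(CKO_SECRET_KEY));
    printf("public key import: 0x%lx\n", demo_import(CKO_PUBLIC_KEY));
    return 0;
}
```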