On Tue, Jul 22, 2008 at 1:22 PM, Dean <[EMAIL PROTECTED]> wrote: > > I've been reading around about key generation and key material > manipulation and am hearing that key material manipulations is not > allowed in FIPs mode. This seems to be confirmed by my code which > works in non-FIPs mode but throws Token failed to process key: Failed > to unwrap key exceptions with FIPs mode.... > > In FIPs mode is there any way to go from a byte[] encoding of a > SecretKey and reconstitute a SecretKey. The code that works in non- > FIPS mode creates a new SecretKeySpec with the correct algorithm > (DESede) and calls Cipher.init() with the KeySpec. This works in non- > FIPs mode but fails in FIPs mode with the error noted above. > > I'm thinking that NSS must allows this in some manner in FIPs mde as > they would have to do this in their SSL implementation with the > incoming pre master secret from the server.
NSS doesn't allow importing or exporting of *unencrypted* secret or private keys in FIPS mode. This is not an issue for SSL because the incoming premaster secret from the *client* is encrypted with the server's RSA public key. If you really have to import an unencrypted secret key in FIPS mode, you can use this workaround: - Generate a secret key inside the NSS softoken. Call it SK. - Use SK to encrypt your secret key as data. - Then, unwrap the encrypted data with SK. (Unwrap means descrypting an encrypted key.) This workaround works by abusing the NSS API and treating your secret key as data. Wan-Teh _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
