Wan-Teh Chang wrote:
> NSS doesn't allow importing or exporting of *unencrypted* secret
> or private keys in FIPS mode.
>
> This is not an issue for SSL because the incoming premaster secret
> from the *client* is encrypted with the server's RSA public key.
>
> If you really have to import an unencrypted secret key in FIPS
> mode, you can use this workaround:
> - Generate a secret key inside the NSS softoken. Call it SK.
> - Use SK to encrypt your secret key as data.
> - Then, unwrap the encrypted data with SK. (Unwrap means
>   decrypting an encrypted key.)
>
> This workaround works by abusing the NSS API and treating
> your secret key as data.

Dean,

This "works", but it really is violating FIPS. An application that does this can't really claim full FIPS compliance, IMO, even if it is using a FIPS validated module.

There's some sort of architectural or protocol design problem if your application feels it must violate the FIPS rules this way to work. If you're REALLY trying to be fully FIPS compliant, then you won't use the technique described above, and will instead work on the architecture or protocol design so that it becomes no longer necessary to do such a hack\workaround.