I have NSS-based DKIM signing working in our mail server software, but
run into a problem when trying to do it in FIPS mode.
I've been importing the DKIM private key using either
PK11_ImportPrivateKeyInfoAndReturnKey or
PK11_ImportDERPrivateKeyInfoAndReturnKey, but these APIs don't work in
FIPS mode (they map to C_CreateObject which disallows raw key import).
If FIPS mode only supports import of an encrypted private key, how would
I import the symmetric key that was used to encrypt the private key?
Seems like a catch22 for a distributed system where keys have to move
around.
I like to avoid the OpenSSL-crypto-monoculture, but right now it looks
like using OpenSSL-FIPS is the fastest path forward. Any suggestions for
a way I could keep using NSS for this?
- Chris
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
