On Mon, 1 Jun 2020, Chris Newman wrote:
I've been importing the DKIM private key using either PK11_ImportPrivateKeyInfoAndReturnKey or PK11_ImportDERPrivateKeyInfoAndReturnKey, but these APIs don't work in FIPS mode (they map to C_CreateObject which disallows raw key import). If FIPS mode only supports import of an encrypted private key, how would I import the symmetric key that was used to encrypt the private key? Seems like a catch-22 for a distributed system where keys have to move around.
pk12util can import a key-wrapped private key and certificate bundle. This symmetric key is password protected, but you can specify this password via a (tmp)file or command-line argument. We automated this in our (libreswan) testing using:

pk12util -W ourpassword -K '' -d sql:/etc/ipsec.d -i /testing/x509/selfsigned/east-selfsigned.p12

Paul

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
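As an added example (not Paul's or libreswan's own script), the same pk12util import with both passwords read from files via -w/-k rather than placed on the command line with -W/-K, where any local user can read them from the process list; it assumes openssl, certutil and pk12util are on PATH, and the paths, nickname "dkim-test" and passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example: import a PKCS#12 bundle into an NSS database with pk12util,
# supplying the bundle and database passwords from mode-0600 files.
# Assumes openssl, certutil and pk12util on PATH; everything else is constructed.
set -eu

have_tools() {
    command -v openssl >/dev/null && command -v certutil >/dev/null \
        && command -v pk12util >/dev/null
}

# Build a throwaway RSA key + self-signed cert and wrap them in a PKCS#12
# bundle, the artifact a distributed system would ship between hosts.
# AES/SHA-256 is requested explicitly: the RC2/3DES defaults of older OpenSSL
# are not accepted by a FIPS-mode NSS token.
make_bundle() {   # make_bundle <workdir> <bundle-password>
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dkim-test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -name dkim-test -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -macalg sha256 -passout "pass:$pw" -out "$dir/bundle.p12"
}

# Create an NSS sql: database and import the bundle; both secrets come from
# files (-w / -k) so they never appear in `ps` output.
import_bundle() {   # import_bundle <workdir> <bundle-password> <db-password>
    dir=$1
    umask 077
    mkdir -p "$dir/nssdb"
    printf '%s' "$2" > "$dir/p12.pw"
    printf '%s' "$3" > "$dir/db.pw"
    certutil -N -d "sql:$dir/nssdb" -f "$dir/db.pw"
    # To reproduce the FIPS case from the thread, enable it before importing:
    #   modutil -fips true -dbdir "sql:$dir/nssdb" -force
    pk12util -i "$dir/bundle.p12" -d "sql:$dir/nssdb" \
        -w "$dir/p12.pw" -k "$dir/db.pw"
    rm -f "$dir/p12.pw"   # bundle password is no longer needed on disk
}

# Confirm the private key is now in the token under the expected nickname.
key_imported() {   # key_imported <workdir>
    certutil -K -d "sql:$1/nssdb" -f "$1/db.pw" | grep -q 'dkim-test'
}
```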