I don't know how it maps to NSS, but at the PKCS#11 layer you can generate a 
key pair, export the public key (even in FIPS mode, because it's public), use 
the public key to encrypt your secret key, then unwrap that with the private 
key. Then you can use that secret key to unwrap private keys.
(At least one HSM has a PKCS#11 library that effectively does that for you, so 
it just allows plaintext import and export of non-CKA_SENSITIVE keys even if 
strict FIPS mode restricts the HSM boundary.)
________________________________
From: dev-tech-crypto <dev-tech-crypto-boun...@lists.mozilla.org> on behalf of 
Chris Newman <chris.new...@oracle.com>
Sent: 01 June 2020 17:38
To: mozilla's crypto code discussion list <dev-tech-crypto@lists.mozilla.org>
Subject: FIPS mode key import?

I have NSS-based DKIM signing working in our mail server software, but
I run into a problem when trying to do it in FIPS mode.

I've been importing the DKIM private key using either
PK11_ImportPrivateKeyInfoAndReturnKey or
PK11_ImportDERPrivateKeyInfoAndReturnKey, but these APIs don't work in
FIPS mode (they map to C_CreateObject which disallows raw key import).
If FIPS mode only supports import of an encrypted private key, how would
I import the symmetric key that was used to encrypt the private key?
Seems like a catch-22 for a distributed system where keys have to move
around.

I like to avoid the OpenSSL-crypto-monoculture, but right now it looks
like using OpenSSL-FIPS is the fastest path forward. Any suggestions for
a way I could keep using NSS for this?

                - Chris
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
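
The two-step wrap described in the reply at the top of this thread, as an added example that is not code from either poster or from NSS. It assumes the Python `cryptography` package, RSA-OAEP with SHA-256 for the transport key pair and AES key wrap with padding (RFC 5649) for the private key; the function names are hypothetical, and the token side is simulated in software where a real token would perform two C_UnwrapKey calls.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding, aes_key_wrap_with_padding)

# Assumed wrapping parameters; a real deployment uses whatever the token supports.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def token_generate_transport_pair():
    """Token side: generate a key pair and export only the public half."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_der = priv.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub_der

def sender_wrap(pub_der, pkcs8_der):
    """Sender side: wrap the PKCS#8 key under a fresh AES key, then
    encrypt that AES key to the token's exported public key."""
    kek = os.urandom(32)
    wrapped_key = aes_key_wrap_with_padding(kek, pkcs8_der)
    wrapped_kek = serialization.load_der_public_key(pub_der).encrypt(kek, OAEP)
    return wrapped_kek, wrapped_key

def token_unwrap(transport_priv, wrapped_kek, wrapped_key):
    """Token side (simulated): unwrap the AES key with the private key,
    then use it to unwrap the private key. No plaintext key is imported."""
    kek = transport_priv.decrypt(wrapped_kek, OAEP)
    return aes_key_unwrap_with_padding(kek, wrapped_key)

def demo():
    # Constructed sample: a throwaway RSA key standing in for the DKIM key.
    dkim = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pkcs8 = dkim.private_bytes(serialization.Encoding.DER,
                               serialization.PrivateFormat.PKCS8,
                               serialization.NoEncryption())
    transport_priv, pub_der = token_generate_transport_pair()
    wrapped_kek, wrapped_key = sender_wrap(pub_der, pkcs8)
    recovered = token_unwrap(transport_priv, wrapped_kek, wrapped_key)
    return pkcs8, wrapped_kek, wrapped_key, recovered

if __name__ == "__main__":
    pkcs8, wrapped_kek, wrapped_key, recovered = demo()
    print("round trip ok:", recovered == pkcs8)
```

Only `wrapped_kek` and `wrapped_key` travel between hosts; the transport private key stays where it was generated.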