OPENJDK-4013

Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY


    • Epic
    • Resolution: Unresolved
    • Major
    • FIPS
    • FIPS-SecretKey-can-SIGN-ENCRYPT
    • To Do
    • OPENJDK-1043 - FIPS Epics

      Current nss.fips.cfg has the following attributes' template:

      attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
      

      As part of the JAVAMON-682 research, we found a use-case where the same P11SecretKey created by KeyGenerator for the "AES" algorithm is passed to both the Mac and Cipher services (see this comment). As a consequence, for the same CKK_AES key, Mac will require the CKA_SIGN=true attribute, and Cipher will require the CKA_ENCRYPT=true attribute.

      The following attributes' template is proposed, by combining the JAVAMON-682 findings with the current template:

      attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
      

      In order to address potential similar issues, I've also extended the attributes to any CKO_SECRET_KEY. Please note this won't hurt the FIPS setup, because NSS will still impose any required restriction, as demonstrated when we tried to use the fully permissive attributes = compatibility.

      The Cryostat team is already using this template, and it has passed their testing.
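
A small check for the mismatch described in this issue, added here as an example and not part of the issue or of OpenJDK: it parses `attributes(...)` template lines and reports which services (Mac, Cipher) would lack their required attribute for a given key type. The function names are hypothetical, and it models only the templates in the config file (assumed to be merged in file order, with later entries overriding earlier ones), not SunPKCS11's built-in defaults or the restrictions NSS imposes.

```python
import re

# One SunPKCS11 template: attributes(operation,class,keytype)={ CKA_X=bool ... }
# The bare "attributes = compatibility" form has no parentheses and is ignored.
TEMPLATE_RE = re.compile(
    r"attributes\s*\(\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*=\s*\{([^}]*)\}")

# Attribute each service needs on the key, as stated in the issue.
NEEDED = {"Mac": "CKA_SIGN", "Cipher": "CKA_ENCRYPT"}

# Constructed inputs: the two template lines quoted in the issue.
CURRENT_CFG = "attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }"
PROPOSED_CFG = "attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }"


def parse_templates(cfg_text):
    """Return [(operation, object_class, key_type, {attr: bool})] in file order."""
    cfg_text = re.sub(r"(?m)^\s*#.*$", "", cfg_text)  # drop commented-out lines
    templates = []
    for op, cls, key_type, body in TEMPLATE_RE.findall(cfg_text):
        attrs = {name: value.lower() == "true"
                 for name, value in re.findall(r"(CKA_\w+)\s*=\s*(\w+)", body)}
        templates.append((op, cls, key_type, attrs))
    return templates


def template_attrs(templates, operation, obj_class, key_type):
    """Merge every matching template; "*" is a wildcard, later lines win."""
    merged = {}
    for op, cls, kt, attrs in templates:
        if op in ("*", operation) and cls in ("*", obj_class) and kt in ("*", key_type):
            merged.update(attrs)
    return merged


def uncovered_services(cfg_text, key_type, operation="generate"):
    """Services whose required attribute the templates do not set to true."""
    granted = template_attrs(parse_templates(cfg_text), operation,
                             "CKO_SECRET_KEY", key_type)
    return sorted(s for s, attr in NEEDED.items() if not granted.get(attr, False))


if __name__ == "__main__":
    for label, cfg in (("current", CURRENT_CFG), ("proposed", PROPOSED_CFG)):
        for key_type in ("CKK_GENERIC_SECRET", "CKK_AES"):
            print(label, key_type, "uncovered:", uncovered_services(cfg, key_type))
```
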

              fferrari@redhat.com Francisco Ferrari Bihurriet