This bug was initially created as a copy of Bug #2023467

I am copying this bug because:

RHEL 9 needs to be kept in sync.

In the context of RH1991003, we implemented an enhancement to import plain secret and private keys (i.e.: obtained from a file-based keystore) into the NSS Software token in FIPS mode. The goal now is to enable the reverse operation: export keys in plain from the NSS Software Token while in FIPS mode.

The scope will be initially constrained to keys of CKO_SECRET_KEY class, as this is what we require for TLS 1.3 key-derivation in FIPS mode (see RH2020290). In the future, we might extend the exporter functionality to support keys of CKO_PRIVATE_KEY class.

In the same way that for the importer functionality, the exporter can be disabled by means of the 'com.redhat.fips.plainKeySupport' system property: -Dcom.redhat.fips.plainKeySupport=false. Default behavior is enabled.

As part of this work, we aim to implement several code, debugging and reliability improvements to the FIPS Key Importer.