RHEL-3425

Enable the export of keys in plain from the NSS Software Token while in FIPS mode [rhel-9, openjdk-8]


      This bug was initially created as a copy of Bug #2023467

      I am copying this bug because:

      RHEL 9 needs to be kept in sync.

      In the context of RH1991003, we implemented an enhancement to import plain secret and private keys (i.e., obtained from a file-based keystore) into the NSS Software Token in FIPS mode. The goal now is to enable the reverse operation: export keys in plain from the NSS Software Token while in FIPS mode.

      The scope will be initially constrained to keys of CKO_SECRET_KEY class, as this is what we require for TLS 1.3 key-derivation in FIPS mode (see RH2020290). In the future, we might extend the exporter functionality to support keys of CKO_PRIVATE_KEY class.

      As with the importer functionality, the exporter can be disabled by means of the 'com.redhat.fips.plainKeySupport' system property: -Dcom.redhat.fips.plainKeySupport=false. It is enabled by default.

      As part of this work, we aim to implement several code, debugging and reliability improvements to the FIPS Key Importer.

            mbalaoal Martin Balao
            rhn-engineering-ahughes Andrew Hughes
            Martin Balao
            David Kutalek