Bug
Resolution: Unresolved
rhel-9.0.0
This bug was initially created as a copy of Bug #2023467
I am copying this bug because:
RHEL 9 needs to be kept in sync.
In the context of RH1991003, we implemented an enhancement to import plain secret and private keys (i.e., obtained from a file-based keystore) into the NSS Software Token in FIPS mode. The goal now is to enable the reverse operation: export keys in plain from the NSS Software Token while in FIPS mode.
The scope will be initially constrained to keys of CKO_SECRET_KEY class, as this is what we require for TLS 1.3 key-derivation in FIPS mode (see RH2020290). In the future, we might extend the exporter functionality to support keys of CKO_PRIVATE_KEY class.
In the same way as for the importer functionality, the exporter can be disabled by means of the 'com.redhat.fips.plainKeySupport' system property: -Dcom.redhat.fips.plainKeySupport=false. The default behavior is enabled.
As part of this work, we aim to implement several code, debugging and reliability improvements to the FIPS Key Importer.
- blocks: RHEL-3429 Support TLS 1.3 in FIPS mode [rhel-9, openjdk-8]